Around 315,000 new viruses created a day, says KCS Group
The world is rapidly becoming a more dangerous place for businesses as terrorist groups and rival foreign powers discover that it is far easier to hack into a corporate website than it is to orchestrate a physical attack or intrusion, writes KCS Group Europe chief executive Stuart Poole-Robb.
Insurers now face a huge challenge in trying to provide comprehensive cyber insurance. While an exemption clause for a policy covering, for example, buildings insurance may absolve the insurer from paying out in the event of terrorist attacks, the company insured and the insurer know that in developed countries this would be a highly unlikely occurrence.
But the digital age has offered terrorists a whole new cyber world in which they can operate far more freely than in the physical world. For example, a group of hackers based in Iran called Parastoo is known to be actively recruiting IT engineers with precisely those software skills needed to bring down financial trading systems and power supplies on other side of the world. Parastoo has already been linked to a military-style attack on an electric power station in the US.
Earlier this month, at the Council on Foreign Relations, the chairman of the US House Committee on Homeland Security Michael McCaul said what keeps him up at night is Iran or ISIS developing software that has the “ability to shut things down” such as water and power infrastructure.
This awareness of the vulnerability of all types of organisation to cyber terrorism has now begun to spread to the insurance industry. Cyber attacks and terrorism will be the most threatening emerging risks for the insurance and reinsurance industry in 2015, according to a survey released earlier this month by Guy Carpenter.
Of those surveyed, 40% said cyber attacks are the most threatening emerging risk, while 31% said terrorism is the most threatening for the coming year. The U.S. survey was based on the responses of 111 (re)insurance executives.
But acknowledging the risk and accurately quantifying it are two different matters. In many cases, organisations are often unaware that their IT systems have been infiltrated by terrorists or foreign governments. Sometimes, foreign powers, terrorist hacker groups and plain cyber criminals spy on companies without their knowledge, stealing sensitive and commercially valuable data such as client records, future business plans and product designs.
Data theft frequently goes unnoticed for months before cyber intruders are detected or finally choose to reveal their identities. The first step for an insurer to take is to establish whether an IT system has intruders already sitting on it and the second is to ensure the organisation is instantly alerted should an intruder break in.
But the major problem facing companies who wish to be insured is that traditional cyber defences are outmoded. For example, the anti-virus software which has traditionally protected IT systems against known software bugs is now largely redundant, despite the fact that it is almost universally deployed as a first line of defence.
According to Internet security adviser Kaspersky Lab, around 315,000 new varieties of malware are created every day. As it would be impossible for corporate software providers such as Microsoft to deliver so many patches, companies and their insurers must employ more effective cyber defences. Some modern software letsorganisation filter incoming communications. Complimentary software lets companies search the history of sensitive documents to establish if they have been compromised and, if so, precisely when and how this occurred. Insurers and their clients must now develop new procedures for identifying and evaluating the threat of cyber terrorism.