Anecdotal evidence suggests that the global insurance industry is unwilling to play ball on writing cyber insurance policies. Firms are looking for US $1 billion covers, but the insurers are not biting.

It is not hard to understand the predicament of insurers. Cyber insurers face information asymmetry: they have little or no actuarial data on which to price the risk.

No insurer has a clue as to what hidden vulnerabilities exist in a company’s IT set-up, be it software, websites, networks, data centres or processes. How can insurers know when the companies themselves do not fully understand their own vulnerabilities?

The task for insurers is made even more difficult by the fact that attacks may not be aimed at a big firm directly.

Dangerous liaisons The recent attack on Apple’s iOS App Store suggests that hackers have found another route to compromising users: infecting the machines of software developers who write legitimate programmes and apps, so that malicious code is carried into otherwise trusted software.

Developers are a huge, globally dispersed and logical target for hackers (their spread across jurisdictions brings geopolitical risks of its own), and this approach may be harder to defend against, because the compromised software arrives through channels its users already trust.

Further, insurers also need to take into account that businesses today operate in internet-linked ecosystems that include multiple partners and suppliers of various sorts, in addition to outsourced software development.

Smaller, less prepared and less well-equipped members of these ecosystems offer hackers an easier route into the systems of big firms.

The situation gets even more complicated when one considers the scale of cyber threats. One estimate puts the annual cost of cybercrime to the global economy at between $375 billion and $575 billion.

That’s a lot of money, and the reluctance of insurers to write out policies to protect against hugely expensive and unknown threats is unsurprising.

Attackers are remotely located, face no direct or immediate physical threat and are unafraid to take risks.

Testing for vulnerabilities is a deeply technical matter. When faced with Advanced Persistent Threats (APTs) and zero-day vulnerabilities, it needs to be borne in mind that businesses are up against attackers who typically belong to organised criminal groups, mafia groups, black-hat hacker groups or state-backed groups.

Lacking expertise The problem is compounded by the lack of senior management involvement in vulnerability assessment.

This is not a matter that can be left to systems administrators or developers, who are better equipped to remediate security issues than to discover vulnerabilities in the first place.

Given the reluctance of insurers to play ball, companies may have little choice but to look after themselves.

The buck needs to stop at the desk of senior management, and boards need to ask difficult questions. Constant vigilance, vulnerability assessments and penetration testing are essential for defence.

Companies also need to utilise counter-cyber-espionage and counter-intelligence techniques.

The writer is the founder of Cyber Security & Privacy Foundation