Cyber Insurance and the unknown unknowns
On 16 July, I saw a news article about the potential cost of a cyber attack on London’s electricity networks – £111m daily. “Wow”, I thought. And left it there.
And then, Thursday 25th July, headlines and broadcasts in Johannesburg, my home city – a tweet from City Power, the municipality utility in Johannesburg:
The attack was a ransomware attack, replicating other high profile attacks such as the UK National Health Service in 2017. This form of attack encrypts the target computers’ files, the attacker demanding payment in order to decrypt the vital information and programs.
And of course, just to add to my excitement, on Friday 26th, I was to attend an Institute of Directors education session on liability of directors in the case of cyber breaches for their companies. I was really looking forward to this!
The speaker that day confirmed that the City Power attack was one of three major attacks on that same day. It took over two days to sort out the City Power problems; imagine the costs and revenue losses, as much of City Power's revenue comes from prepaid tokens: if a customer is unable to buy power, that revenue is lost. And this in an environment where cities in South Africa are already struggling under a poorly performing Eskom (which was named as a key cause of the massive drop in GDP for the first quarter of 2019).
The speaker walked through the various means by which hackers breach the defences of their targets, and the simplicity with which these attacks are carried out is breathtaking. Yet they are sophisticated and seemingly highly effective. Sadly, in terms of defence, the lowest common denominator, i.e. the employee who cares the least, is the typical breach in the defences. Two simple examples: using a company name, perhaps a date, and a “!” as a password (or perhaps “Password01”, which is hugely popular with IT departments); and the use of hardware, for example an innocent-looking charging cable left on the ground in a car park, armed with a piece of loaded hardware to punch holes from WITHIN the target's firewalls.
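The first example above (company name plus a year and a “!”, or “Password01”) is the kind of pattern a password-screening check can reject at the point where a password is set. The following is an added illustration, not code from the original post or from any of the organisations mentioned; the company names and the list of common defaults are constructed placeholders that a defender would replace with their own organisation's names and a published breached-password list.

```python
import re
import unicodedata

# Constructed screening data: a real deployment would populate these from the
# organisation's own names and a breached-password list.
ORG_TERMS = ("acme", "acmepower")            # hypothetical company names
COMMON_DEFAULTS = {"password", "welcome", "letmein", "admin", "qwerty", "changeme"}

# Reverse the usual character substitutions so "P@ssw0rd" screens as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
# Four-digit years from 1950 to 2049, the "date" decoration the speaker mentioned.
YEAR = re.compile(r"(19[5-9]\d|20[0-4]\d)")


def core_of(password: str) -> str:
    """Lower-case, strip leading/trailing digits and punctuation, undo leetspeak.

    '@' and '$' are kept at the edges because they stand in for letters.
    """
    s = unicodedata.normalize("NFKD", password).lower()
    s = re.sub(r"^[^a-z@$]+|[^a-z@$]+$", "", s)
    return s.translate(LEET)


def weakness_reasons(password: str, org_terms=ORG_TERMS) -> list[str]:
    """Return every screening rule the password trips; an empty list means it passed."""
    reasons = []
    core = core_of(password)
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if core in COMMON_DEFAULTS:
        reasons.append("common default password with decoration stripped")
    for term in org_terms:
        if term in core:
            reasons.append(f"contains organisation name '{term}'")
            break
    # "Summer2019!" style: a short word dressed up with a year.
    if YEAR.search(password) and len(core) < 8:
        reasons.append("short word plus a year")
    return reasons


def is_acceptable(password: str) -> bool:
    return not weakness_reasons(password)


if __name__ == "__main__":
    for candidate in ("Password01", "AcmePower2019!", "Summer2019!",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {weakness_reasons(candidate) or 'ok'}")
```

The check is deliberately a screen, not a strength meter: it rejects the predictable decorations (trailing digits, a year, a “!”, leetspeak) around a known-weak core rather than counting character classes, because the examples the speaker gave would all satisfy a naive complexity rule.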
So how does the insurance industry address these huge and unknown issues?
One characteristic of cybercrime is the industrial scale that is possible, along with the anonymity for the criminal: no cameras, no eyewitnesses. It only requires one breach for an attacker to take over the systems, and they then “reside” in the internal systems for up to a year before effecting the attack, preparing meticulously for the big (pay)day. Few other crimes have this intentional scale.
And of course, whereas most crime has an expectation of gain for the criminal, until recently cybercrime was either aimed at banks and payments (i.e. misdirecting money) or at disruption for the sake of disruption (hacking websites for fun or fame). But now it seems that the criminals concerned are carefully considering the monetisation of their actions; indeed the ecosystem is developing to “outsource” certain activities such as the collection of names and information, or, a new one for me, “HaaS”, “hacking as a service”: hand over the chicken fully basted (or the security fully breached)!
So where does insurance go? For sure, there is a lack of historical data on losses, and therefore on premium income versus losses. Does insurance insist on “maintenance”, patch management, etc.? Or will the insurers be guessing? I doubt the latter; designing this insurance has to have a strong element of “rules”, otherwise the insurers will lose.
I am looking forward to the InsureTech Rising conference in Paris in October which will have an entire day dedicated to Cyber Insurance.