Another day, another cyberattack: just last week, two major Canadian banks – Bank of Montreal and Canadian Imperial Bank of Commerce – revealed that they had been contacted by cyberattackers claiming to have stolen the data of nearly 90,000 customers, in what was described as the first significant assault on financial institutions in the country.
But while the insurance world is rushing to adapt to the growing demand for cyber insurance, one cybersecurity professor says we still don’t really know much about the future risks of the cyber world.
“Cybersecurity right now is mostly procedural. You train your users not to click on certain links, you have certain measures in place, you do certain types of tests. However, we are not very much prepared for future threats,” said Professor Florian Kerschbaum, interim director of the Waterloo Cybersecurity and Privacy Institute.
“Take the prevalence of AI right now – we haven’t really understood what the implications of using AI and these kinds of decisions really are. Trying to be able to predict what the security will be is very difficult,” he told Insurance Business.
Currently, there is no “clear risk profile” when it comes to cyber, and insurers are only really able to value assets rather than assess risk when pricing a cyber policy, according to the professor.
However, as the cyber insurance market matures and the amount of data collected grows, the hope is that data science will allow for a much clearer insight into what the future of cyber might look like.
“We need to start developing the kind of tools… that are able to better predict and able to handle some of the fundamental challenges in cybersecurity in a better way, so that we actually are able to significantly reduce the number of these reports,” Kerschbaum said in reference to the hacked Canadian banks.
“Maybe with the prevalence of cyber insurance, and collecting more data, cyber insurance in itself will be able to better predict the important measures that people have to take,” he added.
For now, best practice lies in “defence in depth” – in short, layers of encryption – according to Kerschbaum.
“If one security control fails then you have a second in place,” he said. “If we can build systems in this way, while nothing will be foolproof, the science of resilience is that if plan A fails, you have to have a plan B.”