Cyber insurance: the industry is “really immature” | Insurance Business Australia

BlackBerry and Corvus Insurance, a US-headquartered insurtech with a presence in Australia, recently released a study that offers insight into how IT decision makers view cyber insurance coverage.

The Cyber Insurance Coverage study was based on interviews conducted in July with more than 400 IT business decision makers. It found that half of those surveyed regarded a lack of transparency from insurers about what is covered as one of their biggest cyber challenges. Sixty per cent (60%) of the decision makers also said they would be hesitant to enter a new agreement with any organisation lacking cyber insurance.

Ismael Valenzuela, vice president of Threat Research and Intelligence at BlackBerry, said the report is further evidence that the industry “is really immature” when it comes to cyber insurance.

“There’s immaturity both from the side of the organisations demanding these policies for protection and also immaturity from the insurance industry in terms of their knowledge about what is happening in the industry,” said the New Jersey-based Valenzuela.


The cyber expert referred to an analogy used by Harvard Kennedy School computer security expert Bruce Schneier, which compares buying cyber insurance with buying a used car or signing up for health insurance.

“When a customer buys health insurance they are at an advantage over the insurance company because the insurance company is asking them questions about their health but only the customer really knows how he or she feels and what’s going on,” he said.

Valenzuela said the information advantage is reversed in a used-car sale.

“The salesperson knows more about the car than you do, so you’re at a disadvantage,” he explained.

Valenzuela said Schneier saw the cyber security industry as quite unique.

“Cyber security is one of the few industries where none of the parties, neither the seller nor the buyer, know what’s going on, that’s the reality,” he said.

Valenzuela said insurance companies try to do due diligence but often end up offering solutions that are too generic. On the other side of the transaction, he said, buyers of cyber insurance policies too often purchase them mainly for compliance purposes, to remain eligible for government projects, or even as a substitute for investing in real cyber security measures.

He advocated an approach that focuses on practical assessments of cyber risk rather than checklists alone. Government agencies working with contractors, for example, are already demanding that those organisations run tabletop exercises as part of their risk assessment, Valenzuela said.

He said cyber insurance coverage could depend on simulating cyberattack scenarios and showing the insurance company the results of those simulations.

“For larger organizations this could involve having a practical test where you hire a company that will come and do an emulation as if they were attackers and then evaluate how good your defences are,” he said. “These are things that I think are going to happen more frequently.”

He said some insurance companies are also demanding that the firms they insure have their IT networks, cloud platforms and overall cyber security managed and secured by a specialist team or an external managed services provider.

Another way insurers could improve their cyber offerings, said Valenzuela, would be to have more information about the cyber threats specific to regions and industries.

“What happens in APAC is very specific to the region,” he said. “It’s very different from what happens in Brazil, Mexico, or in the United States.”

By way of example, he said APAC cyber threats more often involve state actors like China targeting intellectual property in the energy sector or attempting to steal healthcare technology.


In the same interview with Insurance Business, Valenzuela said the recent Lloyd’s of London cyber mandate excluding state-backed cyberattacks and war from standalone cyber policies was another example of the immaturity of the cyber insurance sector.

“This is very interesting because how do you attribute an attack to a specific nation and say this is an act of war?” he said. “From my perspective, as a cybersecurity expert, we can never attribute something 100% to a specific actor because what we have is digital evidence and digital evidence can be manipulated in many different ways.”

Valenzuela said that even when a cyberattack can be attributed to a particular actor, it is attributed with, at best, a high degree of confidence.

“That’s not the same as knowing 100% for sure who is behind it,” he said. “There’s a lot of uncertainty here.”