Battling misinformation about cyber insurance can sometimes feel like a Sisyphean task for those working in the sector. CFC’s chief innovation officer Graeme Newman (pictured) noted that, in addition to navigating the negative public perception of insurance, cyber insurance faces scepticism and unease.
Misconceptions range from the belief that cyber insurance leads to decreased uptake of cyber security measures, to the particularly harmful idea that the payment of ransom demands fuels cybercrime. To suggest that if it was illegal to pay ransoms then such crime wouldn’t exist ignores the practical side of the problem, Newman said, and the reality that making ransom payments illegal would simply force the hand of victims.
“It’s easier to think about people rather than data,” he said. “Looking at the traditional kidnap & ransom sector, let’s face it, if any one of our loved ones was kidnapped and there was a ransom we could afford, whether it was legal or illegal we would pay it. The law is irrelevant in that sense, and all it does is drive it underground… So, the choice is this – do we drive this underground and lose sight of it or do we accept that there is a problem here that we need to solve?”
The irony, he said, is that cyber, as a relatively new line of cover, still has low levels of penetration with about 10% of businesses buying cover. So, it’s a total non sequitur to say that cyber insurance could be fuelling cybercrime when 90% of businesses don’t have it.
The cyber industry needs to think within the constraints it faces and question what is actually fuelling cybercrime before it can implement new measures to control it. Any evaluation has to start with the basics, he said, and the foundation of cybercrime is cryptocurrency. Cryptocurrency is the principal reason why cybercrime has grown exponentially. It makes it easy to move money around the world in a nanosecond, and it makes money laundering far easier as the funds don’t have to move through the traditional banking system.
“Cryptocurrency is fuelling ransoms,” he said. “If you’d asked me 18 months ago what our biggest source of claims is, it would have been social engineering and wire transfer fraud - but the banks have already started to get a handle on that [through account verification]. So, criminals are looking at where they can make the most money and it helps that cryptocurrency is going up like no tomorrow - so now, if they steal money, they can double that amount simply by sitting on it.
“The exchange is the flow-through point, however, because there’s no point in having cryptocurrencies, as it’s pretty hard to spend, but you can cash it in. To cash it in, you need an exchange or an over-counter trader who will cash it for you. We should put the focus there. And there are exchanges which take their regulatory processes seriously and others that don’t. And that should be a big focus for regulation by law enforcement, because it’s a big part of this.”
CFC works with several of the anti-money laundering (AML) software providers, he said, to give them the capability to know if something is a ransom payment. It encourages these providers to honour their AML obligations by either stopping the crime or enabling law enforcement to follow the payment and thus find the criminal.
The second major aspect fuelling cybercrime is that criminals have realised that stealing the data first makes people more likely to pay a ransom due to the commercially sensitive nature of that data. But the real issue here is more nuanced than that, Newman noted, and goes to the very heart of how both regulation and legislation, and the publicity surrounding cyber incidents, have been wrongfully targeted at the victims of such crimes.
The penalisation of victims is strange, he said, and cybercrime seems to be the only type of crime in which the victim is treated as the perpetrator. Between fines and penalties, the creation of statutory damages and the roots for private class actions, attacked businesses are confronted with the threat of significant fines and litigation, as well as the humiliation of being shamed by the Press if the incident comes to light.
“That is fuelling this crime,” he said, “because as a business you feel you’ll be shamed if you have a data breach, and you fear you’ll be sued or fined or have regulatory action brought against you. And that can’t be right. Surely we should be supporting businesses, just like if I had my house broken into - the police come around and help me, they don’t threaten to put me in jail.
“The mainstream media has taken the angle of demonising businesses that are victims of this crime as negligent. And the reality is, if you look at the Solar Winds event, Microsoft was compromised, the NSA was compromised, Fireeye, one of the top security companies in the world, was compromised. We have to accept that, as a business, there’s only so much that can be done by way of protection. And also, people make mistakes, and actually, making mistakes is OK.”
Above all, the sector needs to move away from easy soundbites such as “make paying ransoms illegal”, he said, and embrace the role that cyber insurance plays in protecting businesses.
“Speaking from the insurance side,” he said. “I know that our motivation is good, we do genuinely want to help businesses and individuals with problems that they’ve got… We don’t like paying ransoms any more than anyone else does. Our job is to help our clients have fewer claims, not more claims.
“That’s why it’s frustrating to read in the Press that somehow it’s good for business if we have more claims. I can promise you, it’s not good for business. It’s simple economics - if the price goes down more people buy it… So clearly, it’s in our interest to reduce claims, that’s how the insurance industry works. And somehow that seems to get lost in translation.”
