If there is one constant to cyber, it is that the nature of the threats is ever-changing. It is this fact which makes any discussion on the topic difficult, noted Matt Harrison, director of product management for cyber at RMS, as it is only a matter of time until the space evolves and the foremost concern is replaced as the “flavour of the day”.
At the moment, that dubious title goes to ransomware, he said, because it’s the best way for cyber criminals to commercialise what they are doing. For years, ransomware represented a low-level threat where personal data could be restored for relatively small amounts, whereas now it is a big-game hunting phenomenon where large corporates are held to ransom by criminals.
“Their most precious assets are under duress in a bid to get as big a payment as possible,” he said. “We’ve seen that with the emergence of doxing and other phenomena. And it’s a hybrid where they’re encrypting and ransoming critical data but they’re also exfiltrating it.
“So, when you see these hybrid ransomware and DDoS attacks, all they’re trying to do is find more and more leverage on these large corporates to extract money out of them. ‘If you don’t pay me lots of money, I’m not going to stop, and it’s really going to hurt you.’ And, until there’s a feedback loop to restrict those criminals, what’s there to stop it?”
From RMS’s data, Harrison said, it is clear that ransom demands are increasing as cyber criminals gain a greater understanding not just of a business’s ability to pay, but also of the actions they can take that will cause the most damage.
In addition, he said, there has been a formalisation of these threat actors. The work of criminal fraternities to legitimise the process of ransomware is having the effect of making a company’s decision to pay out feel more like a business decision than the payment of a ransom demand.
It makes sense, given the above, that ransomware is the trend which is on everyone’s mind right now, Harrison said, but the older risks haven’t gone away; it is simply that a different threat has become headline news because its impact is more immediate.
“And our job is to understand what those trends are, but not just be constantly looking to the future,” he said. “We’ve got to also be looking in the rear-view mirror because those other things will come back, or they’re still present. We can’t just bang the ransomware drum. From our perspective, models aren’t just about a number.
“A carrier can’t just ask about the risk they’re running, there has to be a ‘so what?’. Without the ‘so what?’, there’s no action. A model must be able to tell you the number, but also why it is that number and what part of your portfolio is driving that figure. That’s the actionable insight, which can tell you how to validate that risk or change it. They’re the things that we work the hardest on to derive value for our clients.”
It is a recognition of the evolving nature of cyber risk combined with an ambition to add value for clients that led to the company’s recent update to its cyber solutions offering, Harrison said. Updates are the name of the game as the cyber risk landscape keeps updating too. The challenge is to balance credible developments in the space that increase the value RMS adds to its models through new data, with delivering such updates in a way that is digestible and tractable for insurance companies.
“Insurance companies simply don’t update their models every week as to do so would be counterproductive to an annual business planning cycle and the annual contracts that they’re selling and writing,” he said. “And maybe that’s where we want to get to – that live view of risk. But that kind of change in how the whole ecosystem of insurance works, I’m not going to be quite so bold as to say I’m going to disrupt that this week. But we do need to move towards understanding how to deal with this dynamic, changing risk and the cycle of insurance over longer time periods.”