It looks like predictions from cyber experts are coming true as nation state actors continue to top the list of concerns around cyber risk. Back in February, the US director of national intelligence released a Worldwide Threat Assessment report that underlined hackers who are targeting governments, companies and industrial operations as a growing threat. We already have clear examples of this risk coming to fruition in 2018 – for one, with the ransomware attack on the city of Atlanta, which knocked out many municipal services.
When large-scale operations are threatened by hackers, the potential for damage is likewise significant.
“Think of state actors as folks who are targeting utilities, air traffic control, public transportation or water treatment facilities – these aren’t necessarily the same actors that are going after credit card information and other more monetizable areas,” said Josh Ladeau, global head of tech E&O and cyber for Aspen Insurance. “The actors who are going after infrastructure are likely to be state actors, and ones that would be aiming to cause a large amount of damage and some sort of higher level of material sabotage, economically or otherwise.”
As state actors become more commonplace, it’s not the targeted attack of one facility that worries insurers today.
“If somebody wanted to do the US harm, they wouldn’t simply go after one utility provider because the redundancy of the US infrastructure is such that it wouldn’t be sufficiently impactful. It could be absorbed – we have enough redundancy to absorb a single provider outage,” said Ladeau. “In my view, state actors would likely try to infiltrate and discreetly maintain their presence indefinitely – not necessarily executing any small-scale or individual attacks that might compromise their presence or methods, but rather covertly positioning themselves across a wide swathe of US infrastructure, and at a given point, executing a coordinated attack across many entities simultaneously. That’s a big concern.”
Another point of concern is that the cyber insurance market isn’t ready to deal with losses tied to cyberattacks of this magnitude, even as cyber insurance premiums are forecasted to be worth US$4 billion by 2021, according to a recent report from Aon Inpoint.
“You have a lot of folks in that competitive environment: prices are pushed down, coverage is expanded, and critical infrastructure losses aren’t really happening on a regular basis or at a sufficient magnitude to impact market dynamics,” explained Ladeau. “As an industry, do we get caught off guard when a state actor pulls a lever across a wide swathe of target entities, and are we as an industry ready to deal with that? Does the industry have sufficient funds in reserve to deal with that sort of catastrophic loss, and are we all thinking about that as insurers?”
Ladeau questions whether insurers are putting themselves in the shoes of the state actors, asking how they would behave if they wanted to inflict as much damage as possible, and then preparing appropriately for those scenarios.
“For an actuarial-based industry, where historical losses are compiled and analyzed to calculate future risk and premiums, this is a different way of thinking,” explained Ladeau. “This is a rapidly evolving space and the potentialities here are much different than I think a lot of areas that insurance traditionally covers.”
While some companies are ready for a cyberattack, others have weak and penetrable walls of security, or none at all. Even among Fortune 500 companies, there are significant differences in cyber security posture, according to Ladeau. Moving forward, the insurance industry should put into practice what Ladeau refers to as the carrot-and-stick approach: rewarding companies that are implementing security measures.
“Those entities that are demonstrating the right controls, the right strategy and the right attitude, which includes all of senior management accepting responsibility for the direction and organizational embrace of cybersecurity, should be offered more favorable coverage terms. Conversely, we should be much more conservative with regard to the availability, breadth and pricing of coverage for entities that have failed to adequately prepare,” Ladeau outlined. “We don’t want to be their substitute approach to cyber security – that’s not what our industry is designed for. We should be a risk transference mechanism for security conscious entities, those that have made the appropriate financial and cultural investments; we are an important component, not the centerpiece, of an organization’s approach to cyber security.”