TBQ with Jonathan Palmer

The Big Question: Are insurers doing enough to be proactive when it comes to rising cyber risks?

The UK’s National Cyber Security Centre has issued its annual report, which highlighted a significant uptick in the number and severity of cyber-attacks faced by businesses and infrastructure.

The centre revealed there were a record 204 nationally significant cyber-attacks handled by GCHQ’s National Cyber Security Centre in the year to September, up from 89 in the previous 12 months.

Of a total of 429 incidents handled, 18 were categorised as ‘highly significant’, meaning that they had the potential to have a serious impact on essential services. This marks an almost 50% increase on incidents of this second-highest level categorisation compared with the previous year, and an increase for the third year running.  

In response, British businesses are being urged to take concrete action to protect themselves from cyber-attacks, as the number of nationally significant incidents rises to an average of four every week.

This has seen a huge uptick in the demand for cyber insurance coverage from companies of all sizes. Insurers have been quick to look at ways in which they can meet the demand, and new capacity has entered the market, as have new solutions. Beyond the indemnity for financial loss, insurers have sought to provide a range of services within their coverage which will react at the time of a cyber event, from cyber security expertise to public relations resource.

However, is the market doing enough to prevent cyber risks, and are insurers getting on the front foot when it comes to delivering on the old adage – prevention is far better than cure?

Lee Williams, Head of AdvantageGo

CDL Cyber Intelligence’s co-founder, Jonathan Palmer, says insurers and their insureds have to recognize the rising threats they face and understand that intelligence will be key in identifying the potential for threat and in creating the time to take action to thwart any future attack.

Palmer’s company is one of the world’s leading providers of Dark Web Managed Service and Social Listening, consumer intelligence, and brand monitoring, and he explains there is growing evidence that insurers need to look at how best to predict the threat rather than the response.

“Traditional threat intelligence often works with Indicators of Compromise (IOCs) – things that have already been used in attacks,” he adds. “That means a lot of the work is reactive.

“Intelligence allows organizations to see ahead to detect infrastructure that attackers are preparing but have not yet weaponised fully. This gives opportunity to stop or limit attacks before they hit.”

Palmer says: “What is clear is that businesses now face nation-backed cyber-attacks, and increasingly sophisticated organised crime groups.”

The dark web is becoming a key facilitator for criminal gangs, he adds, describing it as an “obfuscated part of the internet that is prolifically used by cybercriminals to communicate between one another, plan their attacks, and buy, sell, and build the tools they need to execute them”.

However, by accessing the dark web, businesses and insurers can obtain vital prior warning that a company is set to be targeted.

“This activity is known as the ‘pre-attack’ phase of a cybersecurity incident: the actions that cybercriminals undertake before they launch their campaign against an organisation and breach their network,” he adds. “It stands to reason that the presence of this pre-attack activity against a specific organisation would mean that they have an increased likelihood of being the victim of a cybersecurity incident.”

Palmer cites the work broker Marsh undertook to identify whether there is a correlation between a company’s appearance on the dark web and falling victim to a cyber-attack.

“Marsh McLennan’s Cyber Risk Intelligence Center conducted a study to determine if intelligence sources from the dark web were correlated with the frequency of cyber insurance claims,” he explains. “Marsh’s team demonstrated a statistically significant correlation between all of our dark web intelligence sources – including, but not limited to, dark web market listings, hacking forum chatter, and dark web traffic to and from the corporate network – and an increased likelihood of suffering a cybersecurity incident. Put simply: the presence of any dark web findings related to an organisation – without exception – was associated with a higher likelihood of a breach.”

On the current cyber market, Palmer says: “Brokers remain concerned over the current cyber offerings. Insurance remains very much a relationship business. For brokers, cyber cover is still viewed as a reputational and relationship risk, in terms of their clients if it fails to adequately respond.

“In many ways cyber cover is unlike any other risk given the difficulty and in some ways impossibility to accurately quantify risks. For example, how do you quantify the Friday afternoon when a member of staff gives away their password and opens the business to a cyber-attack?”

He adds: “Insurers need to get onto the front foot and, as with every other risk, it is far cheaper for the insurer and insured if they prevent the claim rather than seek to limit the damage.

“To do so they need to use intelligence to get ahead of the bad actors. Yes, technology and people are important, but so is intelligence. If used right it can be a significant weapon for insurers to support their clients and to identify when they are set to come under threat and put in place systems which will defend against the threat which has been identified.”

Palmer concludes: “There needs to be a shift in focus. While support post incident is at the heart of the cyber insurance offering, there is much more that can be done to get ahead of the threats and better identify them to allow insurers the time to prepare. We need to be more proactive and there are tools which can be used to do just that.”
