As an expert in cybersecurity, Chris Hodson believes bridging the gap between cyber risk management and insurance could solve major industry challenges
Cyber-attacks are now perceived as the biggest threat to a business, with the capacity to cause both damage and interruption of operations. Cyber security expert Chris Hodson tells Peter Littlejohns what the threat landscape is like in 2019, and what challenges insurance companies will continue to face.
In the 2019 World Economic Forum Regional Risks Doing Business report, cyber-attack was revealed as the number one concern of businesses in North America and Europe, and came a close second to natural catastrophes in East Asia and the Pacific.
Such attacks come in many forms: malicious emails that deliver ransomware remain a staple for cyber criminals, while supply-chain attacks, which infect a business in order to target its end customers, are on the rise.
Chris Hodson, author of Cyber Risk Management, and CISO EMEA for cybersecurity firm Tanium, describes the current landscape as “ambiguous”, as businesses aren’t necessarily aware of which of the threats they should be addressing, and the techniques they should be employing for protection.
“The [cyber security] industry is fixated on ‘sexy controls’ — the contemporary technology out there being applied to cyber security,” he says.
“But it’s important to look at why you would deploy, say, a blockchain or machine learning tool in your environment.
“Having a foundation of knowledge about the infrastructure you’ve got, along with some metrics around how quickly you can apply patches or identify malicious indicators is not overly sexy, but it is imperative.”
When all else fails, companies must rely on their insurance policy — but Hodson believes the industry supplying coverage will continue to struggle with certain risks.
Lack of data in cyber insurance presents challenges to accurately assessing risk
One of the primary prerequisites for an effective insurance product is a thorough understanding of the risk faced by policyholders.
In cyber coverage, this isn’t an easy feat because of how early the product line is in its lifecycle, when compared with stalwarts such as home or car insurance.
The data that informs these older lines of insurance is comprehensive enough that, discounting freak weather events, claims volume and cost are relatively predictable.
The same cannot be said for cyber insurance, according to Hodson, who compares it to natural disaster coverage to show the challenges a lack of data presents.
“We’ve had years of high-veracity data around how likely an earthquake is in London, for example,” he says.
“I don’t think we’ve had that same quantitative, very accurate telemetry data for cyber risk.”
Companies such as Arceo.ai and CyberCube are attempting to shift risk understanding in favour of insurers, which Hodson sees as a positive thing — especially when it can be used to inform risk management procedures too.
Integrating risk management and risk transfer an ‘eminently positive thing’
A recent trend in the world of cyber insurance is providers enhancing the value of their coverage with a suite of cyber risk management controls.
Up until now, businesses taking out a policy have been encouraged to adopt best practices — mostly in line with basic guides like the UK government’s Cyber Essentials scheme.
But new industry players, like Arceo and Cytegic, are looking to add a layer of protection to businesses by providing tools to assess risk and recommend ways to reduce it — whether through patching software or cybersecurity defences.
This has dual benefits to businesses and insurers, giving the former a chance to lower their premiums and the latter a better understanding of risk.
Given the tough decisions those in charge of business cyber risk have to make between risk management and transfer, Hodson believes the industry bringing insurance and risk controls closer together is an “eminently positive thing”.
“People at the highest level of organisations understand risk and they understand insurance — so talking about it with an enhanced cyber lens is a good thing,” he adds.
“CEOs and chief finance officers understand that lessening risk means cheaper premiums — which also means more money can be invested in cyber security.”
Hodson hopes companies ensure they’re secured against cyber threats rather than relying on insurance coverage — but he also urges them to put resources in the right place, starting with patching loopholes.
“Patching, I would say, is our number one tool as a prevention mechanism in cyber security,” he adds.
The nation-state exclusion is one of the major challenges to insurance companies that remains unsolved
The landmark lawsuit from American confectioner Mondelez against Swiss multi-insurance giant Zurich, launched in January this year, cast doubt on cyber insurance as a trustworthy product.
Mondelez argued that Zurich refused to pay out for a cyber claim that would cover physical damages and business losses of more than $100m (£78m).
But the Swiss insurer counter-claims that because the attack came as part of NotPetya, widely speculated to be a state-sponsored hack from Russia, it falls under its exclusion for acts of war in a time of peace.
The outcome of the case could set a precedent for the industry, but Hodson believes finding the source of a cyber attack will continue to challenge insurance companies relying on their ‘act of war’ exclusion.
“How do you qualify that in a world where the first objective of a nation-state actor is misdirection?” he says.
“How would you know that a particular event can be attributed to an actor associated with some kind of act of war?”
Hodson doesn’t know the answer to either question, but says the issue will continue to perplex insurers and policyholders.