The contribution of the insurance sector to improving cyber security best practice to date has been more limited than both policy makers and businesses might like, and an industry-wide reset could be needed to help cyber insurers deal with the challenges they face, particularly an “existential threat” from ransomware.
This is according to a newly published paper produced by analysts at the Royal United Services Institute (Rusi) think tank, which sheds some light on the challenges facing cyber insurers; besides ransomware, these include problems with the collection and analysis of risk data.
In the paper, Cyber insurance and the cyber security challenge, which is publicly available to download, Rusi cyber analyst Jamie MacColl, associate fellow Jason Nurse (also associate professor in cyber security at the University of Kent) and cyber research director James Sullivan argue that, as the sector matures, cyber insurance has the potential to fulfil the role played by insurers in other industries, such as rewarding good risk management or offering financial benefits – or even specialist knowledge and assistance – to organisations that have implemented better security controls and standards.
However, the paper’s authors say that while the levers by which cyber insurance can incentivise better security hygiene do exist, all have “significant limitations”, and the nascent cyber insurance sector is “struggling to move from theory into practice”.
They conclude that if cyber insurance is to have the desired impact, the sector needs to get much better at not only understanding and identifying cyber risk, but also collecting and sharing reliable cyber risk data to inform underwriting and risk modelling.
Without this data, says Rusi, insurers and reinsurers are essentially unable to accurately assess a customer’s risk or security practice and therefore cannot price their premiums appropriately. Additionally, it said, the market is yet to embrace the proper use of financial incentives or imposed obligations to improve cyber practice among customers.
The paper goes on to highlight how, as a result of these missing links, the sector may in fact be moving in the wrong direction, noting that cyber insurers have been criticised – at a high level in some instances – for facilitating ransomware payments to cyber criminals. In doing so, critics argue, they incentivise further cyber criminal activity and enable existing crime gangs to invest in and expand their capabilities. It notes how losses stemming from uncritically underwriting ransomware incidents have also contributed to some insurers – such as AXA – leaving some markets.
Rusi sets out a number of recommendations for cyber insurers to turn things around. These include collectively agreeing on minimum security requirements to apply during the risk assessment process for SMEs, and collaborating more closely with managed security service providers, cloud service providers and threat intelligence specialists to tap into customer data.
It also urges the Cabinet Office and Crown Commercial Service to develop a policy and legal framework that makes cyber insurance coverage compulsory across government suppliers and vendors.
It suggests that the National Cyber Security Centre (NCSC), National Crime Agency (NCA) and insurance stakeholders turn to existing public-private partnership models for combating cyber incidents and financial crime, and establish information sharing links to exchange threat intelligence and ransom payment data – all anonymised. It also says that insurers offering ransomware coverage should require policy holders to notify the NCSC and NCA if attacked, and to do so before any payment is made; and that the insurance sector should work with the NCSC and cyber partners to create a set of minimum ransomware controls based on threat intelligence and claims data.
Rusi also called for the National Security Secretariat to conduct a policy review into the feasibility and suitability of outlawing ransomware payments altogether.
There does appear to be a growing amount of support for enacting some kind of ban on ransomware payments: a report released earlier in June 2021 to mark the launch of an anti-ransomware campaign, #Ransomaware, claimed that almost 80% of cyber security professionals, and about the same proportion of consumers, would support such a ban.