Risk briefing: insurance industry unprepared for large scale, systemic cyber attacks

There’s no doubt that a widespread, systemic, catastrophic cyber event could be devastating for many organisations.

According to the World Economic Forum, it’s a risk that’s top of mind. Data shared by managing director Jeremy Jurgens found that 91% of business leaders say a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years.

 

And Gallagher says that the prospect of a cyber catastrophe has also been on the (re)insurance sector’s worry list for a while.

For instance, in 2022, Zurich Insurance’s CEO, Mario Greco, declared that cyber attacks could become “uninsurable.” She appealed to governments to “set up private-public schemes to handle systemic cyber risks that have not yet been quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks.”

Meanwhile, regulators are concerned that not enough businesses have cyber insurance coverage.

In May, Lindy Cameron, chief executive of the UK’s National Cyber Security Centre, told an audience of insurance executives that “it has been said that only 200,000 of the 2.7 million businesses in the UK with a website buy stand-alone cyber insurance policies.”

She added: “I’d love to believe that this was because it was covered as part of their wider business insurance. But I don’t believe this is the case.”

Gallagher’s new report - ‘The Risk of a Cyber Catastrophe’ - finds that there are question marks over whether the world is ready for a large-scale cyber event.

It finds that carriers are still determining their coverage limits, businesses are exploring how to manage their exposures, and models are still not fit for purpose.

What would a cyber catastrophe look like for businesses?

Gallagher’s report says that when considering the risk of cyber cat, the biggest problem is that the industry has never really experienced one.

This means that there is no universally accepted definition for what might cause one and what form it might take—and no industry consensus on modelling the risks.

A shared understanding of what a cyber catastrophe could look like would be a useful starting point. 

Ed Pocock, Gallagher Re’s head of cyber security, says: “Traditional modelling divides cyber into three types of cats: data breach and the loss of data; outage and the inability to access data; and a lack of data integrity, where data becomes corrupted or unusable. The largest cyber cat events will contain elements of all three.”

Paolo Cuomo, executive director, strategic advisory, at Gallagher Re, takes a different tack. He says: “If the world ends or descends into anarchy because of a cyber event, your organisation is irrelevant…[but] you don’t want an event in which your business is disproportionately affected.

”For an event to threaten the system, it either has to knock out one of the internet’s crucial pieces of centralised infrastructure or go uncontrollably viral.”

“You won’t be forgiven for that. That leads to Directors and Officers (D&O) claims. So, executives need to be asking the question—what’s the likelihood that something will happen that we’re less prepared to deal with?”

The consensus is that cyber catastrophes will be infrequent events, but severe and impacting a large population of users rapidly. 

Gallagher’s report says: ”For an event to threaten the system, it either has to knock out one of the internet’s crucial pieces of centralised infrastructure or go uncontrollably viral.

”A prolonged cloud outage is the first of the two most common suggestions—for example, the failure of Amazon Web Services or Microsoft Azure—rendering huge swaths of the business world inoperable.

”The second is a new, virulent strain of malware, potentially a second cousin of NotPetya, one of the most destructive pieces of code in the last decade.”

Unexpected vulnerabilities in widely used software are a related risk. However, companies can mitigate these risks with improved staff training on social engineering and phishing attacks.

Can new technologies help businesses improve the risk?

Gallagher Re has been studying the potential for new technology to improve cyber risk management.

For instance, US tech-based managing general agents (MGAs) use outside-in scanning technologies to assess their policyholders’ vulnerabilities.

Instead of asking a client to respond to a lengthy questionnaire about their security posture, this approach uses technology to rapidly scan the client’s internet-facing surface and then make underwriting decisions based on the results of the scan.

After a zero-day event, carriers can also use this tech to identify potentially exposed clients and help them patch or protect themselves before losses emerge.

Justyna Pikinska, global head of cyber analytics at Gallagher Re has mixed views: “Outside-in scanning can prevent some of the claims… It’s very helpful for SMEs purchasing a low limit of cover but does not necessarily show you all the results, particularly when considering targeted attacks on larger companies.

”If a malicious attacker wants to go after [a large corporate], they will find a way.”

Other new technologies may help companies beef up their cyber defences, such as self-healing systems.

”If a malicious attacker wants to go after [a large corporate], they will find a way.”

This new breed of network, incorporating machine learning and other AI tools, is designed to identify errors or faults within itself and potentially repair them without human intervention.

The system achieves this through monitoring to quickly gauge deviations from standard configuration settings and either repair or re-install the affected component. Industry commentator Forrester Research has recommended them, and many in the IT community are optimistic about their potential to defend against cyber attacks.

Meanwhile, AI could help to defend against cyber attacks—or make them worse

Since ChatGPT was unveiled in November 2022, hackers have been busy. Already, large language models are being deployed to write phishing emails, analyse code to find vulnerabilities, or even write malicious code.

Markets such as Japan have historically experienced fewer claims from phishing attacks due to the difficulties that fraudsters have in translating attack emails, but large language models are facilitating better translations.

“AI is very exciting—a new paradigm,” says Pocock. “But we’re going to see a lot of catastrophising. It does lower the bar for threat actors to launch a broader range of attacks with less manual dependency, phishing being a good example.”

That said, AI is a double-edged sword. If attackers can use it, so can defenders.

“Cyber is young, so if we all do it the same way, there’s a risk of us having a collective delusion.” 

“The balance of power doesn’t change if you have good defences,” says Simon Heather, Gallagher Re’s head of cyber cat modelling.

One example would be the increased ability of anti-virus software to detect intruders using AI to identify their behaviour, rather than the traditional approach of identifying signatures.

Problems may emerge if there is a mismatch between attackers and defenders, however—and this is most likely amongst small and medium enterprises (SMEs).

“SMEs are more vulnerable,” says Heather. “They often don’t have an understanding of AI—a lot of the time, IT security is not their focus.”

At present, the insurance industry treats smaller businesses as simply a miniaturised version of a large business. But in cyber terms, SMEs are an entirely different species.

Pocock believes a diversification of models would be positive for the market. “The upshot of diversity of modelling is a good thing. Cyber is young, so if we all do it the same way, there’s a risk of us having a collective delusion.” 

Finally, there’s the overwhelming challenge of employees whose behaviour has an overwhelming impact on an organisation’s security.

The most realistic way to mitigate risk here, is through improved education and training, coupled with automated detection and response systems.