Will cyber attacks soon be uninsurable?
by Tina Siering
The number of cyber attacks and the damage they cause are at record levels worldwide. The situation is not expected to ease in the next few years; on the contrary, it will continue to worsen. Insurance companies are becoming increasingly concerned about this growing cyber risk. In an interview with the Financial Times, Mario Greco, CEO of the Swiss insurance company Zurich, predicts that cybercrime could soon become uninsurable, especially for operators of critical infrastructures (CRITIS).
Greco points out that cyberattacks are not just about data, but about the lives of the entire population. Attacks on critical infrastructure in particular could have far-reaching consequences for civilization. In the recent past, these included attacks on hospitals, for example, which temporarily restricted patient care. But incidents such as the ransomware attack on the Colonial Pipeline in the southeastern United States, which temporarily led to shortages in gasoline supplies, are also cause for concern. This is because such attacks affect not only the original target, but also the companies that are economically dependent on it. In Europe in particular, the issue has gained additional importance since the start of the Russian war of aggression against Ukraine.
Insurers' initial reactions: policies are already significantly more expensive
Many insurers have already reacted to the increasing damage caused by cyber attacks. On the one hand, they have increased their premiums so massively in recent years that insurance is increasingly becoming a financial burden for many small and medium-sized companies. Premium adjustments with an increase of 50 to 100% are not uncommon. On the other hand, insurance companies are changing policies in such a way that policyholders have to assume a higher share of the losses themselves or that not all losses are covered anymore. For example, after food manufacturer Mondelez fell victim to the NotPetya cyberattack, Zurich refused to pay $100 million in compensation in 2019 because the policy excluded war-like actions. Later, however, the parties were able to reach an agreement.
According to Greco, it is not possible for private sector insurers to cover all costs resulting from a cyberattack. The Zurich CEO therefore advocates government or private-public insurance systems in the United States that take care of systemic, non-quantifiable cyber risks. This would be comparable to insurance systems that cover earthquakes or terrorist attacks in some countries of the world. The issue is also already under discussion within the U.S. government.
In addition, Greco is in favor of the U.S. government's plan of action to prevent ransomware attacks. He believes that there will be fewer cyberattacks if the payment of ransoms is restricted.
How to prevent damage from occurring in the first place
Of course, the German government is also aware of the heightened threat situation. With the IT Security Act (IT-SiG) 2.0, it is therefore obliging CRITIS operators and companies of particular public interest to implement suitable attack detection systems by May 1, 2023 at the latest.
Companies affected by the law include those
- from the gas, electricity and energy supply sectors,
- from the municipal waste disposal sector,
- from the defense industry,
- from the classified IT sector and
- with particular economic significance.
Unlike traditional passive security techniques such as firewalls or network segmentation, attack detection systems actively look for suspicious activity on the corporate network. This means that compromises can be detected after a very short time, which prevents attackers from moving further into the network and causing more damage.
This is particularly important in view of the ever-increasing complexity of production networks. More and more components - such as sensors, actuators and intelligent control systems - are communicating with each other, generating data and data streams that need to be monitored. This is only possible with 24/7 monitoring, which immediately detects and reports conspicuous behavior and anomalies in the network. IT-SiG 2.0 thus makes an important contribution to preventive defense against data manipulation and theft and to protecting critical infrastructures.
How SMEs and CRITIS can meet their obligations
Solutions that meet the precautionary obligations of IT-SiG 2.0 include managed detection and response services such as Active Cyber Defense (ACD) from Allgeier secion.
As required by law, the security consultants proactively and continuously examine your network traffic for attack activities and anomalies and detect attacker communications to Command & Control (C2) servers. If action is required, the ACD team informs you immediately so that appropriate countermeasures can be initiated in good time before any damage is done. At the same time, the incident can be reported immediately to the German Federal Office for Information Security (BSI) so that you can fulfill your reporting obligation as required.
Because ACD is a fully managed service with an outsourced SOC, even small and medium-sized businesses with limited resources can ensure effective protection of their systems. Depending on the company's location and number of Internet access points, implementation usually takes only three to seven days, so you can meet regulatory requirements in the shortest possible time.
In view of rising losses due to cybercrime, insurance companies have already been taking measures to limit losses for several years. On the one hand, insurance premiums have risen sharply, and on the other, policyholders are having to pay for more and more damage themselves. In the worst case, cyber attacks will soon no longer be insurable at all. In the USA, therefore, there are already calls for private-public insurance systems to take on systemic cyber risks.
The German government has responded to the heightened security situation by updating the IT Security Act. Version 2.0 has increased the requirements for cyber security: CRITIS operators such as utilities, as well as companies of special public interest, are now required to deploy attack detection systems (SzA) in order to increase network security in critical infrastructures. What is required are solutions that actively search the network for conspicuous actions and report them immediately. With Allgeier secion's Active Cyber Defense (ACD) service, even SMEs with limited financial and human resources are able to fulfill this obligation by means of anomaly detection.