Cyberattacks as the new normal

The ‘Petya’ ransomware virus crippled major corporations round the world on Tuesday but insurance industry experts question whether this was just ‘business as usual’. Those responsible for unleashing the virus were reportedly demanding ransoms of US$300 to release the encrypted data.

While the figure might seem low, this will scale up very quickly, according to Tristan Liverpool, director of systems engineering UK and Ireland at technology security specialist F5 Networks. “These attacks are upping the ante, as they hit services that affect people’s day-to-day activity; such as healthcare, postal services and transport services,” he says. Indeed, last week South Korea web hosting firm Nayana reportedly agreed to pay hackers a record ransom of US$1m-plus to unlock its frozen computers.

“The more concerning issue is how national infrastructure is being impacted. There is no easy solution to eradicate ransomware, but when the dust settles the source of the compromises needs to be determined and remediated,” adds Liverpool.

The Lloyd’s of London insurance market this week hosted a panel of cyber risk industry experts to discuss how to protect businesses from cybercrime. Panellists Vanessa Leemans, chief operating officer (COO) of broking and risk management group Aon Risk Solutions and Paul Bantick, an underwriter for technology, media and business at insurer Beazley, both acknowledge that this type of attack is simply something that has become an everyday threat.

Panellist Matthew Martindale, director of cyber security, KPMG, said: “Business as usual was previously, ‘let’s keep the data on the server,’ and now business as usual will be that no one wants to touch the data it unless it goes through the correct compliance processes. We’re in that transitional phase.”

Liverpool agrees: “Going into the new world of IT and connected devices, with every element focusing on the application, the digital attack surface area will continue to grow.

“This gives the attackers more opportunities to infiltrate data. More focus needs to be put on the application and data security. In addition, more cyber security education should be integral in everybody’s daily lives.”

While most businesses have undergone a huge culture change in recent years, reflected in measures ranging from training staff on cyber risk issues to having fraud alert posters around the office. There has also been a spike in demand from insurers for business interruption (BI) coverage, according to Dan Trueman, chief innovation officer (CIO) at Lloyd’s (re)insurer Novae.

Beyond hackers

However, the cyber insurance market still only insures a fraction of total global exposure.

One audience member argued that this is because the cyber insurance market is unwilling to take on more than a small percentage of the risk. However, Trueman argued that this is partly because there is a lack of awareness of how broad cyber insurance really is.

Cyber risks do not just involve hacking, he stressed. It can be anything from a power outage to an accident by an internal member of staff.

One example of this is last month’s much-publicised British Airways IT failures that caused a cyber event and grounded many of the airline’s services. The operational failure that plagued BA was reportedly caused by an “uncontrolled return of power” following a power outage that physically damaged servers at its data centre. About 75,000 passengers were affected as flights were cancelled and early estimates put the cost to the airline at £150m (US$194m).

The media: help or hindrance?

The mainstream media has the power to shape the reputations of both the hacked and the hackers. Hackers are often stereotyped as teenage boys in their bedrooms, whereas the type of hacker to launch attacks seen this week would be extremely sophisticated and a far greater threat that a malicious teen.

“The cyber-attacks that frequently dominate the headlines can distort how businesses perceive the risks associated with cyber,” commented Closing the Gap, a Lloyd’s report launched to mark the event. “There is a natural tendency to focus on the unusual or memorable, but this doesn’t always reflect the reality of the cyber risks facing companies every day.”

Despite individual publications having reporters who specialise in cyber risks, much of the media is still learning about cyber events, meaning that the reporting is not always as adequate as it could be, suggests Leemans.

As a business preparing for a potential attack, “you need to know that there will be a vacuum where you have to say something,” she advises.

In Europe, a business currently is only required to report a cyber event if customers are effected. However, when Europe introduces the General Data Protection Regulation (GDPR) in May 2018, this will change. All incidents will need to be reported, regardless of whether consumers were impacted.

As a result, “we’re going to have more of an educated media. But, we have a lot of scaremongering going on right now,” predicts Leemans.

In this environment, European businesses need to limit resulting reputational damage if they are required to report an event. “It’s one of the reasons why you need to have something to say as a business, even though you don’t have anything to say,” she argued.

“You need to figure that out beforehand. What you should talk about is how are you protecting your data, what steps have you taken, where does encryption fall into that and how have you been training your staff. There lots of things that are not confidential that you can talk about.”

238 views

Related reading