Risk managers advised to up their cyber risk game

A leading Swiss cyber risk and insurance expert advised risk and insurance managers to take a close look at their cyber coverage on a regular basis to ensure that it is truly fit for purpose for what remains a rapidly evolving threat.

Peter Hacker, cyber security and insurance expert and founder and director of Distinction.Global, told members of the Swiss risk and insurance management association SIRM during its recent 50th anniversary forum in Bern that he remains a “big fan” of cyber insurance.

But he stressed that given the evolutionary nature of the risk, it is more important than ever to design cover that reflects the realities of the corporation’s activities, structure and risk management approach.

Hacker, a former senior executive at broker JLT, also stressed that while good tailored cyber insurance coverage remains critical, risk and insurance managers must keep abreast of the changing cyber threat environment and equally ensure that robust preventative measures and systems are in place.

These measures critically need to be validated through crisis management and recovery plans that are exercised against realistic scenarios that “make you sweat”, not just mere table-top exercises, said Hacker.

Dynamism is the key in cyber risk management and transfer, stressed Hacker, who has carried out many consulting projects for leading insurers and reinsurers in the European and international market, notably analysing aggregations and levels of affirmative and silent cyber.

He pointed out how the rise of AI and the arrival of ChatGPT itself bring a whole new layer of risk as well as opportunity for corporations and individuals worldwide.

While ChatGPT has inbuilt defences against misuse, it did not take long for the hacking community to come up with its evil cousin, WormGPT.

WormGPT is described as similar to ChatGPT, but has no ethical boundaries or limitations. It was discovered for sale on a hacker forum in July of this year and has the power to create remarkably accurate likenesses – audibly, visually and in writing.

Hacker warned the SIRM audience of the obvious game-changing potential of this tool in the ransomware and online fraud/phishing “market”.

The cyber expert said that the rise of AI clearly brings vulnerabilities and improved defensive capabilities at the same time. “Phishing and social engineering attacks are already the number one risk. ChatGPT can help you defend against this. WormGPT is, however, properly written with no spelling mistakes,” said Hacker, referring to the common failing with ChatGPT that many students have already fallen foul of!

“Business email compromise is the number one malware focus. AI will be used for such attacks through deep fakes such as corporate announcements to move markets. So with AI comes a lot of upside but also a lot of downside, and this also has a lot of implications for insurers and brokers too,” he said.

The cyber expert gave one example of a major risk that is generally not covered and will likely be a rising malicious threat – wiped data.

In February of last year, global communications group Viasat confirmed that a “multifaceted and deliberate” cyber-attack had been carried out against Viasat’s KA-SAT network that resulted in a partial interruption of KA-SAT’s consumer-oriented satellite broadband service.

The incident coincided with the Russian invasion of Ukraine and was blamed on Russian state-sponsored hackers. It is believed to be one of the first state-sponsored attacks on commercial satellites.

“It was hacked. The modem was hacked using wiper malware. They were not asking for data as with ransomware but wiping data, which is not covered by most cyber policies because it is not deemed a physical loss.”

These kinds of incidents tend to have knock-on effects. Viasat specialises in serving military and infrastructure. The French government confirmed that the attack also hit its police and ambulance communications.

It was also thought that around 30,000 satellite terminals used by companies and organisations in a variety of sectors were affected across Europe. Among them were 5,800 wind turbines operated by German firm Enercon in central Europe, with a total installed capacity of more than ten GW. Interestingly, Enercon confirmed that such satellite operations have no back-up systems and the installations had to be brought back online manually.

“Do not fall into the trap of thinking that past attacks will be the main ones of the future. This is not fire or water,” advised Hacker.

Hacker also pointed to the rising threat posed by Distributed Denial of Service (DDoS) attacks launched via the Internet of Things (IoT).

In 2016, for example, a DDoS attack in Finland disrupted the heating systems of at least two housing blocks in the city of Lappeenranta, leaving their residents without heating in sub-zero winter weather.

The facilities management company that ran the blocks luckily had a manual back-up in this case, but the potential threat is clear as the world obsessively, and arguably rashly, rushes headlong into a fully connected future. “With more IoT devices in homes, expect more attacks,” said Hacker.

Next up to keep the risk and IT security manager awake at night is the rise of polymorphic malware, warned the cyber expert.

This uses an encryption key to change its shape and signature. It combines a mutation engine with self-propagating code to change its appearance continuously and rapidly morph its code. This type of malware exists in multiple forms, such as viruses and bots. Traditional anti-virus tools struggle to keep up with the mutating threat.

This technique was actually first developed to help expose the weaknesses of anti-virus tools and so improve defences. But it inevitably fell into the wrong hands, and it is thought that today nearly every malware infection employs some form of polymorphism.

“This is the most evil one and is coming to your dreams. You need to be prepared for it or you will be continually on the back foot,” warned Hacker.

As risk and insurance managers in Switzerland and across Europe are more than aware, it has become increasingly difficult in recent times to transfer these risks to the insurance market, which has woken up to the potentially systemic nature of the risk, to aggregations and to silent cyber. Exclusions have become the norm, and the range of often-flawed and inconsistent wordings offers a potentially rich vein for lawyers in future.

Hacker advises risk and insurance managers to wake up to this challenge and get on the front foot. “The risk is not becoming smaller. Personally, I am a big fan of cyber insurance, but it needs to be matched to the specific risk, the potential for D&O exposure and the like. Can insurance help? Yes. Is it here to stay? Yes. But it will change,” said Hacker.

The bottom line is that this risk needs to be taken seriously, with investment in a dynamic and proactive process and system for identifying, measuring and managing the risk before insurance is acquired, just as with any risk, really. The big difference with cyber is the speed of the risk’s evolution and the potentially cataclysmic impact of an event that is unexpected, unprepared for or poorly managed when it hits.
