Are countries ready to become cybersecurity insurance companies of last resort?

A senior member of the Cyber Monitoring Center (CMC), which was set up last year to monitor, report and classify cyber incidents affecting UK organisations, this week questioned whether the government’s £1.5 billion (about $2 billion) loan guarantee to Jaguar Land Rover (JLR) should have happened in the first place.

Speaking at an event held by the Royal United Services Institute (RUSI) which reviewed the CMC’s activities in its first year of operation, Ciaran Martin, chairman of the CMC’s technical monitoring committee, discussed the loan guarantee announced last year following an attack that has been described as one of the worst cyber incidents in the UK.

“I must emphasize that I am speaking personally now. I think that the loan guarantee is a bad example because the government intervened in a specific way, in response to a set of events, without a clear process of what form such intervention can take,” said Martin during a panel discussion with CMC executives and Tracey Paul, chief strategy and communications officer at Pool Re, the UK terrorism reinsurer.

Martin, who is also a RUSI Distinguished Fellow, said, “obviously there is a set of plausible, realistic, dire circumstances where most reasonable citizens would expect some form of government action. What else?”

To complicate matters, Paul noted that today there is a gap in cyber insurance protection. “I don’t know how we’re going to close this gap between potential economic losses and insured losses without some cooperation between the government and the insurance industry and other parts of the cyber ecosystem,” Paul said. The industry has a pre-funded model, and a contract with the government where if the insurer runs out of money, the government will step in and lend money to cover the loss.

“But that’s another way of doing it and I think they’d like the flexibility to do it another way,” Paul noted. “But what I think is that you can’t transfer risk between the public sector and the private sector unless you have some kind of structure around it, and at some point the government is going to have to come to the table about what that looks like to make that happen.”

The impact of the event ‘could flow through the entire economy’

Analysts share Martin’s concerns.

Erik Avakian, a technology consultant at Info-Tech Research Group, said on Friday that he has “been predicting for years that attackers will move from small disruption attacks (think DDoS) to catastrophic disruption and destruction of company operations.”

The JLR incident, he said, “really speaks to having an impact on the overall strength of the company’s business. And once that happens, the implications can be more than just missing a quarterly salary.”

Avakian added that, “what we saw with the attack on Jaguar Land Rover is an example of that, and it shows that a cyber incident can shut down real-world operations in such a way that the effects can affect the entire economy, not just IT systems; where a cyberattack can directly affect a country’s GDP, employment, and cause damage to a country’s sales.”

He agreed with Martin’s sentiments, explaining, “in my opinion, the government to enter in this way with the guarantee of loans is long overdue and to send a signal that some companies can now be considered too important to fail because of the cyber risk. That can create a dangerous precedent because large, critical organizations can be the main targets of cyber criminals if they know that a successful attack can cause such large consequences.”

It can also lead to new risks, says Avakian, “where companies may invest less in their security if they believe there is an opaque safety net in place. Cyber resilience is more important than ever and should be fundamental to how organizations think about security and risk management; not just how to prevent a breach, but how to keep business operations running in the face of cyber attacks.”

David Shipley, CEO of Beauceron Security, added, “a monster has been created using insurance to cheat our way out of danger in very expensive, but long-term, ways.”

He asked why organizations should “invest all the work in insuring many things when you can’t buy insurance?”

The government bailout of the industry, says Shipley, “is next, a bad leap from the same flawed decision. If insurance was the crack cocaine of cyber risk management, government bailouts are the fentanyl of business. Perhaps the wisest answer is, we have to be accountable for the real costs of proper security for our assets and services, and invest in ways that don’t put money in the hands of criminals.”

This article appeared on CIO.com.
