EVENT TRANSCRIPT: Cyber Security Insurance: Is Regulation the Answer?
DATE: 18th March, 3.00pm – 4.00pm
VENUE: Online
SPEAKERS: Dr Asaf Lubin, Dr Jan Martin Lemnitzer
EVENT MODERATOR: Dr Danny Steed
Dr Danny Steed 00:01
Ladies, gentlemen, good afternoon to you all. And thank you for joining us today for this event on whether or not the cyber insurance market should be regulated. First off, my apologies if we’re a couple of minutes late. I had a very 2021 drama and my network crashed one minute before the hour, so my sincere apologies if anyone has been waiting. We’ve got a very exciting couple of guests this afternoon to talk on a subject that in many ways I was saying to as just before we got started, it’s no exaggeration to say we’ve got quite a ticking time bomb with cybersecurity insurance and the challenges which come with this. The way we’re going to do this today; my guest, Dr Jan Lemnitzer, will be presenting his research on his very recently published article, “Why Cybersecurity Insurance should be Regulated and Compulsory” that was just published in the Journal of Cyber Security. Jan is the founder of JML Cyber policy consulting and also teaches Cyber Security Policy at Copenhagen Business School. Joining us as well is Dr Asaf Lubin, who’s Associate Professor of Law at Indiana University. What we’re aiming for today is not going to be quite as polarized as regulation-non-regulation debates. It won’t quite be a riposte from that, but we are going for a bit of spirited critique on the views Jan has been developing his research lately. So just before I hand over to Jan, please do pump in those questions on the Q&A chat channel. As we move ahead, we will be triaging them, and we will be opening up for questions for the second half of the hour. Otherwise, Jan, I know you have your slides to share, please, let’s get those up. And let’s hear from you why cybersecurity insurance should be regulated.
Dr Jan Lemnitzer 02:44
Thank you very much for inviting me and for giving me the opportunity to talk about my research here. It’s indeed hopefully going to be very interesting because whenever it comes to regulation and something being compulsory for 10s of 1000s of businesses, then the European and US perspectives tend to be rather different. Here, however, we are all also in the same boat of desperately trying to make up solutions on what to do against an escalating wave of cybercrime, especially ransomware, and how to protect businesses and keep them going what is still a rather new digital economy. And what I’m trying to develop here in the next 10 minutes or so is an idea of how we can use compulsory cyber insurance combined with externally set minimum standards to solve a problem that otherwise has been addressed, but never really resolved in the many different National Cyber Security strategies. So why at all talk about insurance and something as exciting as the world of cyberspace? Well, cyberspace is very much marked by uncertainty. And insurance is what humans have for centuries chosen as their tool to manage uncertainty. Now, there are great expectations for the cybersecurity market to take off, but even in the US it has not taken off as expected. For example, in Europe, there are estimates that about 85% of companies currently do not have cyber insurance. Now, my argument here is that if we get these companies under the cover of cyber insurance and into the gentle embrace of the insurance, we can use them to persuade these companies to practice better standards of IT security and must be better protected against cybercrime. Now, SMEs are a particular problem here, small and medium enterprises, because surveys in various countries routinely show that about half of them fail to practice basic standards of IT security. They use outdated, unsupported software, they fail to patch the operating systems. They have no clue what hardware and software they’re actually running at any one time. They ignore basic cyber hygiene and security protocols. This is why cybercrime is so easy these days. ransomware gangs know this and they’ve deliberately targeted SMEs and wealthy countries to win a sizable, if not super large ransom for very little effort. Now, in the next coming weeks and months, the mass exploitation of the Microsoft Exchange vulnerability means that a new wave of ransomware attacks is going to hit just these businesses and many others. So, when I present this research and academic conferences, sometimes I get the question: Well, why is that a problem, that’s their own fault, then, I argue for a bit more sympathy with small and medium sized enterprises, because if they are hit by a cyber attack, they face a much higher bankruptcy risk, than larger economies, and they are the backbone of our economies. But if they’re vulnerable, they are the soft underbelly of our economies. And that’s not just bad for all the productivity and the jobs they provide, but they also being used in supply chain hacks as entryways into larger companies or government networks, for example, critical infrastructure. So our digital economy or ecosystem as a whole is only as secure as the many small companies that we rely on. So how full-time insurance help here. And if it goes through sort of step by step, the various benefits. Signing up for cyber insurance might be the first basic audit that a company does for its cyber risk exposure. Good insurance insists on certain minimum standards already. Now, I argue later, this is something that should be extended, and formalized. Insurance also provides financial coverage up to a specified limit. It’s not a not a free lunch, but it provides financial coverage and a very vulnerable moment for the company as it tries to recover from a ransomware attack. Insurers also provide incident support services for their clients, which is not as much of a benefit for the biggest companies, but for a small company that will not have a cyber security company on a monthly retainer to be able to call them as they please, this makes a massive difference. Because if you go into the office on Monday morning, and you have double prime (inaudible) in your systems, that is a very bad moment to scout the incident response market and get a good price. And it’s not just the incident response teams. It’s also forensic specialists that help you to recover client data. And in Europe, and in those states in the US where you have data protection regulation, you also have consultants for these aspects that are very important, especially because there are strict legal duties connected to big fines. If it’s so beneficial, the question then is why SMEs aren’t buying these policies in huge numbers. And the reason for that is partly rooted human nature. Doing going through this audit, buying this, choosing the right insurer cost time, money and effort and gives no immediate benefit to the bottom line. Especially if the insurer suggests replacing outdated or unsupported it. And it helps against the risks that is not very easy to get a grip on. A lot of business owners believe they will not be targeted because they are small and say in rural Indiana. But research shows that the recent experience of a cyber-attack is the best motivator for taking up insurance. And I argue that we might stab the business owners this special kind of motivation and just sort of get one step further and realize it’s a good idea. Another problem is that the way the market works right now, the policies and the variations and coverage options and definitions is genuinely confusing. Even brokers and large companies are struggling to understand what’s on offer and what’s best for them. So this is something insurers really have to tackle. And there is a big question mark as to whether insurers will pay out in the end because many, many policies include clauses that make the policy invalid in cases of negligence, and it is very hard to make sure that no one in your company’s ever negligent when it comes to IT security. So, insurers say they have an interest in paying out and growing the market, but companies remain doubtful. Insurers also could be doing more to push this product but because as WannaCry in our picture, have scared the market this would be a prime opportunity to sell lots of policies, but they’ve also spooked reinsurers who worry about systemic or aggregate cyber risks that might bankrupt them. So solar winds and the current model Microsoft Exchange vulnerability are great examples of what this means when 18,000 companies or 100,000 companies are hit at once by the same software vulnerability. Now, if they all have insurance and put in claims for the damages at the same time, this will overwhelm the group of 5, 6, 7 large reinsurance that are the backbone of the entire insurance business. At the same time, they have another problem, so called “silent cyber risk”. It was fashionable for a while to put in cyber add-ons to existing property or other commercial policies to say, oh, this is better than the competition. But very often, these policies use unclear broad definitions, and don’t specify maximum claims for cyber damage. So even the insurers don’t know precisely how much cyber risks they have already covered. They’re trying to claw back on that and trying to push cyber insurance into specific standalone cyber policies. But we’re not quite there yet. There’s a lot of these policies out there. And the other sort of dark secret of the industry is insurers really struggled to understand and price the cyber risk of small companies, they are getting quite good at understanding the cyber risk of a big company, they work with auditors who go in talk to the people make a report, give back an informed picture. But this is unrealistic for 10s of 1000s of small companies, you cannot pay several years’ worth of premium just to send an auditor on site. So how much information can you get from the outside? What kind of questionnaires can you send? How can you verify the information that they give you? And how do you? How can you get reliable grip on the cyber risk that you’re just taking on? That is a big problem. And I guess that’s something we’ll be talking about more later. And I argue that the best solution here for the moment is to establish IT security standards specifically for smaller companies that insurers can rely on, but they are. But that said externally, not by the insurance themselves. The problem here is that we have plentiful it certifications and standards, but they’re mostly too complex and expensive for most SMEs that have just a dozen or so employees. That is something that the National Cyber Security Center in the UK trying to pick up on by developing what they called the cyber essential standards, which was a very good idea. But first, it was too basic, we need something stronger now with the way cybercrime has developed and be it was unverified. So at some point, companies need to say okay, we have a certificate now we had an auditor in. And this is something we can show to business partners to prove we are secure. And this is also something they can show to the insurer. These standards must include things like a risk assessment document, multi factor authorization, network segmentation, patching policies and staff training, for example, on how to spot a phishing scheme. This can also be coordinated with efforts that are currently happening in the field of supply chain cyber security, where both in the US and in Europe and of course in many other places, countries start to think systematically about the risks their critical infrastructure companies face where the local waterworks have like dozens of different suppliers and have no idea what cyber risk each of them pose. And they’re introducing duties to try and manage that. And this is fundamentally the same problem that the insurers have. So, this is something where efforts can be converging. Austria, for example, is just introducing its own cybersecurity rating for critical infrastructure suppliers. In the EU, something like this will come with the information security directive that will come and replace the NIS directive of 2016. That’s already in the draft. But for the moment, there’s a large gap here, and US based online ratings companies have moved in. And that is also something we can talk about later, because that is also something I’ll be doing more research on. Because on the one hand, they fill a gap, and they do something amazing. They allow you to rate the cyber security of a company online with a click just by checking its network configuration, websites and so on. On the other hands, they are only capturing part of the picture of what is happening in that company. So the question is really can you turn these this partial view that you have into a number and say you have now quantified cyber risk? So what else should be done to regulate cyber security insurance and I know this is something that is also beginning to happen in the US with New York, making the very first tentative steps towards regulating cyber insurance and As a European by heart, I argue that should be much more than it should be much more detailed. There should, for example, be minimum coverage requirements, especially regarding support services, that removal, insurer discretion should be removed here. Insurers should be encouraged to standardize the definitions and the scope of coverage they use so that policies are more comparable, I don’t want to remove the market here. But people have to understand the market so that market forces can play out. Also, dodgy practices such as covering ransom payments and fines for data protection breaches should be banned. And this is something that I feel quite strongly about, especially as we’re now seeing a trend of the best, most advanced ransomware gangs attacking cyber insurance so that they know who is covered, especially in the US and sort of working their way to the client list because they know these companies are insured and will pay and then they can finish off by attacking the insurer itself. That is happening right now. And that is also something that can be easily discouraged, but just not covering ransom payments anymore. At the same time, we could use insurance claims information, and get some better idea of what’s happening with ransomware in Europe using the GDPR Breach Notification process to try and establish a database. Because that is a big problem that we just don’t know the scale of the problem. Right now, in a report just published today, there was an assumption that there’s about $4 billion worth of damage of cybercrime to the US alone in one year. But the figure for ransomware is only 29 million because nobody reports the damage. I think it’s probably easily that figure again, but we don’t know precisely. And even the FBI is now trying to sit down with insurers and says, please give us some data. So we have some idea of what is going on. And I think that shouldn’t be formalized, at least in the EU, we have we have the tools to do that. So now to the big, big point at the end the compulsory bit. How would that even work? And I’m saying it worked with GDPR. If we had asked companies in Europe nicely 2015 to think more about data protection, they would have said “yes, sure.” But they would never have gotten to the level of compliance with the regulation that we’re seeing now. As it’s become compulsory. And I predict something similar will happen with cyber insurance, where we can have another National Cyber Security Strategy, telling small businesses to think about cyber security, but they’re just not going to do it. Whereas if they have to get compulsory insurance and enjoy the benefits of that, but at the same time have to fulfil certain minimum standards to get this insurance, then they will sooner or later fulfil these minimum standards in just a matter of years. It will also help to lower the premiums, which are going to rise quite substantially in light of recent ransomware developments simply because we’re going to have a much bigger market size. Just to make it a bit more controversial. It works a bit like universal health insurance in Europe, where the risk is spread out among a large number of people and though becomes easier to carry for the individual. Finally, we will need some sort of backstop mechanism to protect reinsurers from cluster or aggregate risks. There’s a couple of models out there on how that could be done, I’m sure others have thoughts on that. And yeah, I look forward to what you make of all this and how much of it is going to survive your scrutiny.
Dr Danny Steed 18:55
Jan, thank you. Quite a tour of what is, you know, as I’m sure our listeners are starting to appreciate a far deeper and wider issue with so many challenges. Asaf, I’ve seen you chomping a bit there certainly for at least the last five minutes. So let’s hear your thoughts.
Dr Asaf Lubin 19:18
Certainly, I also prepared some slides, I’d be happy to share them though. My use of them is only to react to the great points raised by Jan so I’m sharing them now. I will say at the outset that we need to be very cautious when we use the term regulation and understanding what kinds of regulation we’re talking about, who should be employing them and then what time they should be employed. I think Jan did a great job in both identifying the many plugs that are common to the cyber insurance market in identifying the list or menu of potential regulatory interventions. But we need to perhaps take a step back and ask the question of whether or not each of these regulations will be effective in the right time, and what time given the fact that we need to recognize that every regulation comes with a cost. The cost is the most obvious level, the political and capital resources that will be spent in making that regulation which might hinder potential other regulations in the future. And so, in being a reactionary and reacting to particular issues that we identified a market at its current form, we might be developing regulations that create would create their own externalities, and thereby also hinder the possibility of a wait and see approach, letting the market mature first, and then develop regulation that better identify the risks and problems. But within the 10 minutes I was given, what I want to do is both identify to you in a different form: what are the problems that currently plague the market, and then offer you a taxonomy of potential regulations of the market and explain to you when those should be promoted. And these can be what I’m trying to do is just group some of the problems that Jan had identified to a set of limits to currently identified in the cyber insurance market. And the first is perhaps the actuarial challenge of cyber insurance. In fact, you have a Warren Buffett at the bottom there who had said that anyone who claims to know how to model cyber risk is quote, kidding themselves. And the reason for that has to do with the fact that this is still an emerging and evolving risk. And therefore, we have a lesser understanding of how this risk materializes on a day-to-day basis. And the tools that we use to measure this risk are perhaps inefficient. In fact, his is a slide from Sasha Romanosky and his colleagues, which suggested that carriers who are trying to price their cyber risk are doing this in a sub optimal way. They don’t know what they’re talking about, they’re mostly guessing. And they’re using someone else’s guesses whenever they can to set their own coverage. And in an environment like that, when insurers are not in no position to develop the correct pricing models for the cyber risk, the result will be a product that is unable to engage in what Jan wants to see in the world, a private insurer that is indirectly regulating the markets to develop a better cybersecurity hygiene. If we’re not in a position to model the market effectively, we will not be in a position to engage in the kind of private regulation that the Jan wants to see. And one example of that is the tools that insurers use. So this is a question here from one insurer. Let’s take just one of the questions in the question here. Do you promptly disclose your privacy policy? And do you always honour it with the answers being Yes or no? As if a question like that poses to the insurer the ability to engage in what you’re called a basic audit. So, part of the problem is that we are not in a position yet with the tools insurers currently have to engage in the kind of kind of audits that are necessary to develop a good cyber insurance market. And perhaps we need to give the insurers the time they need to develop the tools they need for the insurance should market to mature well enough before we regulate, let alone before we make the market compulsory. Another problem that is common in the market is inflammation of symmetries and risk classification problem. And I think Jan hit on that when he suggested that we need to increase information sharing. But there’s a lot of problems with information sharing, both because a lot of this data is proprietary, and the insurers have a good reason not to want to disclose it. And because the rest of the data, the security data is national security interest of the state, and the state has reasons not to disclose it. So, it’s easy to say we need more information sharing. But the problem is, what kind and at what time and by what entity who should be the controller if a data repository of this nature is one example the problem that we can identify. The same can go for cyber aggregation risks. What makes cybersecurity particularly threatening is the fact that a single risk can cause a harm across the globe, making it so that it is harder for an insurer to diversify their portfolio and to evade insolvency. So, a cloud service provider falling or a supply chain attack, like what we saw with solar winds, could resort with massive economic casualties, as we witnessed with WannaCry. And again, the question is, how do we create regulation to the extent we want to go there that could better address this mega cyber risk in particular, when particularly when the threat is by a government entity, which is using the kinds of vulnerabilities that an insurer cannot be in a position to mandate its clients to protect and prevent. These are the kinds of things that the government is in a better position. To manage and regulate and so the question is where in there is the cyber insurance market playing a role and what facet. And I think the last one is the lack of uniform language standardization and predictability. And again, the markets are currently plagued with a complex language in their cyber insurance policies unpredictable terminology, use of standards that are not uniform in any way cyber security standards. That is, and the result is instability in the in the implementation of the insurance policy once the claim is brought, because we don’t know if the insurer will be in a position to actually cover you for the harm, creating a disincentive for anyone to buy the policy, and also a potential litigation havoc for our court system, and trying to interpret these insurance policies. And so, to sum up, and those would be the last two slides I want to show, I just want to show you that when we think about cyber insurance regulation, it cannot be as simplistic as just here’s the menu. And I want to clarify that I’m not blaming Jan at all about this, this is something that I have done in my previous paper, I also kind of rush to suggest regulation quickly based on problems that I’ve identified in the market. But we need to understand insurance regulation in a broader setting and identify a set of actors that could regulate in different ways at different arts. And see this on a broader lens. And so, what this slide that I have for you today, and I’d be more than happy to share after identifies that we can think about both direct forms of regulation and indirect forms of regulation, both direct regulations of the cyber insurance markets, but also indirect regulation of the liability environment in which these insurance markets operate. We can also think about different sets of regulators and regulated entities. It’s not just the insurer Commissioner versus the insurance company, a commercial insurance company, we can think about state regulation or federal regulation, or in the case of the EU, perhaps an international organization regulating, we can also think about the role those foreign regulators will have on our domestic markets. We can also think about the role that federal security agencies or enforcement agencies play in creating a liability environment in which these insurers operate. All of these actors have a role to play, and they all play off from each other. And so, to just latch on, say, a New York regulation of some sort, the New York regulator cannot take this on alone. Cyber Security is the kind of problem that requires public private partnership. And so, we need to understand all these various actors roles in operating together, and then Consortium, and not just rush to suggest one set of regulations by Congress to pass tomorrow. And so, the last thing, I will also say that we can also think about when the right time is to regulate a long what we might call the product lifecycle. And by product, I mean, not just the insurance product, but also insurance tech products, hardware products, software products, internet platform service solutions, and cybersecurity services, solutions. Each of these can be regulated at different times. And we need to be careful not to stifle innovation, we need to be careful not to regulate too fast to prevent the insurance markets from developing on their own. And also, obviously not to be too to regulate too late when we have already seen massive catastrophes happening in real life. And so each of these timeframes along the product lifecycle could have different regulatory interventions and have different scale nature and awfully effects. And we have to take all of these into account. And so I’m not against any of the ideas that the Jan is proposing today. I’m just trying to suggest that we need to be very cautious and slow paced, and that might not be particularly exciting for people to hear. But that is perhaps the nature of regulation as a whole. And with that I’ll stop share
Dr Danny Steed 29:07
Asaf, thank you. I mean, I think the risking caricature, we’re almost approaching a point of EU blunt hammer versus there isn’t one size fits all. If I could be so bold as to put this there. I mean, I think before I started going into the audience Q&A, the one thing that I that struck me there from what Asaf was just saying, right towards the end, is that timeline side of things and thinking of this from liability side because even the way liability vicarious liability is interpreted is a shifting, i’s a moving target some sometimes at the best of times, and perhaps to you both. Is there a bit of a question mark on this timeline Asaf, not just product life cycle, but company life cycle as well? We might be talking do startups present too much risk to be tolerant tolerated by the insurers and then they have these loopholes, of course, knowing you’re at high risk, and you have to demonstrate maturity, but Jan, I can see you saying straight away, that leaves them in that point you’re identifying straight away, you’re, they’re still an SME, and does that prize the mouse of the market, I just wonder if there’s any thoughts on the way liability is interpreted through this whole cycle?
Dr Jan Lemnitzer 30:35
I mean, if you’re a start-up company, I mean, you probably have just acquired your IT, which means at least it’s not out of support. And it’s probably brand new. So in a way, you are lower risk than then many more established companies where you have, for example, a family company with a patriot saying Windows Seven is still the best windows. And we’ll run it for a couple of years. And running insane, IT security risks without properly understanding them. While at the same time being fully established, growing companies that employ dozens of people, these are the ones I’m sort of worried most about. And if anyone doesn’t deserve coverage, it’s probably them. But I still think they should be held. As for the timeframe, arguments, and that is, I think, where me and Asaf fundamentally disagree. Because this is not a start-up cyber insurance industry that is going through some growing pains. This is a 20-year-old industry that hasn’t resolved well known and fundamental issues that need some kind of outside intervention. If you are talking to insurers about these things, they will, at least relatively readily acknowledge them. And I’ve rarely heard the line, I am afraid. And we are we are flying blind in many ways. And if there’s somebody external that will establish a standard that we can all refer to, and that is practicable, then we’d actually love that. And we’d love to take on more companies and grow up folios and make more money. I just don’t see the risk of early regulation of a misunderstood or poorly understood problem at the time when let’s face it, we don’t have five years to just watch the market and think about that. If you look at the development of cybercrime costs to businesses, if you look at what’s happening with ransomware, and with ransomware attacks, you can’t just tell the world we’re going to watch this space for five years. Something needs to happen. And it’s either going to be direct state regulation, or it’s going to be it’s going to be some sort of indirect regulation of the of the time, I suggest, because I think it might work better, even though really complex. Or we’re going to get to the point when the damage is going to be so big that there’ll be calls for some drastic action on the international stage against the states that are sheltering ransom by gangs. So, I think the regulation route here in the insurance sector is by far the lowest risk.
Dr Asaf Lubin 33:25
I’ll just briefly is fine. I agree with Jan, I think we disagree on the nature of the market. I don’t think it’s a 20-year industry, the fact that there were early cyber–Insurance Solutions in the in the early 2000s does not make it a 20-year industry. The early cyber–Insurance Solutions in 2005, are not the same as the ones that were offered in 2015. And they’re not the same as the ones being offered in 2021. The market is evolving, and it’s evolving at a rapid pace. And part of the problem is that they are still being plagued with realities around cyber security. They have nothing to do with the insurance market and have everything to do with the fact that we as a society have not yet figured this thing out. It’s easy to say we need a standard. The problem is that the standards currently in place will not have caught something like WannaCry or Solar Wind. The problem is that we have standards that are in no way will but cannot be a magic bullet that would solve the problems that you’re identifying. And so where I disagree with you is the government can step in and just say you all need to comply with standard X. And once we do that, we have solved the cyber insurance market problem. And if you take just ransomware as one example. I don’t think we’re in that position. I certainly in my conversations with both the FBI and the Secret Service in a position to just here in the United States deem all ransomware payments illegal. I think that the reality is the ransomware is the kind of problem that could pose in certain circumstances, life and death decisions that could have immense impact. And so, a blunt regulation of the kind that you’re proposing could have dramatic impacts on the companies, and then on society as a whole. And what we need is a case-by-case careful regulation by the FBI, one that I’ve pushed for in the past, but that is not uniform. And, and, and one dimensional of the kind that you’re suggesting. And that’s all I’m saying, I’m not against interventions. I’m against what Danny called blunt interventions, it needs to be cautious and carefully designed, and at the right moment, depending on the specific issue you’re trying to address.
Dr Jan Lemnitzer 35:45
It just very quickly, directly on that. I think I’m trying to do that. And I think in some ways I achieve that. The ransomware finds the ransomware payment thing is one example; I never call for them to be banned. There are cases where, for example, a hospital is ransomed. There are good reasons to pay the ransom, to make sure you save patient lives. What I’m calling for is an end to the ability to get insurance cover for a ransom payment. Because I think this is setting some very wrong incentives.
Dr Asaf Lubin 36:20
Why shouldn’t the hospital in that context be compensated?
Dr Jan Lemnitzer 36:25
Because the hospital there has to make a decision. Am I in such an extraordinary case that I’m actually sending some Bitcoin to well organized criminals here? What is happening, especially in the US, is that there is a market developing, where as a nation, we’re collecting premiums and sending quite a substantial amount of that back to organize cyber criminals to develop that and fine tune that product. And that, I think, is bad.
Dr Asaf Lubin 36:52
I just don’t think that the hospital in the extreme scenarios should not be compensated, when he’s making when it’s making the right decision to pay in that very extreme scenario it’s finding itself in.
Dr Danny Steed 37:04
Okay gents, I’m going to do, like a good referee in boxing, break up for a minute, get back to the corners. Take a breath because we’ve got a good range of questions. And I want to let there be a bit of a free for all. Go into this now that you’re all warmed up. If we could go to Jason Cooke followed by Mark Partington. Just to say if you could pick us, I know you’ve got several could you pick your favorite two, because we’ve got few waiting? And if we have time, I’ll circle back to you for more. Jason, please go ahead. You may need to unmute yourself, Jason. I’ll read this out for Jason. He really directed it to Jan about the comments on compulsory insurance, presumably because it raises the high watermark and incentivizes it. Isn’t it like asking parents for households to do, like others doing protect their children against hostile threats? In an efficient market, isn’t that a truism? A large cost organization will try their best to defend businesses against attack. Why does it have to be compulsory to inject the incentive, when the incentive should be obvious?
Dr Jan Lemnitzer 38:31
Because we know full well that companies aren’t doing it. The risk of a cyber-attack to a small company is still abstract. It’s still not the lived experience of generations of business owners who know this is something that can happen to them. And if it happens to you, it is very, very bad. It’s still something you read about in the news until it hits you. And so we know that a lot of companies still don’t practice sort of basic standards of IT security. And that’s another thing that as I’ve referred to, well, if we get them to improve their standards, it’s still not going to help against the Solar Winds-WannaCry type of attack and that is perfectly true. That is true. But we are at the point where we have to persuade the people up and down the land that locking their front door is a good idea. Some people are early adopters and have and have their front doors locked. Others think it’s unnecessary expense and makes going back in and out of a house full of unnecessary hassle. We’re at that stage of the debate. And that is why I think compulsory standards to get the front doors locked are a good thing overall on balance.
Dr Danny Steed 39:42
Just adding my two cents worth on this from my time in industry. There is always an awkward issue where companies very consciously choose to do the baseline minimum as required by law because that’s usually the water marker on this can breed bad behavior as Jan points out, and it’s it can be equally just a challenge and maturity for the company of they’ll take as faith, this is the only line we need to hit and in many cases, just be unaware of the risk. Okay. Mark, if you’re there at all.
Mark Partington 40:33
Okay. I just want to ask about maybe parametric cover being the solution for SMEs because it’s easy to understand. You get around the problem of you know, thinking and organic get paid. And it’s simple and, you know, cheap to settle claims after say deductible. And I have a friend running a company called CyberTexas that’s offering parametric cover to SMEs after an eight-hour deductible if they have you know, denial of service or their website goes down. And my other question was going to be about utilizing something like PoolRe we have in UK for terrorism and expanding their remit to include the aggregate risk, obviously, for cyber insurance, thank you.
Dr Jan Lemnitzer 41:22
Pool Re is something just to explain, it’s something that was introduced after particularly extensive as well as horrible IRA bomb attack in in, in London in 1992, I think. And it is a scheme where sort of victims can get compensation out of the joint fund. It’s seen by in the in the sort of small academic circle we’re in, there’s a bit of a scepticism, whether this is enough, whether the sums we’re talking about with like systemic cyber risk, whether they aren’t on a completely different scale in terms of the damages caused. So the model I’ve recommended in my paper is the US response to sort of not the 911 terror attacks, which is sort of a state run scheme, that coordinate that basically gives state coverage to insurance to pay out a lot of claimants if they come in all at once, after a catastrophic incident like that, and then sort of organizes the process by which insurers can recoup the money through sort of extra premiums over time. So it’s, the state sort of supplies some money upfront and the industry then recoups it slowly over time and absorbs the shock. That is, that is what’s being suggested.
Dr Asaf Lubin 42:47
I’ll just note that the current situation in the US on Tria, which is the model that Jan is referring to, has been expanded by the Department of the Treasury to uncover certain forms of cyber terrorism of though, it was very poorly defined in the statement that was made. And then when we move beyond just cyber terrorism, whatever the term is, current plan does not cover other forms of state sponsored attacks. And so in that sense, there is still a massive gap in our federal reinsurance against certain types of cyber, mega attacks.
Dr Danny Steed 43:30
We could go to Laurence and Francis next, Laurence please.
Laurence Timmons 43:49
Great. Thanks. So, I just wanted to check whether if you’re talking about imposing restrictions or certain regulations, could a cyber insurance company have a list of best practices, new technologies that they would present to their customers and say, if you have X, Y and Z of these technologies, these security layers enforced and their checks, then your premiums will go down by X percent? Is there a way that that could encourage a certain level of best practice by using security new technologies?
Dr Jan Lemnitzer 44:39
That that is already happening. But I’m a bit sceptical about encouraging that that further because it assumes that there is someone at the insurer making decisions, which product is better than another product. That then also influences the cyber security technology market in ways that maybe great or maybe not so great. I think it gives them a little too much power. And the other concern would be that company IT security is a complex beast. And it’s partly about technology. But it’s also about processes. And it’s about human beings. And it’s about organization. And if you only catch one of those elements, then you still are not doing what needs to be done right now. There’s a lot of things that don’t involve buying and installing a specific technology solution but are just about things that companies should do.
Dr Danny Steed 45:39
Okay, Francis, if you are still there?
Francis Wan 45:49
Thank you. So given that more and more business, such as SME are relying on key and free services such as Gmail, AWS, customer relations manager system provided by some global IP giants like Google, Microsoft, Amazon, Salesforce Oracle, we ask those IT giants to pay a heavier part in laying the groundwork and vetting this RTS, the business’s level of IP security? And, can the skills certifications, such as the Amazon Web Service certification, be linked to those cyber insurance so that only employees or contractors that are set up or working on those IP business systems with these certifications can get, let’s say, a lower or reduce, or cyber insurance. And, one willing question is should companies that use free and open-source software, you know, pay a lower premium in these kinds of situations than those who use a proprietary and closed source such as those by Microsoft and airports of demand? Thank you.
Dr Jan Lemnitzer 46:55
Okay, that’s a lot at once. Maybe, maybe on the last point. I know that reinsurers are starting to model things like, shouldn’t we build our portfolio in a way that we don’t fill it up with, with companies that use the same proprietary IT security product, so if that product, or solar winds is hit, we have some balance in our portfolio, and companies think about building up this supply chain in this way? I mean, it’s stuff that you wouldn’t really have thought about five years ago. But that is happening. I can totally see a place for a mix of say open source and proprietary solutions in your insurance portfolio as a way of risk management. Whether open source as itself is better than proprietary, in terms of the risk of damage, I’m not entirely sure. It’s I think it’s partly cyber criminals attack what is most used. So the moment that Linux would get wildly popular, then people will write code for that.
Dr Asaf Lubin 48:02
To your first question about the Amazon Web Services and Googles of the world. Interestingly, many of them in terms of services will have specific exclusions of liability and waivers of liability to them, in the case of business interruption caused by failures on their side. And they can do that because of their market economy. And at the same time, the cyber insurers most of them, that I’ve witnessed, have exclusions directly addressing our core internet services, so they will not cover you in the case of a massive satellite crash, or the massive Amazon crash. And it is in that exactly in that context that policyholders find themselves between a rock and a hard place, because the insurance won’t cover them in the case of a business interruption resulting from this. Nor would Amazon and so one proposal and this is to show you that I’m not against interventions, I just think that need to be carefully designed. One thing that I do think is necessary is to really relocate liabilities along the supply chain, predominantly by courts, striking as against public policy clauses in terms of service with the Amazons and Googles, that have barred them of any liability in these contexts. They are the least cost reducer but because they have the position to secure their own networks for the benefit of the rest of us and in that sense should hold the liability in the case of a man a massive fault on their on their hand.
Dr Danny Steed 49:43
Yeah, it does really strike me. I know I go on about liability in this but especially in a post not Pecha world, but now we’re talking post solar winds and Microsoft Exchange of where migration Potential litigation liability be pointed the finger at for businesses that are suffering under a policy, but it’s whose which company’s fault, is it if it’s coming through the supply chain, I wonder where this is going to go? I won’t press for an answer now because we’ve got others waiting. But just to float that grenade in front of everybody. If we could go to JP Macintosh next.
JP MacIntosh 50:28
Hi. I basically been asked to two questions. Firstly, Jan mentioned that he would be it sorry, Asaf I’ve mentioned, that the insurance industry would be able to sort of step up to the plate and address some of the more basic science questions or research questions that are central to this conundrum. Where has he seen any evidence that any private sector firm let alone the insurance industry has stepped up to such a major basic science question?
Dr Asaf Lubin 51:09
The question I would pose back to you is, where have you seen the government necessarily stepping in with the regulation that solves these problems either. I acknowledge I’m not in any way trying to defend the fact that we have a real intractable problem at the moment with the way cyber security is being handled across both the private sector and the public sector. And in the way it’s being addressed by both private companies and the public. My only point in this and I’ll try to maybe present it a different way to make sure it comes across most effectively. If Jan concerned with the fact that small to medium businesses don’t know to lock their door right now, it’s not obvious that the way to make them close their door or lock their door, is through an insurance industry, which itself doesn’t know that locking doors is important, or doesn’t know how to compel their clients to lock doors most effectively. And so the issue becomes that we shouldn’t take for granted the fact that the insurance industry would do what insurance industries usually do best in the nation’s insurance context, or in the home insurance context, to develop to identify and develop a set of best practices, and then impose two economic incentive structures on the market, the compliance will set best practices. And until we’re ready to adopt that mentality, we should not for example, make it compulsory by no stretch. And we should be careful in in our government regulation that compels insurance companies to do X or Y, because we don’t know what X or Y should look like. And so, the problem is a problem across industry and across government. And I just don’t think regulation is necessarily the bullet solution that would solve all our problems at this time across the board.
Dr Danny Steed 53:05
Jan, anything to add on that?
Dr Jan Lemnitzer 53:07
This is the permanent battle between the perfect and the good enough solution. And is the good enough solution, that actually a bad thing, if it’s poorly thought out, that is basically the debate we’re having here. And my extra argument is, we’re in a crisis moment, we don’t have time. And at the same time, we’re starting to have some understanding of what works. So there, it’s incredibly difficult to establish by research, which particular IT security control reduces your chance of breach by which percentage. There are people who give you those numbers, but they’re not serious. It’s incredibly different difficult to do this in a practical and ethical way. You can’t have like, trials with various groups of companies over time and then sort of measure the breaches. And, but we can look at this through the eyes of cyber-criminal and say, what is the control that they are most annoyed by that we know redirects their attention? And one thing here would be, for example, multi factor authorization. We know that it really makes their life easier, much harder if just working with one crack password, and then waiting, working their way through the system isn’t possible, because the passport doesn’t give you access. And they will usually go away and go somewhere and steal money from people where the password gives you access. If you’re a state hacker, that doesn’t stop you. There are ways around that and you will know them. But for the sort of run of the mill cyber-criminal that is attacking Western companies and non-Western companies at scale. That is we know an incredibly effective thing. So, if we can talk about how can we get lots of companies who haven’t really thought about that in that depth to adopt multi-factor authorization quickly, even though the employees are initially going to hate it. That’d be my guess.
Dr Asaf Lubin 55:06
Yeah. So know one thing. I think I completely agree with you. A small to medium business, a mom-and-pop shop has a choice to make whether or not they buy multi factor authentication solutions, that is direct cyber security solutions, or whether they buy a cyber insurance product, that it down the line might offer them certain services as a reverse of fact. I’m not sure yet the cyber insurance market is necessarily the solution that should go by. And so if they have a choice between the two, we might want to just have them buy better cyber security products, without the involvement of the cyber insurance market, especially when we talk about the small to medium businesses.
Dr Danny Steed 55:49
Gentlemen, thank you. I’m going to answer Peter Balfour’s last question asking about insurers insist on their own security software being used as a condition being insured against them. The easy answer for this one, Peter is the same reason why National Cybersecurity Center here in the UK won’t endorse products or services they’re scared to because when Microsoft Exchange is going down or solar winds is being hit, they don’t want to be seen giving endorsements and potentially, you know, vicarious liability, going back to that phrase. I’m going to wrap up here, I’m conscious, we’re on the hour and most people are going to be wall to wall zoom calls. And that’s just life these days. So, thank you. I think we’ve achieved that that spirited, not quite debate, not quite caricature, European blunt regulation, American free market anarchy and let it evolve naturally. But I think we we’ve really highlighted the many, many, many different areas of contention and genuine challenges that keep popping up. And as Jan, you rightly identify, in a threat landscape that is only accelerating and growing in terms of the losses that we’re seeing, we know we have to find solutions pretty quick. So, my thanks to you both for today. My thanks to all of you as my guest for such spirited line of questioning as well. I’ll be back in touch with what the next event is going to be for the Center on Cybersecurity and Online Threats. We’re not yet booked just yet on the next events, but I will let you know and wishing you all a very pleasant rest of your days. Take care.