The Covid-19 global lockdown has set conditions for a desolate economic near-future. As the UK begins to ease confinement measures and adjusts to what is commonly being referred to as the ‘new normal’, it is worth considering how to mitigate further disruption. With cyber security incidents increasing five-fold since the onset of the pandemic, it is difficult to see the threat diminishing any time soon. What security should you consider to ensure that you stay ahead of the curve and do not fall victim to cyber attack? asks Andrew Clarke, Chief Strategist at the cyber company Assured Cyber Protection.
To Bruce Carnegie-Brown, Chairman of Lloyd’s of London, the threat is clear and present. He expressed concern in a recent warning that cyber attack could cause economic devastation on the same scale as the current pandemic. Insurance providers should be concerned that a state-sponsored cyber attack could overwhelm the industry. The recent state-sponsored attack aimed at organisations in Australia’s public and private sectors is a stark example that cyber is being weaponised to destabilise, disrupt and undermine nation states as part of a ‘silent war’.
An attack on a large installation or sector could be catastrophic – and not necessarily just for those targeted. With collateral damage almost impossible to model, the fallout resulting from a cyber attack is nearly undefinable. An example of this is the 2017 WannaCry ransomware attack, which cost the NHS a total of £92m through services lost during the attack and IT costs in the aftermath, but also impacted over 19,000 patients, whose appointments were cancelled during the one-week period of the attack. When not used as an instrument of war, cyber attacks are often indiscriminate in application.
Research conducted by the UK Government this year showed that only 30pc were insured against cyber risk and over 50pc were victims of an attack. Whether the lack of uptake is a conscious choice or down to ambivalence is irrelevant. It demonstrates a lack of understanding or, possibly worse, ignorance of how to identify and deal with risk. Cyber security is not a technology issue; it is a board issue.
Fit for purpose?
Currently, most insurance policies pay out or replace like-for-like in the event of loss. However, this method does not adequately address actual losses when it comes to business – often losses are woefully underestimated and may not account for the projected losses, or worse, the total loss of the business. An example of this is Norsk Hydro, which lost $71m as a result of the LockerGoga attack in March 2019 – and only received $3.6m from its insurance. When examined against the backdrop of the current state of the nation’s cyber health, this paints a worrying picture. Last year, 99pc of the cyber claims in the UK received a payout, but it is not clear how many of those businesses received full compensation for their loss or how many ceased to trade following the incident.
Rather than concentrating on the concern for insurance companies, perhaps we need to look to how to better prepare our businesses. We should focus on inoculating them against cyber attacks. Legislation, like Cyber Essentials, that mandates a certain level of cyber hygiene to be achieved and constantly maintained, could help, but it is not enough. It does not ensure a continual and monitored level of security.
Additionally, regular external audits and inspections could create better resilience against attack and could prevent an insurance situation from occurring. Protecting against loss should be first and foremost when considering the types of protection. Insurance does not protect; it only compensates. Set the conditions to reduce risk through better security controls and ensure policies and processes are in place so that businesses are better prepared for cyber events. This will reduce the burden on insurance companies and present a more cyber resilient nation – it is a win-win situation.