Not surprisingly, the growing number and severity of “cyber attacks” in recent years has been accompanied by an increasing adoption of cyber attack liability insurance–up from 26% in 2016 to 47% in 2020, per the U.S. General Accounting Office. The results include rising premium costs (up by 40% in 2021 alone), and in some cases, more limited coverage.
It has been challenging for insurers to understand and manage risk in the face of nation-state attackers/advanced persistent threats, particularly because of a lack of measurable insight into their clients’ cybersecurity defenses. Nevertheless, the consensus is that such attacks could result in massive claims that potentially bring “unmanageable losses” to the insurance market.
The Attribution Problem
As a case in point, Lloyd’s of London recently required its insurers to stop covering state-backed cyberattacks in their standard cyber insurance policies. This policy has followed in the wake of concern over an increased threat of cyber attacks from Russian threat actors due to the war in Ukraine. Lloyd’s has indicated that standalone cyber-attack policies will require clauses that exclude liability to Lloyds from nation-state attacks, unless explicitly approved by Lloyds.
Attribution of cyber attacks is far from a simple task, however. We have seen that nation states are prepared to expand their use of malicious hacking to reinforce strategic goals, and that this trend is increasing. However, the lines between those actors and stateless cybercrime gangs are increasingly blurry, so many attacks are hard to attribute with any accuracy: Per RAND Corporation research, “The practice of attribution has been diffuse and discordant, with no standard methodology used in the investigations to assess evidence, nor a universal confidence metric for reaching a finding.” For those cases, Lloyd’s wants to take the conservative step of placing the onus of attribution on the policyholder.
The moral of this story is that it’s more than a lack of understanding about cyberattack attribution that is driving how insurance companies calculate risk. It’s also a lack of visibility into the security posture of their policyholders, too few of whom can understand or quantify their own risk by answering questions like: What vulnerabilities do we have, and how can they be exploited? Which and how many vulns have we identified and remediated? How long does it take us to remediate, and how does that compare to industry norms? (And so on). Without that insight, improving security posture in a measurable way is quite difficult for the CISO.
Access to that information requires a cybersecurity platform with rich built-in analytics and access to a historical knowledge about vulnerabilities, asset risk profiles, remediation strategies, and the hidden relationships between them. Those capabilities are key difference-makers in the Bugcrowd Security Knowledge Platform, which makes historical knowledge and modern data infrastructure and key product values–driving analytics, reporting, and even machine learning for important tasks like crowd matching and program discovery.
Learn more about the Bugcrowd Platform here!