The Cyber Arms Race

‍

Introduction

The last 24 months in the wider cybersecurity ecosystem has been a whirlwind. The appearance of ever more insidious ransomware variants, a generational shift in working patterns, and unprecedented investment into technology and digitisation among large firms has shifted the balance of power between attacker and attacked.

In many cases, organisations have struggled to keep up with this new reality. Gallagher has worked with some of the largest organisations in the world to help them align their controls with their risk exposure. This report is the synthesis of that process and the lessons that we’ve learnt.

As with any major adversarial competition in human history, cybersecurity has become an ever-accelerating arms race to protect critical data, processes, intellectual property and reputation, and as a result the learning curves are relentless. The focus of conversations with Information Security and Risk Transfer teams have moved from deploying cloud security controls, to supply chain, to ‘beyond the network edge’, to ‘zero trust architectures’, and inevitably will move into even more novel areas over the next 24 months. In many cases, new initiatives are scoped and resourced before previous ones have come even remotely close to completion. This is the nature of an area of risk with malicious intent, where an adversary has as much choice about how the game plays out as you do. Chief Information Security Officers (CISOs) have been at the front line throughout.

It is this acceleration in the arms race which initially took the insurance markets by surprise. The explosion in ransomware losses just before and at the beginning of the pandemic revealed that many insurers had not been adequately assessing the exposure of their clients to cyber-related losses. We now use the term ‘silent cyber’ to describe how elements of insurance coverage for this esoteric risk were included in everything from property insurance policies, to kidnap and ransom response wordings. The industry had been talking about the perils of cyber for many years, with its aggregation and complex losses and impossible nature of attribution. Clearly, we learnt quickly that describing risks in the future was easier than proactively mitigating them.

Many of our clients now spend much of their time dealing with the fallout of the collision between these two worlds. The rapidly changing cyber threat landscape has precipitated massive losses and extensive changes in how organisations protect themselves. These same losses have led to a doubling, tripling, or more of insurance premiums to allow insurers to build up reserves against potentially systemic exposures. This same cycle had occurred recently in the Directors’ & Officers’ insurance market, a cycle which took six years to come to fruition. In cyber, the cycle took six months. The role of cyber insurance also changed as a result. It went from being the type of attritional insurance policy that picks up small, regular losses to something resembling a ‘catastrophe class’. In layman’s terms, organisations went from buying the digital equivalent of home and contents insurance, to trying to get hold of indemnification to protect them from hurricanes. As any Caribbean insurance broker will tell you, the information requirements for the latter are very, very different from the former.

This painful process does, however, create significant opportunity for Information Security teams and for Risk Managers. The insurance market plays a very important, and usually unrecognised, role in holding risk management accountable and also has the ability to measure the return on investment of risk mitigation measures. If risk management is not working in a particular area, insurance losses explode. The subsequent increase in premiums increases the return on investment of mitigation and resilience projects as they become cheaper than buying insurance, subsequently decreasing losses and eventually premiums.

This tide ebbs and flows over time, becoming less pronounced as the data gets better and better. Tsunamis of change like the one we’ve experienced over the last two years in cyber become more like gentle waves as the insurance industry reacts to more pedestrian changes in the threat environment. A clear example of this process playing out elsewhere is Somali piracy which became a huge problem for shipping in the early 2010s. The advent of pirate groups targeting international shipping in the waters of the Red Sea and Gulf of Aden led to significant losses for insurers and increased premiums. These losses then precipitated requirements from said insurers to deploy armed teams on vessels, which brought attacks by pirates back down to a level close to zero: eventually this led to a decrease in premiums. The process led to a collapse in the cottage industry associated with piracy in Somalia, permanently affecting the threat environment.

At least, that’s how it should work. Broadly it functions well for natural catastrophes, political violence, and a range of other classes where data has been built up over decades and nasty surprises become less and less common (and, therefore, easier to cover by insurers). The trillion-dollar question is whether cyber is the outlier - does continuous technological change at exponential rates mean that data on attack vectors and losses becomes obsolete as soon as it’s modelled? If that is true, it means the cyber market will be in continuous flux regardless of how well insurers try to manage it through premiums, exclusions, and other tools. How will the market respond to quantum computing threatening the cryptographic protocols which underpin most methods of data encryption? What happens when a cloud infrastructure-as-a-service provider experiences a significant outage across availability zones? Only time will tell, but what is for sure, is that heightened information requirements and expectations for risk management will remain long after the threat of current ransomware variants has passed.

This brings us back to the opportunity for Information Security teams. For many years, information security conference slots have been taken up by talks with titles like “Demonstrating the value of Security”, “Measuring the return on investment of Business Continuity”, or “Writing the Security business case”. A difficult cyber insurance market allows organisations an opportunity to try to measure the effect that their investments in security and resilience have, and it’s our job to try to help them do that. In this report we’ve outlined the type of measures best-in-class organisations are taking and how this aligns with the expectations of insurers, to help better align risk management and risk transfer for everyone. We hope you find it informative.