Cyber attack attribution key to insurability

Calls have been made for the creation of a new system which can attribute the cause of cyber risk, in an effort to enhance the industry’s ability to insure the threat.

In a new research report, Mapping a Path to Cyber Attribution Consensus, the Geneva Association and The International Forum of Terrorism Risk (Re)Insurance Pools (IFTRIP), propose a common approach to cyber attribution, both in terms of the actor and the behaviour, as the pandemic increase the threat level.

In the forward to the report Jad Ariss Managing Director, at the Geneva Association warned: “Cybercriminals are known to exploit society’s vulnerabilities during times of crisis. That is why authorities were quick to sound the alarm on cyber threats in early 2020, when the pandemic emerged.

“The warning was justified. In mid-2020, the United States Federal Bureau of Investigation (FBI) reported a 400% increase in the number of cybercrime incidents. In a July 2020 survey of 1,000 global IT leaders, 90% of them indicated an increase in cyberattacks due to the pandemic.”

He added: “We are seeing one invisible virus compound another. In this context, businesses need to be proactive on two fronts: 1) safeguard themselves against the spectrum of cyber risks by exercising rigorous ‘cyber hygiene’, and 2) plan their event response.

“There is a role for insurance in both respects.”

The report said the rapid pace of digital transformation, accelerated by COVID-19, is driving increased demand for cyber risk protection.”

It added even though insuring cyber risk is challenging, not least due to the potential for large accumulations of loss, insurance as part of a broader security strategy can reduce overall losses.

However, the report added that to enable the insurance cover to be enacted the cause of the attack had to be accurately assessed and attributed.

“Attribution is a key factor,” it said. “It is an essential component in discerning the type of attack, whether cyber terrorism, hostile cyber activity (HCA) or cyber war. Consequently, the outcome of the attribution process is an important factor to determine whether insurance will ultimately cover a loss or who should ultimately pay. This also relates to issues associated with how to hold malicious actors accountable.

“Responsibility and accountability are critical in safeguarding society from malicious cyber acts. Specifically, for cyber insurers and insureds, attribution and accountability can be critical, given the widespread use of war exclusion clauses within policies and the values at stake.”

The report added insurance policies covering cyberattacks – both dedicated cyber policies and more traditional policies that extend to cyber events – typically exclude war risk.

War is not an insurable risk under traditional insurance policies, but the scope of ‘war exclusions’ has been subject to debate and differences in application and language used by insurers.

“At present, it is debatable whether it is sufficient to establish if the hostile actor is a state, rather than having to also establish which particular state or state actor is responsible,” said the report. “In traditional military conflict it is often (but not always) obvious to discern from where a hostile act emanated. However, with a cyberattack it can be more difficult to determine whether the accountable party is a nation-state and, therefore, whether a war exclusion might apply to an insurance policy.”

Last year the Geneva Association and IFTRIP introduced the term hostile cyber activity (HCA) to help clarify behaviour where there was previously a degree of ambiguity. In terms of responsibility, HCA seeks to distinguish between what is potentially insurable and what is not (war).

“Since the introduction of the term, divergent opinions regarding its insurability have emerged,” stated the report. “It is likely that any products available to cover hostile cyber activity will be determined by individual carriers and specific markets based upon commercial considerations.”

In an effort to solve the issues around attribution efforts are being made to develop a widely-accepted framework for cyber attribution, focusing on a common approach, both in terms of the actor and the behaviour.

“Although there would be advantages to such a framework that extends beyond cataloguing technical factors, it is unlikely to get the required support in the foreseeable future due to differences in commercial priorities, legal systems, and other factors,” explained the report. “These barriers notwithstanding, this report seeks to promote international collaboration, validating international norms or conventions that could help streamline the attribution process.

“Comparability of attribution and characterisation approaches across jurisdictions will be critical for industry-wide assessment of accumulation risk and, ultimately, for the insurability of cyber risk. This is all the more important as the dependence of businesses, governments and societies on interconnected online systems has the potential to facilitate large-scale disruption and destruction upon the occurrence of a viral cyber event.”

In mid-2020, the United States Federal Bureau of Investigation (FBI) reported a 400% increase in the number of cybercrime incidents. In a July 2020 survey of 1,000 global IT leaders, 90% of them indicated an increase in cyberattacks due to the pandemic.