November 26, 2019
Insurers Must Collaborate on Cyber
by Jesse Lyon
Threat actors learn from each other as they create the next unstoppable attack. It is high time for insurers to pool their resources, too.
We are living in the accumulated aftermath of the countless cyber breaches that, since the turn of the century, have cost the global economy over $2 trillion. We are in the untenable situation where insurers find it nearly impossible to provide security for their insureds while safeguarding their own profitability.
However, the destruction and loss of the past need not be the fate of the future. If cyber liability and technology E&O insurers learn from the recent past, then insurers can help give rise to a future cyber realm that is free from the doubt and fear that are prevalent now.
Over the past two decades, insurers have not worked with members across the private spectrum to put into place unified laws governing the cyber realm, so there are now laws across the world that have been enacted or are about to be enacted that are making it more difficult to provide cyber liability insurance. What may be even worse is that, for the past four years or so, different governments have argued against end-to-end encryption (E2EE), and insurers have not responded swiftly to that threat, either. If a country, especially one like the U.S., were to pass a law making E2EE unlawful, then providing cyber liability insurance to anyone would be made more difficult than it already is.
Thus far, insurers rarely speak to each other regarding their most prominent common adversary: hackers. Perhaps the only time that insurers might broach the subject of that adversary is when they are at a NetDiligence or PLUS Cyber Symposium conference, and even then hackers are treated as more of an appetizer than as a main course. If a hacker or hacking group causes five different insurers a combined loss of $50 million, then clearly such attacks represent an inconsequential loss. However, because insurers do not talk to each other, not only do they not know the common methods of attacks on their insureds, along with the collective loss they suffered, but they also have no way to focus efforts on removing that hacking threat. There is also no way to know that a hacker or hacking group is targeting a specific sector of the private sphere, because the only way to know that is through shared intelligence.
Every day, threat actors from nation states or hacking groups or standalone hackers are using the advances in cyber breach techniques learned from each other to create the next unstoppable attack. It is time for insurers to pool their own resources so that they and their insureds can begin to level the playing field with respect to the main adversary so that laws passed are to the benefit of insureds and insurers alike.
Insurers also need to look at the complete picture to be responsible netizens and help craft a safer cyber future. When semiconductor technology in the form of computers began to integrate with the personal and professional realms in the 1980s and into the 1990s, at least in the U.S., it was a very tortured process. Almost as soon as businesses had upgraded to 33MHz processors, 66MHz processors came out. Similarly, the original floppy disk drives quickly gave way to 3.5-inch disks, which gave way to Zip drives, CD-ROMs and so forth. In software, things were no better. After finally using computers and learning DOS, businesses were introduced to Windows 3.1 and thereafter were upgraded to Windows 95, 98, 98SE and beyond. Every part of binary technology over the past 40 years has seen a relentless drive toward cutting-edge technology, and that pursuit thrust upon the people of this world a technological reality that very few understand.
Today, most people are unable to say what SoC (System on Chip) drives their smartphones, what a GPU stands for, what the differences are between 4G and 5G wireless technologies and what many other basic technological concepts are. Even among insurance professionals, there are still many people who hunt and peck and are unable to achieve a typing speed of 45 words per minute.
Worldwide, almost all schools lack a structured curriculum for the K-12 system that not only teaches binary fundamentals to the young but also helps them to understand computing history and the potential future of computing and networking technology. Consequently, despite the significant numbers of people using social media and smartphones, and the rise of IoT, most people do not know the fundamentals of our present binary world.
Perhaps more damaging is what the future holds. If most people barely understand current technology, then quantum computing, carbon nanotubes and neurotropic technology will be ever more unnerving for even more people. This disparity between the few who understand it, and the tremendous numbers who access the binary world without comprehension, creates a dangerous situation in multiple ways. Yet, this is the situation in which cyber liability and technology E&O insurers are trying to insure a binary usage world.
With the whole picture in mind, it is time for insurers to start implementing, soonest, solutions that will prevent the future from being like the past two decades. Insurers and insurance brokers alike need to start to act in accordance with what being part of a community means.
In its most basic form, a community is a group of people or organizations that exist in the same area or share a common purpose, and the most successful communities are the ones that come together and put the good of the community ahead of any individual member. Insurers would do well to start to establish a series of townhalls in physical communities to talk about not only what cyber liability and technology E&O are but also go over every aspect of what cybersecurity is, from anti-virus software to which CPUs and GPUs are the least vulnerable, to cyberattacks.
It would be especially helpful if some of these townhall seminars were dedicated to people 65 and older, because many organizations are wanting to “help” seniors without providing them with reasonably secure cyber products. To date, seniors do not seem to have borne the brunt of cyberattacks. However, it is only a matter of time before cyber criminals begin to realize the monetary value of focusing cyberattacks on seniors.
Many insurance professionals are eager to point out that small and medium-sized businesses are extremely vulnerable to cyberattacks, but warnings from a distance are not an acceptable substitute, on such an urgent issue, for face-to-face human interaction. There is a reason that property and auto insurers in the 20th century used a phrase such as “like a good neighbor, State Farm is there.” A neighbor is a community member who is invested in the success and challenges of others.
With the 2020 U.S. census coming up, there still has not been a unified community outreach effort on the part of insurers to help the census begin and end in a secure form at the community level. The most efficient way insurers can help with the census is to provide public libraries and community centers with new computers and networking equipment and to lend IT staff.
Insurers also need to work with the cybersecurity community and with K-12 schools around the world so that students understand how to be responsible netizens. There needs to be encouragement in education, from letting the young follow what is popular technologically, to what is actually effective and useful. If insurers do not work with the cybersecurity community, then how can educators and parents ever really know what responsible netizen activity looks like? Insurers can either work with others to start reducing that deficit, which will also reduce the frequency of breaches, or insurers can repeat their mistakes and forever put their profitability and the safety of their insureds in doubt.
In terms of effective global communication, we who are living now are standing where once stood those who coped with the changes in communication wrought by the printing press and its transformation of the world. However, modern global correspondence faces challenges that require insurers to start putting solutions into place now that will have benefits that last in terms of decades and centuries. With that in mind, it is time for insurers to bring to life an international competition that will encourage students in the seventh to 12th grades to create educational websites or advanced robots or allow for a structured and interactive way for them to point out zero-day exploits and other vulnerabilities that would have a $500 million or larger impact on the world economy if the exploit were to be used against the netizen community.
Insurers also need to start to rate every piece of technology with an independent testing lab. The lab needs to be built with the authority and autonomy to ensure that its ratings are as impartial and accurate as possible so that insurers can work with information that is as close to factual as possible. Insurers also need to tackle higher education and work with an organization like IEEE to finally bring the training of software developers/engineers into the 21st century. It is time for software engineers to have to meet requirements that are on par with structural engineers and attorneys. Not only will this enable a minimum higher level of coding competency, but it will prevent the non-certified engineers from being allowed to put pieces of inept software code into programs upon which this world depends.
Helping the brilliant young become useful and positive contributors to the cyber community, creating an independent testing lab and working with other members of the netizen community to produce certified software engineers can only enable a netizen community that appropriately values and pursues safety, the common good and the future success of the cyber realm. All of this would be to the great benefit of cyber liability and technology E&O insurers and their insureds.
People often cite the increasingly sophisticated breach techniques of hackers or the hyper-evolving technological innovations of technology companies as reasons why dark knight cybersecurity specialists have managed to become so formidable. However, the real reason for the rise of hackers is the inaction of insurers in implementing long-term solutions.
Cyber liability and technology E&O insurers perhaps have the best vantage point of any part of the private sector, because they get to watch in real time everything that happens before, during and after a breach. It is those insurers, especially cyber liability insurers, who say they can help and protect insureds, and who are actively offering their services on the world’s stage. Unfortunately, insurers have thus far acted as if they need only sprint to the finish line to help their insureds. This is not, though, a sprint. It is in fact a very long journey that insurers must undertake.
However, if insurers pace themselves, unite with each other to overcome shared challenges and reach out to other members of the netizen community, then they will be able to leave the winter of desolation behind and step into a future spring that is lively, safe, profitable and enduring.