AI may help insurers win the cyber-crime war

On the back of the most recent global cyber-attack, which took the form of the so-called ‘Petyrwrap’ ransomware attack, insurers and advisers have stressed that this represents something of an opportunity for insurers and technology companies to provide solutions to their apparently increasingly vulnerable clients.

This latest cyber ransomware attack created havoc around the world as it crippled shipping giant Maersk, advertising giant WPP, Russia's biggest oil company, Ukrainian banks, a Cadbury chocolate plant in Australia and the property arm of French bank BNP Paribas.

The virus, which froze computers and demanded a ransom for their release, had a huge economic impact as it spread from Europe to the US and South America.  Losses from this week's attack and last month's WannaCry attack are estimated at $8 billion.

While many have stressed that the key to mitigating such threats lies with tackling it from the top down and establishing an awareness of the threat in all levels of an organization, others have pointed to the opportunity this provides to better insure the risk and even how artificial intelligence (AI) can be used to manage this threat.

The threat is changing

“This second major international ransomware attack in as many months highlights two things clearly: large-scale attacks of this nature are something that everyone can be affected by, but many businesses remain unprepared and under-protected against them,” says Paul Gooch, a cyber underwriter in the Enterprise Risk division of Tokio Marine Kiln (TMK).

He notes that up until now cyber insurance has typically focused on breach response, notification and liability costs incurred by companies holding high volumes of sensitive data, such as healthcare providers, financial institutions and retailers. But the threat has changed.

“What we have seen in the recent WannaCry and Petrwrap outbreaks, however, is the crippling disruption that can be inflicted by ransomware across all industry sectors. Even large-scale, blue chip, globally recognised brands are not immune. The costs of such incidents are not limited to the paying of ransom; decrypting files or restoring from back-ups takes time, consumes valuable resources and can destroy hard-won reputations,” he says.

“No business can ever be impenetrable from a breach or determined hackers, but defences against this sort of indiscriminate, self-replicating ransomware attack can be vastly improved through relatively straightforward procedures.

“Businesses need to engage with their insurers, brokers, and other risk management specialists to ensure that their risk management procedures and cyber security protocols are kept up-to-date in the face of this developing threat, with a particular focus on patching, back-up and business continuity planning which helps reduce the impact of such events and prevent subsequent reputational damage.”

Mike Gillespie, a senior information security expert who is the co-founder and managing director of Advent IM and also a special adviser to the International Institute of Risk & Safety Management (IIRSM), also stresses that the vast majority of these successful ransomware attacks are only made possible as a result of human activity.

“Ransomware is not a cyber ‘attack’, it is an active and offensive head on assault on our defences. It is the dangling of a poisonous and indiscriminate bait that staff then take and bring into our organisations thus facilitating this destruction,” he says.

“Almost all of the organisations affected will find, when they do their incident investigation thoroughly, that one of their staff has downloaded unauthorised software, or clicked on a phishing email or attached an infected USB device to their network. Without this human intervention, very little malware has any potency.”

He continues: “Often businesses that have received a Ransomware attack like Petya concede to the attackers demands because they don’t have good security, good education and good crisis management strategies in place. Often they feel paying up is their only option.

Ransom should not be paid

Some insurers have been paying ransom when their clients have been hit by ransomware. This is, however, a controversial issue from a legal and ethical perspective. It could, for example, motivate perpetrators to launch more such attacks.

“If businesses pay ransom to get files back, they’re essentially asking the attackers how much money they want and they’re telling them they’re prepared to pay so they will likely be targeted again.

“If businesses were in a better place to begin with, they wouldn’t be held to ransom in the first place.”

Michelle Crorie, partner at Clyde & Co, adds that companies should also be aware that in addition to the damage that a cyber-attack can cause, new regulations could also see companies hit fined by the EU. He stresses that this is now a board room issue for all companies.

"There are two main ways in which hackers can hold a business to ransom. The first is by extracting data and threatening to release it unless a ransom is paid. This leaves businesses in a very tough situation as there are data protection consequences to allowing a release,” he says.

"With GDPR regulation on the horizon this is a very severe threat as businesses collecting data from EU citizens could consequently face fines of €20m or up to 4% of turnover.

"The second technique, which appears to be what Petya is using, is a 'lock-out'. The hacker blocks the company from accessing its own data, which of course ceases nearly all business activity, especially when the business relies heavily on access to digital data.

"Data protection is now a board room issue. Businesses need to take this seriously and ensure they have robust procedures in place if such a situation occurs, as well as an understanding of the legal consequences of the options available."

AI can be part of the solution

But one potential weapon against this crime could be AI, says John Cammarata, insurance expert and vice president of development at PointSource.

“This is where cyber insurance and AI can work together. When AI is added to the mix, it can be used to analyse patterns and predict risk beyond what humans can fathom and strengthen cyber insurance offerings immensely as it helps businesses learn where they are vulnerable,” he says.

“Companies can no longer deny the need for cyber insurance.”

According to a recent PointSource report, 95 percent of insurers say their organization has the expertise and resources to maintain and improve its infrastructure, indicating an opening to advance their cyber offerings.

As insurance companies beef up their digital capabilities and extend their cyber insurance offerings, they should prepare their systems to integrate with AI to fight against the growing threat that is posed by advanced hackers, Cammarata says.

Meanwhile, others have stressed that as cyber risks become more complex, traditional insurance policies held by corporations are not sufficiently comprehensive to cover the cyber threats facing companies.

Dan Cotter, partner at Butler Rubin, says the need for cybersecurity insurance is top-of-mind for clients and some insurers are responding to this need by developing standalone insurance products.

He notes that the continued growth of standalone cyber insurance products offers a number of potential benefits to insurers and insureds alike, including better understood needs for the insurance and better certainty about what is covered.

But he also warns of the risk of cyber covered by traditional policies where insurers may have exposure to “a silent killer” — the potential for insurers to incur liability for cyber losses that have not been explicitly excluded by endorsement and which can create greater exposure and clashing coverages.

“New and untested wording in this area of coverage opens the door to increased litigation by those insured,” he says.

Five tips on avoiding becoming a cyber victim

Mike Gillespie, a senior information security expert who is the co-founder and managing director of Advent IM and also a special adviser to the International Institute of Risk & Safety Management (IIRSM), offers five pieces of advice.

1. There is a saying that goes “A fish rots from the head down” – get your senior board members up to speed on the threat landscape including cyber. They have invaluable strategic skills, which combined with the next steps will place an organisation on the front foot instead of the back one.
2. Ensure training is relevant and regular. The threat landscape changes fast, as the last few days have demonstrated. Make sure all staff, including senior management are thoroughly trained and enabled to question emails, files or activities they feel are counter to organisational security.
3. Make sure there is a policy in place that covers behaviours such as surfing inappropriate websites (where malware is often deposited for drive-by infection) and for ransomware, so staff know exactly what is expected of them.
4. Technology is a great supplemental support to human interaction when it comes to virus scanning and network monitoring, but don’t rely on it 100 per cent. There is no magic button and security is achieved by cultural establishment.
5. If you have any device, component or system that is web enabled or networked, make sure it is part of IT Change management; getting patches and updates on relevant systems and equipment and making risk-based decisions about keeping any systems with outdated operating systems.

Learn more about cyber security at our event Intelligent InsurTECH Europe 2017