Most cyber insurance contracts are innately flawed because they exclude losses arising from state-backed cyber attacks, and this will make proper attribution even more important in the future, says Cisco Talos’ Martin Lee

Insurance exists to cover the unexpected costs of loss, damage or injury. Despite our best efforts to avoid fire, theft or accidents, these things happen and can be expensive. We cannot predict if or when such an event will happen to us. However, we can measure the occurrence of such events and calculate their likelihood and consequences by analysing a large population sample.

The first insurance markets developed from insuring ships and cargos in the 17th century. The sudden loss of a ship could be catastrophic for businesses; however, insurance could mitigate the financial damage. Large losses could be absorbed by insurers who could predict these costs and charge appropriate insurance premiums. As businesses have evolved and digitised, so too have the risks to which they are exposed. Catastrophic losses to businesses have not disappeared, but changed in nature.

Cyber insurance policies have been around since the 1990s, emerging as a mature product over the subsequent decades. As the possibilities provided by technological advances grew, so did business risk exposure. The introduction of data privacy laws, with the obligation to disclose the breach of personal data to those affected, meant that incidents could no longer be kept quiet. A plethora of high-profile breaches in the mid-2010s cemented the need for cyber insurance.

Cyber incidents can be expensive. External incident response consultants, legal experts and communications specialists may need to be brought in to help manage the consequences of the breach and restore normal working order. These costs are in addition to the potential costs of lost days of operations.

Insurance markets have developed cyber insurance products to cover such unexpected losses. It is an adjunct to, not a replacement for, best practices. Neglecting cyber security, in the belief that cyber insurance will cover the losses due to the inevitable breaches, is simply a recipe for disappointment and ever-increasing premiums.

A good cyber security posture requires balancing investments in cyber protection to reduce the likelihood that a breach will occur and minimise the resulting damage, along with recognising that the unexpected can occur and seeking to mitigate those potential losses through insurance.

Knowing your policy, knowing your attacker

Just as cyber security is an ever-evolving field, so is cyber insurance. To remain a viable product, insurers must understand and manage their risk exposure. Understandably, many insurance policies contain exclusions restricting claims due to war (whether declared or not) or armed conflict. No insurer wants to be exposed to the simultaneous number of expensive claims resulting from a significant attack hitting many organisations across the world.

Probably the most destructive cyber attack to date has been the NotPetya worm of 2017. The estimated total damage across the world is around $10bn. Although no one has claimed responsibility, the US Department of Justice indicted Russian military intelligence officers for their alleged role in carrying out the attack.

Cyber attacks conducted with the resources of a nation state, such as an intelligence agency, can be particularly destructive. Nation states have the ability to invest in the long-term development of offensive cyber capability and can pick the most opportune moment to launch an attack. The potential consequences of a state-backed attack are so severe that such actions, which also disrupt a state’s functioning, have recently been excluded from coverage by cyber insurance.

However, this raises the question of exactly what constitutes a state-backed attack. Conflict in other theatres involves uniformed military personnel and national markings to identify armed forces. In the cyber domain, there are no such markings. Aggressors may be military or criminal, amateur or professional, and all shades in between. In the absence of a cyber equivalent of military uniforms, determining the nature and affiliation of an attacker is incredibly hard to achieve.

As with any crime, attackers leave traces behind at the scene of their crimes. But unlike other crimes, these traces do not necessarily uniquely identify the perpetrator. Many different criminals may share the same tooling, leaving similar traces at the scenes of their crimes. The most sophisticated attackers actively try to hide their identities to frustrate and confuse the identification of their attacks.

State-backed attacks may not be conducted by agents of the state. Proxy actors can carry out campaigns on behalf of their paymasters. Criminals can be given tacit approval or state direction in carrying out their attacks.

Determining who is responsible for a cyber attack is incredibly challenging at the best of times. In an increasingly complex threat landscape where the identity, motivations and backing of a threat actor are important, we risk making assertions that cannot be supported by evidence or the science of attack attribution.

The importance of attributing attacks is only likely to increase, but the degree of certainty to which attribution can be made is frequently weak. Where we can make statements of attribution, the assertions are shrouded in words of estimative probability. Attribution is rarely clear-cut and relies on a series of inferences that necessitate an explanation of the analyst’s certainty, which contrasts with the certainties required to satisfy contracts or policies.

Cyber insurance is part of any cyber security strategy. However, organisations need to understand exactly what they are insuring and the limitations that may restrict policy claims.

In the near future, attribution of attack may become a key feature for cyber insurance claims. Security professionals would do well to review the forensic evidence they collect and how this could be used to support or refute assertions of attribution.

One thing is certain – only the threat actor knows who exactly carried out an attack and for what purpose, and they are unlikely to snitch on themselves.