Updated: Jan 31, 2019
The stealing of data, as well as attacks against harbors, power plants, payment systems and healthcare are the main cyber risks that humanity will face in the future. How can companies successfully protect themselves against hacker attacks today? Prof. Dr. Michel Dacorogna, a renowned risk expert, has been researching cyber risks at ESSEC-CREAR in Paris. His findings provide important answers to how insurers can properly cover cyber risks and where the challenges of traditional insurance coverage lie.
Prof. Dr. Michel Dacorogna, what are cyber risks?
For a good definition of cyber risks for insurance, I use the definition in the paper of the CRO Forum that appeared in June 2016 *:
“The definitions of cyber risk covers:
Any risks emanating from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks.
Physical damage that can be caused by cyber-attacks.
Fraud committed by misuse of data.
Any liability arising from data use, storage and transfer, and
The availability, integrity and confidentiality of electronic information – be it related to individuals, companies or governments.”
When did Cyber Risks first appear or become a threat?
There is a misconception about this risk. It is not new at all. It is as old as the use of computers linked with each other. In the early eighties, I was using the ancestor of Internet called Arpanet to access the Cray 2 supercomputer of the Lawrence Livermore Laboratory (the most important research centre of the US army). One day, I had two CIA officers visit my apartment in Geneva because some hackers used my account to try to break into their system. This was in 1985! They turned out to be hackers from Hamburg. You see, as soon as computers are linked, the risk of somebody breaking in, starts. However, with the wide use of Internet and the advent of the Internet of Things (IoT), this risk has become prevalent in the whole society and is not only limited to special centres.
What are the key cyber risks threatening businesses?
Our economy is based more and more on the heavy use of data. The GAFA (Google, Apple, Facebook and Amazon) made it a specialty to analyse their customers’ data to design targeted marketing and advertisement. The transformation of this data, in source of revenues, has made them a very interesting target for hackers. So in my opinion, the main cyber risks for business, is the stealing of their data. It is a strong infringement to a companies’ reputation, as we have seen for Facebook or Equifax, who saw their share price plummet by more than 40% after the announcement of the theft of personal data from more than 143 million Americans.
Another very important risk that has a strong systemic aspect is the attack against vital infrastructures. Like harbours or power plants and systems of payment. Such an event could have far-reaching consequences and bring the whole financial system to a standstill.
How can this be prevented?
As I said before, we will not be able to fully prevent such attacks. What we need to do, is to make them very expensive for the attackers. At the same time, we need to build systems that are more resilient. It is always a matter of costs and the IoT firms want to put them on the markets. This is incompatible with a good cyber protection for them. Here, the role of regulation and insurances will be important for pushing companies to produce more resilient products if they would like to access these markets. We are talking about a significant portion of the price of any product. Think of a sensor that would cost 2 to 5 EUR. I think in the future, half of this cost would be dedicated to make it safe against hackers. If this is not done, we will be facing potentially extremely invasive and disruptive events.
Are cyber risks insurable? If yes, which risks can be insured and which cannot?
In a recent speech, I said that although the first question is legitimate to ask, it is not the right question for insurers. For them, the right question is: how do we make cyber risks insurable? Because society demands protection for it and insurers are here to offer such protection. They can make it insurable in defining precisely what the scope covers, by giving incentives to firms or individuals and applying the necessary safety measures by themselves, by managing their own exposures properly.
We also see here a tendency of insurance proposing themselves to customers to protect their data, by offering disk space to the policyholders. They capitalize on their long tradition of successfully dealing with sensitive customer data. Moreover, they offer forensic services to help customers locate the cause of the attack. This is a general trend of insurances, proposing besides the protection services to customers. It is a way for the industry to get rid of the bad image it has taken on in the public and it is also a new source of income.
To the second part of the question, what risks can be insured, as in any cover, there are limitations. Generally, insurances cover the risks defined at the beginning of this interview by the CRO Forum. What they cannot insure, is the cyber risks originating from acts of war (as it is the case for most insurance policies) and from wrongdoing by the policyholders. There are other potential systemic risks due to obvious weaknesses of the software that will present a big danger for companies. These are potentials for many legal fights to determine responsibilities, but I think those risks are and will be included in insurance covers. Which makes the work of modelling it correctly even more important.
What kind of research are you doing in this field?
Currently, I am doing two kinds of research: some on a theoretical level and trying to define the cyber risks clearly. I am looking for the best strategies to cope with them, as well as doing some empirical work on data on cyber incidents. The second part is quite important and difficult, as we do not have a lot of experience with these risks. Fortunately, I have a colleague at ESSEC-CREAR in Paris. We have been in close contact with researchers from the French Gendarmerie Nationale, who have recorded all the cyber complaints they have received over the last three years. This database contains more than 180’000 incidents from the whole of France. The goal of our study is to first understand the main statistical properties of the data and then detect patterns that could be used to design good insurance covers.
What are your key findings so far?
On the theoretical front, we can see that we need to tackle these problems from many different angles. We simply cannot limit ourselves to the traditional actuarial techniques of modelling the frequency and the severity of incidents. Approaches like game theory, scenario-based evaluation or artificial intelligence, will play an ever-important role in our understanding of the problem. Recently, I was at a conference on this subject in Singapore.
I heard two very interesting discussions related to this subject. One was presenting a study of the motivations of hackers in order to determine where to put the most efforts in protection. The other one was using game theoretic approach to determine the optimal amount, which should be invested in cyber protection.
On the empirical part, it is a bit too early to arrive at a definite conclusion. We already see the potential for systemic risks in the data that present very heavy tailed distributions (the potential of extreme events causing huge damages is much higher than in usual risks, quite similar, in probability, to earthquakes). From the number of complaints in our database, we can estimate that the extent of attacks using a statistical study of what we call the “iceberg effect”. We find a very wide implication of cyber-attacks. We estimate it to be around 12 to 15% of the entire French population that has already been subject to serious incidents. This is a lot.
We are going to edit a special issue of the scientific journal Risks on cyber risk and security with Professor Marie Kratz from ESSEC where we will certainly get interesting contributions of top researchers in this field.
What is the challenge on insuring Cyber Risks compared to other traditional insurance covers such as health, fire and car?
There are at least four key challenges compared to traditional insurances. The first one is that we are facing with a risk that is changing rapidly. Every day, new products are put on the market that have a potential to be hacked. New technologies appear that make society more and more dependent on ICTs. The second challenge is related to the first, and is the lack of data to analyse these risks. We are building those databases, but this takes time and given the fast-changing environment, the data might become obsolete quickly. We need to develop theoretical methods to cope with data coming from a highly dynamic system. Third, we live in a more and more interconnected world, which makes cyber risks particularly susceptible to systemic risk. Fourth and not least, the cyber world is built in a web of dependences between the various exposures. Think of the wide spread of software like Microsoft Windows, the use of clouds to store the data, the IoTs. All of these make the modelling of cyber risks particularly complex.
What is your prediction for the future: What kind of cyber risks will we have to deal with in a couple of years?
As some may say, future predictions are particularly difficult to make (laughs). It is very hard to identify what the weak spots will be in the future, especially in such a rapidly changing environment. However, we can already see some trends. Cyber-attacks against the personality of individuals is on the rise. For firms, the main targets are financial institutions, power plants and the health industry. My particular worry is an attack on the systems of payment at a time of turmoil in the financial markets. This could be the origin of a new financial crisis. It is exceptionally important to do the research on the motivations of hackers, as mentioned above, in order to better identify the places where the attacks could happen.
More on the subject: What are GPS spoofing attacks and how can they be successfully detected in the future?
In cooperation with an international research team, armasuisse's department of Science and Technology S+T developed an innovative system to protect the global airspace against cyber attacks on the GPS satellite navigation system. Watch the video to find out more.
Source: Federal Office for Defence Procurement armasuisse, department of Science and Technology S+T