CFC’s cyber development leader Lindsey Nelson joined Tom Bennett, team leader for cyber threat analysis, to address several pressing cyber topics, including the role that threat intelligence plays in levelling the cyber playing field. In the context of the current corrective market conditions, she said, the role of proactive solutions in creating a healthy, affordable market has come into its own.
Overall, as an industry, the cyber market has done a good job of maintaining the integrity of the product – particularly at the smaller end – and that is in large part due to the development and uptake of proactive measures instead of a reliance on reactive solutions. Cybercrime isn’t going to go away, Nelson said, and, while CFC has seen the frequency of ransomware decline in the last 12 months, it still accounts for 80% of claims costs by severity.
“As you can imagine, we are particularly invested in the idea of reducing the frequency of cyberattacks for businesses in the UK and around the world,” she said. “And our aim is to shift the question you should ask cyber insurers from ‘how many claims have you handled?’ to ‘how many claims have you prevented?’ I think that’s the key criterion for determining experience.
“I asked Tom how many policyholders our cyber threat analysis team have notified since their inception and he mentioned they potentially prevented over 12,000 attacks through notifying customers. So, benchmark that against the 3,000 claims that were handled reactively in the last 12 months. And I think that’s an incredibly powerful statistic [for brokers] to share to show the true value of cyber insurance today and what the product has evolved to become.”
Nelson noted that the evolution of cyber into a proactive product had been interesting to watch, and one that had its early roots in the development of cyber ratings. And conceptually, she said, cyber ratings had noble goals as historically it was very difficult for organisations to assess their own level of cyber maturity.
The early 2000s saw the emergence of ratings services that could run a scan to provide that assessment, which understandably became very popular as they took a highly technical area and simplified it into a score out of 100, or a rating from ‘A’ to ‘D’. The problem, Nelson said, came when the narrative around cyber ratings shifted from their being a tool to help identify vulnerabilities to their being treated as an authority on how secure an organisation is and how likely it is to have a claim.
“Lots of security professionals really struggle with cyber ratings, because they can be misleading,” she said. “And it’s because the quality of cyber ratings is completely contingent on the data used to produce them, and that data is often limited… So the potential for misleading a business owner into a false sense of security, or the reverse, where reports generate a false positive with an incorrect high score, is a dangerous one for that client.”
At its core, she said, the technology that underpins most risk reports is a form of vulnerability scan, which can be used to help policyholders spot issues; but after 20 years of security report cards, the industry needs to recognise that relying on them can be “dangerous and not particularly useful”. In CFC’s view, there’s a new battleground for cyber which is going to determine who wins and loses in the fight against cybercrime – threat intelligence.
“And in the very simplest of terms, threat intelligence is essentially information companies receive about cyberattacks that are being planned and about companies who are being targeted,” Nelson said. “That information is then used to plan, prepare and prevent cyberattacks from happening to those targeted organisations. I think a lot of people do confuse vulnerability scanning with threat intelligence – they are two totally different things and lead to totally different outcomes for clients.”
CFC’s cyber threat analysis team collect this data on a daily basis, using a combination of government and private sector insight, as well as the firm’s own proprietary threat intelligence sources, to identify policyholders who are on the target lists of hacking groups around the world. The team gets to the client before the threat actors can, she said, stopping those policyholders from becoming the victims of catastrophic ransomware attacks.
“[Threat analysis] allows us to identify who their next victims are going to be and our data sources for threat intelligence are richer, more specific and more predictive than ever before with a lot of collaboration with government agencies,” she said. “Unlike risk scores, which are not very predictive of cyber claims, threat intelligence is incredibly predictive of cyber claims.
“If a client has already been compromised, or they’re on a threat actor’s list, then they’ll almost certainly be attacked and extorted at some stage. Our ability to flag that before it happens is the most powerful tool that has been developed to date in the fight against cybercrime. And it’s also completely dynamic in that we’re hunting for signs of threats to our policyholders 24 hours a day, seven days a week.”
By their nature, cyber threats are truly dynamic, Nelson said, with the solution that protects against one form of attack potentially ineffective against another. The core principle of threat intelligence, however, never changes – there’s always a threat actor and there’s always a victim. A good threat intelligence service should be able to provide immediate security information tailored to the client’s network which prioritises vulnerabilities, predicts threats and enables security teams to take action rapidly.
“And more advanced services like the ones that CFC are using can also integrate vulnerability alerting with real-world threat intelligence covering geopolitical and business intelligence,” she said. “So we can get better at gaining insight into who the victims are going to be and we can prevent attacks irrespective of how it happens. And that’s going to be the most valuable service that any cyber policyholder can ever subscribe to.”