Insurance against cyberattacks is not effective
Insurance is a necessity, and in many cases essential. When a flood makes business premises unusable or a fire renders production facilities inoperable, a good insurance policy can be the factor that ensures a company's survival.
However, nobody would seriously consider abandoning dike construction because flood insurance exists. Nor would a petrol station operator say: "Let's have a barbecue at pump two, we are insured!"
When it comes to insurance against cyber attacks, however, this mentality appears to be quite common. That is surprising, given that the consequences of an attack are difficult to quantify even for the insurance experts themselves. According to a model calculation by the British insurer Lloyd's of London, a large, globally oriented cyber attack could cause damage on an enormous scale, with losses potentially as high as those caused by Hurricane Sandy in the U.S.A. in 2012.
Risk modelling for a hypothetical cloud service provider
In their model calculation, Lloyd's, together with the risk-modelling company Cyence, constructed a hypothetical cyber attack based on a "logic bomb" targeting two companies. In the assumed scenario, one is a globally operating cloud service provider, the other a multinational company running computer systems in several countries. The potential economic losses were then examined. As a basis for the damage calculation, Cyence used the economic costs (business interruption and computer repairs) of the recent ransomware attack WannaCry ($8 billion, with impact in 100 countries) and of the NotPetya attack ($850 million), as estimated at the time.
Realistic damage projections are difficult
But what are the actual economic losses such an attack could cause? In their calculation, Lloyd's projected a range from $4.6 billion to $53 billion, and in an extreme case up to $121 billion in total losses: an enormous range.
How can such a wide range be explained? Insurance providers face an immense problem here. Floods, storms and major fires, and their impact, have been documented for centuries. Organised cyber attacks of this magnitude have existed only for a relatively short time, so there is simply not enough historical data on which to base actuarial models and price policies. Asked by the news agency Reuters about the report, Lloyd's of London Chief Executive Inga Beale explained:
"Because cyber is virtual, it is such a difficult task to understand how it will accumulate in a big event."
Real security might be the better investment
This illustrates a fundamental problem with any cyber insurance: the data the providers have collected so far does not seem sufficient to produce valid figures for the scenario described. The only answer to this problem is that meaningful, appropriate investment in real IT security measures cannot be replaced by an insurance policy. Preventive protection of critically exposed endpoints is urgently required (especially in the industrial environment, we have seen crucial innovations in endpoint defence). Such protection is more sustainable, and possibly even more cost-effective, than insurance. In the event of an attack, insurance may avert the company's bankruptcy. But as massive attacks become more frequent, a justified question remains: how often can it do that? And at what price, given that insurers hedge against possible damages in the billions and pass that risk on to policyholders through their premiums?
And even after a successful attack, direct mitigation action must be taken to restore production as quickly as possible. An insurance policy is of very limited use in this scenario too.