SECTOR INSIGHTS: CYBER SECURITY AND CYBER INSURANCE
A brief introduction: From time to time, Dymon Asia Ventures creates detailed primers summarizing our research into sectors of interest that we share with our portfolio companies and Limited Partners. These Sector Insights posts are a summary (or a periodic update) of our findings.
- Cyber threats are evolving rapidly, and cyber security solutions must as well
- Cyber security solutions that can recognize and defend against zero-day threats are the best lines of defence
- Most companies today do not have adequate cyber insurance coverage, but new policies are emerging to give stakeholders true protection against cyber threats
The Cost of Cyber Crime
In 2017 alone, cyber crime cost the global economy $600 billion – more than the entire economic output of Sweden for an entire year. The problem continues to escalate, and the spillover effects can be substantial. Take NotPetya, which infected hospitals, power companies, and banks around the world in 2017. One of the virus’ victims was Maersk, the world’s largest shipping conglomerate. The virus shut down Maersk’s global network for 10 days, and as Maersk remained in lockdown, the domino effects spiralled outward: Maersk’s shipping capacity froze, leading to days of lost revenue; fresh produce on their way to supermarkets rotted on board Maersk’s ships; cargo remained stuck in port and warehouses overflowed with goods scheduled for shipment; and the production lines of Maersk’s customers stalled because their shipments failed to arrive.
Types of Cyber Threats
NotPetya exploited a vulnerability in older Microsoft Windows operating systems that had been discovered several months before the attack. But the bogeyman of the cybersecurity world is zero-day threats, which exploit vulnerabilities unknown to developers. Traditional antivirus software relies on comparing suspicious code against a black/white list, which works well against known viruses. But it’s hard to blacklist a threat when you don’t know what shape it will take. Zero-day exploits can sometimes go undetected for years.
Cyber threats are also categorized by source: insider vs. external. 58% of cyber incidents in the financial industry in 2016 came from insider triggers. Of those, 93% were unintentional – people falling prey to “phishing” schemes. Like zero-day threats, attacks facilitated by oblivious insiders are difficult to guard against. Humans aren’t programmable by antivirus software, and no line of code can prevent humans from clicking on what looks like a legitimate link or downloading what looks like a legitimate file.
As cyber threats evolve, cyber security solutions have to as well. Solutions that make use of machine learning and virtualization will be our best lines of defence. Zero-day threats may not be on the blacklists of antivirus software, but they all share similar goals – typically the theft of data. As a result, they tend to exhibit a similar set of behaviours that suggest malicious intent. Instead of relying on a list of known threats, next-gen cybersecurity solutions learn what normal behaviour on a computer network should look like, and flag behaviours that are indicative of a cyber attack. Cyber security solutions that use machine learning behavioural analytics include Deep Instinct, Crowdstrike, and ReaQta (DAV invested in ReaQta in 2017).
The other great weakness of traditional antivirus solutions is that they live in the application layer of a system. Once a virus reaches the operating system, it can shut down any and all applications, including the antivirus software. If the infected computer is connected to a larger network, the virus now has free reign to spread. However, virtualized cyber security solutions sit in the operating system layer rather than in the application layer. Even if the operating system is infected, the virtualized solution can detect and contain the infection, saving the rest of the network.
Which brings us back to the story of Maersk and NotPetya. As the virus jumped from machine to machine throughout Maersk’s network, employees raced through Maersk’s offices, physically yanking cords out of computers. Later, the virus’s entry point was traced back to a single computer in Maersk’s Odessa office. If Maersk had been able to quickly identify and isolate that point of vulnerability, it might have avoided a companywide shutdown.
Once a virus reaches the operating system, it can shut down any and all applications, including the antivirus software.
Cyber threats also pose a massive financial risk. Cyber insurance policies are meant to defray that risk, but the blunt truth is that most cyber insurance policies are poorly structured, because most insurance companies don’t know how to price cyber risk. When your actuarial teams are used to rich historical data sets about the frequency and severity of well-defined loss events (e.g. life policies and auto policies), cyber risk is a black-box mystery. Most cyber insurance policies today come with laundry lists of exclusions that render them essentially ineffective. Firms adopt them as a check-the-box exercise to minimize legal liabilities, but payouts tend to be minimal.
Home Depot’s gross expenses from its 2014 data breach hit $298 million and involved settlements with Visa, Mastercard, and class action lawsuits filed by banks and customers. Insurance reimbursements only covered about one third of Home Depot’s losses. Similarly, Target’s 2013 data breach cost the company $292 million. Insurance policies reimbursed $90 million. And those are fairly rosy numbers. Most companies still have grossly inadequate cyber insurance coverage – especially in Europe and Asia, which combined only accounts for 10% of the global cyber insurance market today.
The good news is that insurance companies and governments are waking up to the massive underpenetration of cyber risk insurance. Singapore recently launched a cyber risk pool to provide cyber insurance to Asian corporates. MS Amlin recently announced a partnership with Envelop Risk Analytics, using Envelop’s AI-driven cyber risk modelling capabilities to accurately price cyber reinsurance. (Envelop is a company co-founded by QxBranch, one of DAV’s portfolio companies.) As cyber threats, and the software that counter them, continue to evolve, new opportunities will arise to offer the market true protection: smart security solutions that can isolate and remediate cyber attacks, accurately priced insurance policies that offer real payouts in the event of a breach, or combined solutions that can prevent against attacks, mitigate operational risk and provide financial protection.
*The opinions expressed in this publication belong solely to the author (Jennifer Ho) in her personal capacity, and do not in any way represent those of individuals, institutions or organisations that Dymon Asia may or may not be associated with in a professional or personal capacity