Why Cyber Insurance May Cease To Exist In Under 4 Years!
I have always been one to be a visionary and follow trends in my various positions in life. This is one I think is of the utmost importance to share, since I believe that most organizations will be unprepared. I predict in less than 4 years (way less but I don’t want to jinx myself and the industry) cyber insurance will cease to exist.
I’ve worked with numerous insurance related engagements in my career and consulting and sadly the basic recipe for insurance is always the same:
· Find a new line of business with few claims
· Sign up a bunch of people
· Make lots of profit
Then the model changes as profit falls to:
· Deny claims whenever possible
· Add in new restrictions to coverage
· Rack up exclusions
· Toughen standards in an industry where underwriters have little knowledge of said standards
· Cancel policies upon a claim being made
Finally, the industry moves to:
· Most carriers get out of the business
· Specialty carriers offer vastly reduced coverage models
· The expense and restrictions make coverage unattractive for most clients
Seems like we are entering phase 2 of my “insurance business” model and I am waiting for phase 3 to hit. Intelligent visionary stakeholders will start to plan for phase 3 but those are usually very rare. Phase 3 for education and state and local government will be quite a shock to most administrators and government officials as they struggle to pivot to a new landscape where their “entity” will now be responsible for the financial burden of a breach should one occur.
“What’s your plan for a breach? I’ll probably put in for retirement!”
The quote of the year from one of our customers! Unfortunately, this is a common situation among many districts and government agencies. Much of the IT staff is aging and vastly overworked to meet the challenges of a modern AI-based threat landscape. I’ve written in the past on Artificial Intelligence based threats and the exponential growth of exploits that AI is driving.
Cyber-crime is often a business and the way the business is conducted is like any “software” based business:
1. Number of target resources (market size)
2. Cost/time to develop an exploit (investment)
3. Ability to collect funds due to the nature of the data and need for availability (market penetration)
4. Payload value (return)
Thus, when looking at endpoints or software targets, entities have been lulled into a false sense of security for both hardware and software due to variables 1 and 2 in our simple business calculator. Sadly, I am seeing increased resources and software targets being identified by AI-based “assistance” on variables 1 and 2.
The change in the security landscape comes from AI’s vast reduction in the time needed to find a valid exploit for a target or, even more dangerous, to develop one. Thus, most administrators have been lulled into the false belief that securing Windows devices will keep 99% of the attackers from a data breach or ransomware attack. People used to buy MacOS devices for that very reason.
Did anyone really buy anti-virus for MacOS 2000-2016? No…BSD Unix (the underlying OS) is exceedingly difficult to use, being case specific on syntax. (I can tell you a story of trying to recover my Mac hard drive in Panama circa 2008 using only a BSD command prompt…the guy at the Mac store looking at me like I was speaking Ugandan when I told him I could get it booted up to a BSD command prompt).
Back to the matter at hand…the reason no one bought AV for MacBooks in 2007 was not because there were not exploits for MacOS (I think it was OSX back then but whatever), but rather that the knowledge and expertise to write such exploits was not common and there were fewer Mac targets on the market.
Thus, the Apple Macintosh was considered “safe” by most standards and AV was considered unnecessary. As MacBooks became more popular, there were exploits written for MacOS and ultimately, the need for anti-virus and modern endpoint protection (EPP).
Making Yourself An Unattractive Target Is Not Really An Option
Another example is my customer who is still using Firefox OS on his phone for “security”. I saw him at a conference in 2022 after 10 years and he pulls out a pink device with a mono screen running Firefox OS. He’s quite a privacy advocate and I suggest he is correct: one of the safest cell phones on the planet would be this device.
Not that Firefox OS is inherently safe (although he researched it) but more that he is the only guy in the world still making calls on an OS that never sold more than 1000 phones in total. He would have to be an unbelievably valuable individual making calls and storing data on his phone of a sensitive nature to make this investment worthwhile.
Not A Good Business to Develop an Exploit for Firefox OS Phones
How does this relate to AI and cyber insurance you ask?
ChatGPT 4 and other AI based tools…vastly cutting down time to develop, find and deliver exploits…
AI, specifically ChatGPT4 and its many open-source clones, is being used to VASTLY cut down on the time to develop and deliver an exploit. Thus, those formerly unattractive targets like that HVAC system which hasn’t had a firmware update in 8 years or those cameras you installed in 2012 to record the Mayan “end of the world” are now rich targets for those who wish to pull down the source code from GitHub and develop an exploit using AI.
A simple scan of a network will yield data to identify targets and open software ports to identify target software. Combine that information with a simple search of said port combinations, feed that result into AI along with the source code and wait for an exploit… Much easier than spending months developing one yourself by “hand” if you are a bad actor.
AI Based Exploits Are Increasing Exponentially
How does this relate to cyber insurance you might ask? Simple business calculation. Organizations are no longer going to easily cover their environment while underwriters don’t have the knowledge to enforce appropriate standards for information security. Thus, insurance carriers will likely just throw in the towel once the payouts get to a breaking point. We are close to that breaking point IMHO. I’ve seen it in other industries, and I suggest it will happen in cyber-insurance soon.
A Simple Audit: A Typical K12 District
The threat of AI is just starting to be understood but here is a list of simple items school districts need to think about securing that perhaps might have been considered “safe” in the past (EPP = modern endpoint protection):
Not to mention the thousands of Chromebooks out in the ecosystem without EPP!
Here is a list of the potential “bad actors” that need to be considered for a K12 district:
· BULLIED STUDENTS
· DISGRUNTLED STAFF
· STRAPPED CONTRACTORS
· GRUDGE HOLDING FORMER STUDENTS
· ANGRY COMMUNITY MEMBERS
· FINANCIAL FRAUD PERPETRATORS
· UNFRIENDLY NATION STATES
· PROFESSIONAL HACKING SYNDICATES
All these potential threats now have access to free, open-source AI tools to create exploits and each of them has a variety of access to the organization both physically and virtually. I simply don’t think most districts, organizations and government entities are prepared to counter the threats and the growing potential bad actors that now have access to open-source research, development, and payload tools.
MDR/XDR Will Have To Be Part of Every Cyber Policy
The biggest challenge to keeping a secure environment in my opinion is staffing. While there are amazing tools and the patches are very quickly distributed, typical staff cannot keep up with the rapidly changing security landscape.
Due to A.I., there are more exploits being created than ever before and this means more insurance claims from compromised organizations. As one security technical writer said:
“Ransomware attacks have never been this popular, a new report from cybersecurity researchers Securin, Ivanti, and Cyware has stated.
New ransomware groups are emerging constantly, and new vulnerabilities being exploited are being discovered almost daily, the alert says, but out of all the different hardware and software, Microsoft’s products are being targeted the most.
In general, attackers are now targeting more than 7,000 products built by 121 vendors, all used by businesses in their day-to-day operations.” (Sead Fadilpašić, TechRadar.com)
According to the World Economic Forum, “95 percent of cybersecurity breaches are caused by human error”. Understaffed organizations represent the biggest risk to cyber-insurance claims and organizational breaches. Whether it’s from a vacationing team member, short-term leave or even losing a team member, it’s just not good security to wait the 4-9 months on average it takes to replace a lost IT security staff member. Managed Detection and Response will most assuredly become a requirement in the near future as 24/7 eyes on glass are necessary to protect critical assets from ransomware or even worse...exfiltration.
Cyber-Insurance Is A Luxury…For Now!
Turning in your poorly defended institution to a cyber-insurance incident response team will likely become a thing of the past.
Insurance companies are surely not in business to lose money on poorly contracted insurance coverage and weak standards for the insured. Thus, I conclude that within 4 years cyber insurance will be outdated, likely replaced by self-insured groups that work together to build a common framework of standards to combat cyber threats, supported by a pool of self-insured entities.
Smart administrators/executives will start to plan and hopefully lead these efforts before they are caught without coverage for the potentially large federal requirements for reporting and remediating a breach. The days of “turning in a cyber-insurance claim” and going about your day will likely end very soon and I hope as cyber-professionals we will be proactive vs. reactive in this modern organizational challenge.
For an industry that is just now requiring MFA for IT resources, it’s unlikely that most insurance carriers will be skilled enough to weather the upcoming cyber storm of new payouts and claims to a typical environment and will likely get out of the business. We might soon see cyber-insurance coverage be as attractive a line of business as insuring asbestos insulation contractors.
Eric Marchewitz is a security solutions architect, recovering former CISSP and AWS Cloud Practitioner. His career in information security has spanned 23 years, working for companies such as PGP Security, Cisco Systems and Check Point. Most recently he is a Field Solutions Architect for CDW Corporation. This article does not reflect the views of CDW and is for information purposes only and should not be considered professional advice. No warranty for the information contained within is given.