The number of cyber attacks, and with them the financial damage to business and society, has been increasing for years. If we continue on this path, in the near future it will no longer be possible to insure against damages resulting from cyber attacks. A system of public-private cooperation is the only way to keep the risks affordable.

So says Mario Greco, CEO of Zurich, in an interview with The Financial Times (1). Zurich is one of Europe's largest insurance companies.
How many cyber attacks occur each year is impossible to say. To give an idea, researchers at the University of Maryland (2) estimate that, on average, a cyber attack occurs every 39 seconds somewhere in the world. That means there are more than 2,200 digital attacks every day. And once hackers have infiltrated a corporate network or IT system, that is when the trouble really begins.
That is exactly what Greco warns against. The top executive of insurance company Zurich argues that the capture and theft of privacy-sensitive information or confidential business data can cause a lot of misery for those involved. Of particular concern are hackers who take over parts of vital infrastructure. "These people [hackers, ed.] can seriously disrupt our lives," he says in an interview with U.S. business newspaper The Financial Times.
As an example, Greco cites the ransomware attack on the U.S. oil company Colonial Pipeline (3). Using ransomware, the attackers managed to largely disrupt the distribution of petroleum on the East Coast. To limit the social impact, the company decided to pay $4.4 million in ransom to the perpetrators.
"I realize it's a controversial decision. I did not take it lightly. I didn't feel comfortable watching the money flow away to the perpetrators. I did it in the national interest," CEO Joseph Blount (4) said in an interview with The Wall Street Journal.
The identity of the hackers is often not known. Security experts suspect that the now-defunct Russian hacker group DarkSide (5) was behind the ransomware attack on Colonial Pipeline. Countries such as China, Iran and North Korea are also often mentioned as possible perpetrators.
The damage resulting from cyber attacks has been increasing for years, according to Greco. And with it, the premiums businesses pay to insure against them are also skyrocketing. The top executive refers to a study by British insurer AON. This shows that cybersecurity premiums rose 27 percent between April and May of this year compared to the same period last year.
At this rate, cybersecurity insurance will be unaffordable in the future. To counter this, some insurance companies are imposing strict requirements on their customers. For example, customers of the American company AIG are presented with a questionnaire to get a picture of the state of a company's security and digital resilience. Those who score poorly in this area are denied cybersecurity insurance.
That, according to Greco, is not the solution to keeping cybersecurity insurance affordable. The top executive calls for more public-private partnerships to provide policies for systemic risks.
The Zurich top executive also sees salvation in the strict cybersecurity directives that Brussels is imposing on European companies. In three weeks, for example, the NIS2 directive will go into effect.
'NIS' stands for network and information systems. The European Commission last year adopted a revised version of the original directive, which dates back to 2016. The purpose of this directive is to increase the digital resilience of European businesses. The updated directive applies not only to critical infrastructure, but also to companies in sectors such as waste management, aerospace, chemicals and the food industry.
In September, the European Commission introduced the Cyber Resilience Act (6). The purpose of the bill is to make manufacturers of smart devices responsible for their security. The bill states that the manufacturer must provide at least five years of support, unless the lifespan of the device is shorter. This includes software updates and patches that fix security problems. Furthermore, consumers have the right to be properly informed about the security of the devices they buy.
The rules apply to all products with an Internet connection. If they do not meet certain minimum requirements, the European Commission may decide to impose a fine. This can amount to up to 15 million euros or 2.5 percent of global turnover, whichever is higher.
It is now up to the European Parliament to pass judgment on the Cyber Resilience Act. Then it is the turn of the Council of Ministers. If the bill is passed by all parties, member states will have two years to incorporate the rules into national law.
(1) https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d
(2) https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds
(3) https://www.vpngids.nl/nieuws/colonial-pipeline-stuurt-6-000-mensen-een-brief-na-ransomware-aanval/
(4) https://www.vpngids.nl/nieuws/ceo-colonial-pipeline-bevestigt-4-4-miljoen-dollar-te-hebben-betaald-aan-hackers/
(5) https://www.vpngids.nl/nieuws/darkside-staakt-cyberaanvallen-servers-offline-gehaald/
(6) https://www.vpngids.nl/nieuws/europese-commissie-wil-iot-apparaten-met-slechte-beveiliging-weren/
