We are so privileged to have Admiral (Ret.) Mike S. Rogers bringing his unique insights on cyber threats to the CyberCube Board of Directors. His deep military background and recent experience as Director of the NSA help us to see the opportunities and the challenges for the insurance sector in a different light.
Here’s my 5-bullet point snapshot from Mike’s keynote speech at Advisen’s Cyber Risk Insights Conference this morning (October 25) in NYC:
1. Even the unflappable Mike S. Rogers has concerns: He described the potential for attackers to transition from stealing or destroying data to amending data in systems in ways that aren’t immediately detectable by the user. The financial markets, for example, are founded on a mutual trust in the integrity of the data they rely on. The ramifications of that data being manipulated are immense for the broader economy. Mike warned against complacency on the threat landscape: Both criminal and nation-state cyber attacks will only increase. So insurers have to be prepared to operate in a world where the list of actors and the breadth of their activity are growing.
2. A challenge for the insurance industry is to create a sustainable business in such a high-uncertainty environment. In the cyber landscape, there is historical data, but events in the past don’t correlate to the future. He challenged the industry to create models that can be predictive of both the frequency and severity of future cyber events.
3. The insurance industry plays a crucial role in incentivizing companies to improve security standards – using the levers of lower premiums and better terms and conditions – thus raising the level of cybersecurity around the world.
4. Nation-states are super-motivated and well equipped to escalate cyber attacks on targets. Motivations vary: from stealing intellectual property and other data, to disrupting operating systems, to the utter destruction of entire regimes…
5. …And Mike provided a peek behind the curtain of government, in the face of a nation-state attack: the US government has considered declaring an Act of War on multiple occasions, including Sony Pictures in 2014 and NotPetya in 2017. So, if these 2 events (which were publicly attributed to nation-states, as a criminal act) weren’t enough to declare an Act of War, what would that threshold be? Mike explained that there would likely be a number of attributes that would be considered, including:
- The cost to the economy
- Loss of life or injury threshold
- Attack against a core value of the nation (such as freedom of speech)
… This is not a decision to be taken lightly, he said: “Nation states need to be very cognizant of the implications of taking this step. If we are to cross this Rubicon, we need to make sure that the circumstances leading to that step are appropriate”.
“That’s not to say the government won’t do it,” he added.