• Dhaka Tue, 24 DECEMBER 2024,
logo

The small print leaving UK plc exposed to ‘nuclear level’ cyber attacks

International desk

  24 Jan 2024, 17:03

At a press conference in the heart of Silicon Valley, five men in suits posed for a photograph that shed unprecedented light on the world’s most powerful intelligence partnership.

The men belonged to the Five Eyes espionage alliance, each representing intelligence services from Britain, Australia, Canada, New Zealand, and the US. Until then, they had never appeared together in public.

Their smiles to the camera contrasted against a dark warning shared by one group member, Britain’s head of MI5, Ken McCallum.

The UK had seen a sharp rise in aggressive attempts by foreign states to steal the country’s high-tech secrets, he warned. The biggest threat of all: China.

According to McCallum, more than 20,000 people in the UK have been approached by Chinese agents online as part of “epic scale” espionage efforts.


One alleged Chinese spy created fake profiles on LinkedIn to contact thousands of British officials – offering cash, trips to China and paid speaking gigs as ways of extracting state secrets.

Reports of China’s covert spy network in the UK will weigh on the minds of City bosses, as corporations fortify their offices with costly cyber defences to protect their data being stolen by ransomware gangs.

While some UK companies are now spending millions of pounds spent on cyber insurance, many remain uncovered.

Most vulnerable are Britain’s small and medium-sized businesses, according to Jamie MacColl, a cyber research fellow at defence think tank Royal United Services Institute.

“A lot of organisations just don’t view it as an important risk, particularly smaller companies. They might think, you know, a cyber attack is something that happens to someone else, or it’s something that only happens to large corporations,” he says.

The coverage gap can be partly blamed on insurance fees.

A decade ago, cyber insurance was cheap and easy to buy. Insurance companies cut their prices to spark demand in a nascent market.

“Naive insurers entered into the cyber insurance market with not a lot of cybersecurity expertise, wrote policies that had very high limits and no kind of security requirements to get a policy. They all got burnt when ransomware became an issue,” says MacColl.

The rise of Russian-backed cyber hackers demanding multi-million pound ransoms from City firms left underwriters lumbered with mounting losses. Some insurers were forced to leave the cyber risk market entirely.

Profit-seeking insurers hiked prices and made it harder to qualify for protection, with many companies not meeting the higher minimum security requirements.


While costs have since come down as more cyber insurers re-entered the market over the past year, how much these policies will actually cover has also been hotly debated.

Where trade secrets are stolen by cyber spies, the answer is typically straightforward.

While insurance will often pay for follow-on investigation and compliance costs after a cyber attack, the loss of intellectual property and proprietary information is not usually covered.

Insurers can easily determine the value of financial losses from a company’s day-to-day operations being disrupted, but the same can’t be said for trade secrets.

“It’s hard to put a value on them. That’s not to say there’s no damage, but it’s harder for insurers to quantify,” says Josephine Wolff, an associate professor of cybersecurity policy at Tufts University in the US.

More complex is who foots the bill in the case of a catastrophic cyber attack.

Lloyd’s of London, the biggest and oldest global insurance market in the world, last year began excluding devastating “state-backed” cyber attacks from its standard insurance policies.

The new rule stopped insurers selling protection against state-sponsored cyber attacks which are so severe they “significantly impact” a country’s ability to function.

It sought to protect insurers from being exposed to enormous costs of systemic cyber warfare, updating war exclusions first introduced to protect earlier risk managers from being crippled by the costs of replacing sunken battleships during the Spanish Civil War.

“Think the digital equivalent of a nuclear strike. This remotest of possibilities, like a nuclear strike, is not one that insurers can cover as standard,” James Burns, head of cyber strategy at insurance company CFC Underwriting, wrote on LinkedIn.

The overhaul came after Western powers blamed Russia for the NotPetya hack in 2017, one of the most destructive cyber attacks in history which shut down computer systems of companies in more than 60 countries.

After a lengthy legal battle, insurers were left on the hook for billions of dollars in insurance claims.

However, it is not clear how the cyber exclusions will actually work in practice.

“We haven’t seen a lot of big tests of them yet. We haven’t seen a lot of attacks where insurers have denied big claims and people have gone to court to fight out what it all really means,” says Wolff.

Source: BSS

Comments

  • Most Viewed News Of International
Read More
PM appreciates pilots, crew of Biman exposed to hijack threat
38 per cent banks ready to tackle cyber attacks