
Cyberattacks a question of when, not if, Risk Summit told
Artificial intelligence will strengthen cyber attackers but will also help defenders, delegates at the Bermuda Risk Summit, taking place in Bermuda this week, have been told.
A panel on cyber insurance also agreed that Bermuda was one of the leading centres for cyber re/insurance.
Damini Mago, head of strategy and product development of cyber modelling solutions at Moody’s, said AI was "the new kid on the block" and enabled relatively unsophisticated attackers to carry out more sophisticated attacks while also driving more frequent attacks.
She said AI could also introduce new vulnerabilities to manage as the technology evolved.
But she noted that defenders can also use AI to detect and prevent attacks.
Oliver Brew, international cyber practice leader at Lockton Re, said ransomware remained the biggest source of concern for many businesses, but in the last 12 months, interruption of digital supply chains had increased and was a real source of vulnerability.
George Alayon, deputy director, supervision (FinTech) at the Bermuda Monetary Authority, said the BMA was conducting a consultation on operating resilience, which would close on Friday.
He said disruption was not a question of whether you will be disrupted but when.
“We need to know a company’s ability to recover, to get back up and serve customers,” he said.
Devin Page, the head of specialty at Ascot Bermuda, said the fact disruption will occur showed the need to prepare in advance for attacks. The CrowdStrike interruption was a good example of this, he said.
Mago said the CrowdStrike incident, in which an error in a software upgrade for cyber protection crashed multiple computer systems around the world, delivered several lessons.
One was the need to identify critical systems and how supply chain software could affect critical systems. She suggested companies should test computer updates in a sandbox before pushing them through critical systems.
The second was the recognition that cyber events will happen.
“It is not a matter of if, but when,” she said. “How quickly can you get back up online? Most systems in CrowdStrike were back up within 24 hours but some airlines could not get back online for several days.”
Alayon said CrowdStrike highlighted the distinction between malicious and non-malicious triggers for cyber policies. Learning from this, cyber insurers should consider both attack vectors in their underwriting models and policy language. Non-malicious events, like the CrowdStrike update failure, can cause widespread disruption with an outcome similar to coordinated attacks but may fall into grey areas under traditional cyber policies focused on malicious acts, further adding to the silent cyber exposure of cyber insurers, he said.
Brew said a huge difference in the way insurers look at cyber risk is the dramatic increase in computing power.
“You can take data in and look at all parameters,” he said. “There are a lot of ways to supplement the way you view a risk.”
Alayon said the Bermuda market wrote $7.8 billion of cyber risk, a 64% increase from last year, and 58% of the global market.
He added there remained a big gap between protection and risk – the second largest at $900 billion after the pension gap.
But he said Bermuda was in a great place to expand, both in terms of underwriting coverages and the use of ILS vehicles.