What makes Cyber Geospatial? Or what elements of Cyber are Geospatial?
From my perspective, there are two main areas to consider. First, there is Cyber as a domain in itself. Here, we’re dealing with tension points related to data location, data ownership and information flow, as well as the location of IT equipment and the location of attackers. These aspects need to be seen in the context of our traditional understanding of territory and nation states, and the laws applicable to cyberspace under their jurisdiction. Additionally, the lack of any actual physical boundaries defies the whole notion of geospatial constraints when it comes to cyber. Whereas “in the real world”, we can define areas that are more susceptible to earthquakes, it is virtually impossible to fence in cyber problems.
Second, we have the deep penetration of the geospatial space with digital tools and services. As a society, we are ever more dependent on those being available and functioning correctly. Good examples are self-driving cars or autopiloted airplanes. The integrity and availability of these tools and services is directly associated with their connectivity into the cyber domain.
Why is it so difficult to model for cyber risk, compared to other risks?
Compared to other risks, cyber risks present us with some challenges that differentiate them from regular risks. On the one side, it is hard to lower your cyber risks objectively: If one tries to prevent fires from happening or spreading, there are certain things that can be done to limit the likelihood of a fire breaking out, e.g. installing fire-resistant materials, or to prevent the fire from spreading, e.g. sprinkler systems or fire doors. Implementing these measures will lower the fire risk for one building. If similar measures are taken in a different building, the risk of a fire is also lowered for that building. In cyber, this concept does not work, since the likelihood of falling victim to a (targeted) attack depends not just on your own defenses, but also on the threat against your organization and the defenses of your peer group, including organizations that you depend on (dependent business exposure and supply chain). If an attacker has the choice between several banks for his attack, he will likely choose the one that has fewer security controls in place—compared to other banks. In reality, this can result in your organization being the leader in cyber security in your peer group, and while your own controls did not degrade but everyone else invested in additional security controls, you could become the lowest-hanging fruit for the attacker.
Additionally, the paradigm of assumed breach puts a unique twist onto the traditional risk modeling thoughts—an adverse event has already happened, and it is the assumption that those events happen almost on a daily basis. The challenge then is determining how malicious the event is and reacting accordingly, which could result in a benign modification of one of the protection devices or in a full-blown threat hunt, working against the clock trying to prevent a data breach or business interruption.
Finally, the frequency of incidents is significantly different compared to other risks. Whereas a building can usually only burn down once, or the likelihood of you being affected by an earthquake or flood is somewhat deterministic depending on your location, cyber risks almost run counter to this approach. Usually, if you get hit by a cyber-attack, there’s a fundamental problem that needs to get fixed first before your overall security is improved in the long run. That actually could lead to an increased risk of being hit by another incident again in the near future, instead of a lower or at least similar risk. In other words, contrary to traditional risks, cyber risks are completely man-made risks, and looking for patterns in the past has very limited relevance for predicting future events.
When do you think models will be ready to take on the risks of Cyber fully?
I believe the models exist. AIG, for example, uses an underwriting model for cyber that is based on defining the risk along the well-understood lines of impact multiplied by probability, while taking the actual threat landscape and the geolocation of the insured, as well as the effectiveness of the installed security controls, into account. While no model reflects reality perfectly, this allows us to model and quantify cyber risks quite realistically.
How will Cyber change the Insurance Industry?
Insurance addresses real-world risks that individuals or businesses face. With the ongoing digitization of businesses and value generation depending more and more on IT, as well as our personal social lives becoming more digital, there is a need to insure risks originating from the cyber domain. Therefore, insurance companies, of course, have brought cyber insurance products to the market. However, cyber is also becoming a component that has a growing influence on traditional insurance areas like property, casualty, or professional liability. It is therefore key for insurance companies to fully understand the cyber domain with all its facets and real-world consequences to ensure that cyber risks are correctly identified across the various insurance products – making cyber a true insurance peril.
What attracted you to work in this area of the Insurance Industry?
I always had a strong interest in IT and cyber. While starting out in communication, I also spent some time in system development and of course in cyber defense directly. My technical and operational approach in the beginning of my career slowly shifted more toward business-risk-based thinking. But I was always looking at risks from a business-internal perspective. Working for an insurance company gives me the opportunity to get a much broader understanding of risks. Additionally, working within the area of cyber insurance, I have an opportunity to work in an area that is still new for insurance providers as well, which brings some exciting opportunities to be part of something new.
We will be discussing these issues and more at the GeoInsurance Europe 2019 event this January. To find out more about the event, including the agenda and full speaker line-up – Click here. To hear more from Sebastian Hess, join us in Discussion Group 4B – Practical strategies for penetrating into Cat perils.