A senior member of the Cyber Monitoring Center (CMC), an organization formed last year to monitor, define and classify cyber events impacting UK organizations, this week questioned whether a £1.5 billion (about $2 billion) government loan guarantee provided to Jaguar Land Rover (JLR) should have happened in the first place.
Speaking at an event hosted by the Royal United Services Institute (RUSI) that reviewed the CMC’s activities in its first year of operation, Ciaran Martin, chair of the CMC’s cyber monitoring technical committee, discussed the loan guarantee announced last year following an attack that has been described as one of the UK’s worst cyber incidents.
“I must stress that I’m speaking personally now. I think the loan guarantee is an unfortunate precedent because the government intervened in a case-specific way, in response to a set of events, without the clear criteria of what form such intervention could take,” said Martin during a panel discussion with CMC executives and Tracey Paul, chief strategy and communications officer at Pool Re, a UK terrorism reinsurer.
Martin, who is also a RUSI Distinguished Fellow, said, “there clearly are a set of plausible, realistic, bad scenarios where most reasonable citizens would expect some form of government activity. But it would be better to have a framework, whether that’s compulsory insurance, incentivizing insurance with tax breaks, whether it’s a set of principles as to what would trigger state intervention. And in what form? Loan guarantees? Something else?”
To complicate things, Paul noted that today there is a cyber insurance protection gap. “I don’t know how we are going to bridge this gap between the potential economics loss and the insured loss without some partnership between government and the insurance industry and other parts of the cyber ecosystem,” she said. The industry has a prefunded model, and a contract with the government under which, if the insurer runs out of money, the government will step in and loan the money to pay the losses.
“But that is one way of doing it and I think they would like the flexibility to do it in another way,” she observed. “But what I do think is you cannot have a transfer of risk between the public sector and the private sector unless you have some kind of structure around it, and at some point the government are going to have to come to the table on what that looks like in order to make that happen.”
Event impact can ‘ripple across an entire economy’
Analysts share Martin’s concerns.
Erik Avakian, technical counselor at Info-Tech Research Group, said on Friday that he “has been predicting for years now that attackers would start to move on from pure small disruption types of attacks (think DDoS) to catastrophic disruption and destruction of a company’s operations.”
The incident at JLR, he said, “really speaks to impacting the overall resilience of a company’s business operations. And once that happens, the impacts can go well beyond just a quarterly earnings miss.”
Avakian added, “what we’ve seen with the Jaguar Land Rover attack is certainly exemplary of that, and has shown that a cyber incident can shut down real-world operations in a way where the impacts can ripple across an entire economy, not just IT systems; where a cyberattack can directly impact a nation’s GDP, employment, and wreak havoc on national exports.”
He agreed with Martin’s sentiments, explaining, “in my opinion, the government stepping in like this with a loan guarantee is creating and sending a signal that some companies could now be considered too important to fail due to cyber risk. That can create a dangerous precedent because large, critical organizations could become primary targets for cyber criminals if they know that a successful attack could cause such massive consequences.”
It could also lead to new risks, said Avakian, “where companies may potentially underinvest in their security if they believe there’s an implicit safety net that will be there for them. Cyber resilience is more important than ever and should be central to how organizations think about security and risk management; not just how to prevent a breach, but how to keep business operations running in the face of cyberattacks.”
David Shipley, CEO of Beauceron Security, added, “a monster has been created by using insurance to cheat our way out of hanging the risk in near-term more expensive, but long-term more effective ways.”
Why, he asked, should organizations “invest all the work in multifactor authentication when you can just buy insurance? The problem now is the cybercrime monster that insurance fed is now Godzilla sized, and we can’t insure all of the damage. Great job.”
Government bailouts of industry, said Shipley, “is just the next, bad leap in the same flawed decision. If insurance was the crack cocaine of cyber risk mismanagement, government bailouts are the corporate fentanyl. Maybe the smart answer is, we have to account for the real cost of proper security in our goods and services, and invest in ways that don’t put money in the hands of criminals.”
This article originally appeared on CIO.com.
