Cyber attacks are increasing and becoming more sophisticated, costing companies billions. The range of risks is huge, covering everything from cyber crime to cyber war to cyber terrorism and hacking. At the same time, the motivation behind attacks is also varied – it can be money, pleasure, ideology or political. Conventional security concepts are increasingly proving to be powerless. We spoke to Martin Kreuzer, cyber risk expert in the Corporate Underwriting department at Munich Re, the global reinsurance company and a market leader in cyber insurance and associated services and security solutions.
Based on the results of the Global Risk Report 2019, published a few weeks ago at the World Economic Forum in Davos, 82 percent of experts questioned expect to see an increase in cyber risk scenarios leading to theft of money and data (82 percent) and business interruptions (80 percent). What developments do you see and expect on the cyber risk map?
Martin Kreuzer: These expectations largely correspond to our own assessments. Incidentally, concerns about business interruptions and data loss are the main reasons why companies take out cyber insurance policies. In general, the main things we are seeing on the risk map are increasing professionalisation of cyber criminals, constantly greater networking of devices and increasing cyber risks in the supply chain. The new 5G communication standard, which provides ten times higher data speeds, will bring another huge surge in this trend.
The investigation in the Global Risk Report 2019 reveals that new instabilities are primarily caused by increasing integration of digital technologies into all areas of life. It sounds like a choice between plague and cholera. Surveys repeatedly show that companies agree that digital transformation is of critical importance for their future success. Is there any way to resolve this conflict?
Martin Kreuzer: I think that almost every fundamental technical advance involves this kind of conflict. Digitalisation is having an impact on all areas of society, from professional life in all sectors to child raising, education and social life through to a country's political and economic system. However, as well as risks it brings numerous opportunities and huge potential, and we shouldn't lose sight of this. In Germany, the overwhelming view tends to be critical, so this plague and cholera metaphor is not something I'm totally unfamiliar with (laughs).
Even more reason to ask about solutions ...
Martin Kreuzer: The "plague and cholera" metaphor is one we can come back to here. It should encourage us that the cholera pathogen was extensively researched, from the transmission method to propagation, which enabled vaccines and medications to be developed that can completely prevent infection or at least alleviate the symptoms. To a certain extent, this can be applied to digital risks. Specific and very effective measures are definitely possible! And, at least here in Germany, health insurance is available to cover the costs in case of infection. It's a good analogy in this respect too.
Cyber weaknesses can result from completely unexpected causes such as the Spectre and Meltdown processor vulnerabilities in 2018. They affect almost all devices that have a processor chip from affected manufacturers. These include computers, smartphones and tablets running all major operating systems. How can we deal with these kinds of accumulation risks?
Martin Kreuzer: Increasing networking actually leads to a higher number of weaknesses being identifiable. The example you mention relates to hardware. In this case, it primarily comes down to the manufacturers of hardware or smart products. Unfortunately, the issue of security plays too small a role in the Internet of Things and smart devices. But I think that software vulnerabilities are even more significant. To give an example: Imagine a software update is used to spread malware. Both events can have a global effect, impacting hundreds of thousands of users. It's this kind of accumulation scenario that really gives underwriters, and particularly us as reinsurers, a headache. That's why we have IT specialists, insurance experts, lawyers and mathematicians working on models to map accumulation risks.
The Global Risk Report 2019 also discusses the scenario of a successful cyber attack on a country's power network triggering devastating spillover effects. How can we protect a country's critical infrastructure from these spillover effects?
Martin Kreuzer: What we call spillover effects – events that can have a knock-on impact on other situations or events – are taken very seriously by governments, operators of critical infrastructure, IT specialists and researchers, but also by insurance companies.
Because almost all critical infrastructure – and the power supply is just one example – is networked, cyber attacks can trigger negative cascade effects these days. The necessary protective measures are slightly more complex but in principle comparable to the measures that individual companies have to take to safeguard their IT infrastructure. This mainly involves processes and organisation, IT, technology and the human factor.
And what does that mean in concrete terms?
Martin Kreuzer: That technical and organisational measures need to be taken in all the areas I mentioned – in terms of the human factor, for example, this would be training employees, raising awareness of the issue and engaging internal and external specialists. For processes and organisation, emergency plans need to be put in place – known as incident response or business continuity plans – along with audit processes and clear responsibilities. In the latter case, this should always involve senior management.
There are also numerous technical solutions and service providers, from network security to password and rights management to monitoring, right through to encryption technologies. It is important to consider the criticality of processes, departments or data. For critical infrastructure, it is generally stored differently than in a medium-sized manufacturing company or a small business.
In 2018, representatives of the US law enforcement agency the FBI and the secret services the CIA and NSA issued warnings about smartphones and hardware from the Chinese manufacturers Huawei and ZTE. According to FBI Director Christopher Wray, if US citizens use devices from these manufacturers, information could be modified or stolen. From a risk perspective, how do you assess the use of this kind of hardware, for example in a critical internet and communication infrastructure? What would you recommend?
Martin Kreuzer: Regardless of specific cases, there's no doubt that today's hardware manufacturers play a crucial role – whether they make private smartphones or country-wide communication and IT infrastructure. When choosing manufacturers, it's important to closely analyse the quality of a product and its compliance with standards, which should ideally be demonstrated by certificates. The bottom line is whether you have confidence in the relevant hardware provider.
How do we need to rethink our concept of security in a world of comprehensive digitalisation and networking?
Martin Kreuzer: We need to adopt a global and all-encompassing approach that includes manufacturers of hardware and software, IT experts, IT security service providers, users and security agencies, as well as legislators, educators and research institutions. Only together will we be able to establish an effective security architecture in a globalised and digitalised age. One hundred percent security will never be feasible – but we need to do everything we can to achieve the maximum possible security.
How do you assess the human risk factor and appropriate risk culture in the context of the cyber risk map?
Martin Kreuzer: The human factor is and will remain one of the most important elements of information security. I find the assessment that people frequently are and will remain the weakest link in the chain to be definitely plausible. For this reason, a key issue remains raising employee awareness, for example through targeted communication and training.
Where can the biggest cyber risks be found – specifically for SMEs and major corporations?
Martin Kreuzer: The biggest risks can be found at the critical and sensitive points, which vary from one company to another – regardless of their size. This could be critical data, such as health or financial data, or intellectual property. However, in addition to data there are increasingly sensitive digital processes – for example in production or sales – which require maximum system availability. But the entire supply chain and service providers are increasingly proving to be what we could call bottlenecks, with a lot depending on them – cloud solutions are providing a very good example here.
If a cyber attack occurs, SMEs suffer a much greater impact as a consequence than major corporations, as they cannot normally call on in-house specialist departments such as IT forensics, legal advice or IT emergency management. As well as pure financial risk transfer, the insurance sector can offer valuable services in this area.
What sectors are a particular focus for cyber criminals?
Martin Kreuzer: We are observing significant demand for insurance protection against cyber risk from almost all economic sectors and industries. At the top are companies in healthcare and manufacturing industry, closely followed by the financial industry, the service sector and IT companies.
Is it not true that methods for analysis and, especially, evaluation of IT and cyber risks are hugely inadequate when it comes to coping with the highly complex IT risk map? Do we not also need to use IT risk management methods that are appropriate for dealing adequately with the complexity of the risk map, for example using stochastic simulation methods or system dynamics?
Martin Kreuzer: New or supplementary methods and standards are definitely needed. Simulated vulnerability and impact analyses, for example, have to include digital risks and dependencies – throughout the entire value chain of course. In addition to simulations, there is also a need for changes in monitoring; measures adopted have to be continuously reviewed in terms of their efficiency. Also correctly chosen and constantly monitored key performance and key risk indicators should increasingly take account of digital dependencies.
How do you assess the development of the market for cyber insurance?
Martin Kreuzer: We are satisfied with the development; however, we believe that there is still great market potential. Above all, we think that there is scope for development in the penetration of insurance for cyber risks among SMEs. We want to do our bit – with easy-to-understand and comparable solutions, transparent risk assessment schemes and simple processes for smaller companies. At the same time we offer industrial customers and major corporations tailored coverage concepts.
Safeguarding against financial losses, however, is only part of an overall concept. Along with our technology partners, we develop highly-effective and automated prevention services for our customers. They are designed to consistently monitor customers' infrastructure, promptly identifying risks and preventing losses.
And very important, in case of loss, a company must be able to respond quickly to limit the loss and re-establish normal operations as rapidly as possible. We support our customers with a network of experts – from legal advice to IT forensics.
How can cyber insurance cover business interruptions caused by a cyber attack? What are the normal time excesses?
Martin Kreuzer: Business interruption as a first-party loss after a cyber attack is now the most important reason why companies are buying cyber policies. Lost operating profit and ongoing costs can be insured. As well as a financial excess, there is frequently a time excess, after which the policy comes into effect. This is normally twelve hours.
You deal with the negative impacts of cyberspace every day. Mr Kreuzer, how do you deal with cyber risks yourself?
Martin Kreuzer: Well, I could also do with improving my protection – for passwords I still rely on my memory, but unfortunately it's getting worse over time. And passwords are getting more and more complex. I may soon have to switch to a password manager. Also, I've not yet found an effective way of convincing my wife to do less online shopping (laughs).
The questions were posed by Frank Romeike, managing director of the RiskNET competence network.
Martin Kreuzer is an expert in the field of information security. After studying law, Martin Kreuzer worked for almost a decade in operational information gathering for the German intelligence service in Pullach near Munich, before spending three years at the Bavarian state intelligence authorities, in the department responsible for protecting business against espionage and cyber warfare.
One of the few people in Germany who has dared to abandon a stable public sector career, Martin Kreuzer moved to Munich RE at the beginning of 2016. In the Corporate Underwriting Cyber Risks department, Martin Kreuzer is responsible for ongoing development of cyber insurance products, assessment of cyber risks, cyber risk consulting and monitoring of cyber risks and their originators, with the aim of expanding Munich RE's leading role in the booming market segment for cyber coverage.