by Kristof Terryn

Securing the cyber space age through public-private collaboration

Mar 14, 2019
Financial Services Industry, Security Software

Half a century ago, Neil Armstrong became the first human to set foot on the Moon. This remarkable achievement is testament to what is possible through public-private collaboration.

During the 1960s, roughly 90% of NASA’s overall budget went to the private sector. Businesses powered man to the moon – building the Saturn V rocket. Protecting against the complex risks of space travel was just as vital. Goodyear Aerospace regulated engine temperatures, whilst ILC Dover created spacesuits which protected against the moon’s extreme conditions.

Technology developed for the Apollo programme is still used – from kidney dialysis to water purification. Even our smart devices owe their roots to it.

Today, that smart technology has created a new ‘cyber’ space age. The combination of connectivity, mobility and data presents almost boundless opportunities. Once again, success requires public-private collaboration and a focus on security and protection against the risks.

The task is formidable. Cyber attacks continue to rise in frequency, cost and impact. The World Economic Forum (WEF)’s Regional Risks for Doing Business 2018 report found them to be the number one concern for businesses in Europe, East Asia and the Pacific, and North America.

Neither the public nor private sectors can solve this alone. We need to increase collaboration, resist silo thinking and recognize geopolitical tension as a hindrance to the crucial work needed. Organisations like WEF play an important role in bringing stakeholders together and coordinating activities. An example is WEF’s Center for Cyber Security which convenes experts and thought leaders to address systemic cyber risks and create tools to better understand them.

Collaboration has three key aims. First, we must build a general culture of resilience against cyber threats. In one survey last year, PwC found most organisations had not conducted a cybercrime risk assessment. Only 30% had a cyber-response plan. Many lack a thorough understanding of their critical data assets, where they reside, and whom they support.

Insurers have a role to play. Zurich Insurance has invested in a new, state-of-the-art Cyber Fusion Center to establish collaboration between highly-skilled cyber threat intelligence, response, forensics, and vulnerability management teams. We also work with security service providers, such as Zeneth Technology Partners (Zen-Opz), to help customers identify cyber security vulnerabilities before an attack takes place.

For their part, policymakers should look to improve ‘cyber education’ among businesses – particularly SMEs. The US Department of Homeland Security’s National Risk Management Center is particularly welcome. The Center will work with financial, energy and telecoms providers to identify sectoral security weaknesses, develop response plans and run cyber drills.

Achieving resilience also requires monitoring and improving incident response on a global level, particularly to systemic cyber events. This means improving global governance. Policymakers must identify those governance institutions that are fit for purpose, strengthen and clarify their roles and isolate them from geopolitical tension. Governance could also be improved via the use of networks to allow national entities to interact, creating trust, increasing coordination, and facilitating joint responses. This approach would mirror the informal coordination among central bank governors – successful during the financial crisis. One further idea could be to establish either a Cyber WHO or G20 structure, which would coordinate preparedness, resilience and response to a systemic cyber-attack or failure.

The second area for collaboration is facilitating conditions that allow the insurance sector to play its risk management role. As with any exposure, in order to effectively underwrite cyber risk – and assess frequency and severity – insurers must have access to credible and consistent data. This includes incident reporting, impact assessments, forms of attack and threat analysis. The public sector can support by protecting victims of cyber-attacks from liability concerns.

Establishing common attribution protocols will also aid underwriting. This is under discussion within the insurance industry and among businesses across the globe. Clarity will support the growth of the cyber insurance market and ensure that customers have the correct coverage in place.

But even with these efforts, not all large events may be insurable. Such is the systemic and complex nature of cyber-attacks – with uncertain levels of ‘accumulation’ risk – that some government capital support needs to be considered. Cyber warfare such as a state-sponsored attack on national infrastructure may fall beyond the appetite of the market.

The third and final action for collaboration is therefore to consider the feasibility of government-backed reinsurance schemes, similar to those addressing natural catastrophes and terrorism. Solutions must strike a balance between a sustainable cyber insurance industry and mitigating risks for consumers and the economy.

Today’s cyber space age may not have a moon landing, but its benefit for society could be even greater. Success is within our grasp, but the stakes are higher and the risks more complex. A collaborative focus is required. It’s time to come together in this next giant leap for mankind.

Kristof Terryn is Group Chief Operating Officer of Zurich Insurance. He has been working in the financial services industry for more than 25 years, and for more than a decade at C-level with CEO and COO roles.