Corvus’ Rebholz: Cyber premiums not keeping up with threat landscape

Corvus’ chief information security officer Jason Rebholz has warned that premiums in the cyber market are failing to keep pace with the current threat landscape.

Speaking to The Insurer TV, Rebholz noted that the ransomware world is rapidly evolving, with “bad actors” starting to embrace specialisation.

Arriving at the same conclusion as Adam Smith in his seminal 1776 work The Wealth of Nations, Rebholz explained that ransomware actors have come to realise that the best way to increase output is by becoming great at a very small part of the production process.

“You just have these groups that are doubling down on the things that they're good at. And then outsourcing other capabilities, which is really just adding fuel to this ransomware fire,” he said.

This, according to Rebholz, has led to the “diversification of roles” within the ransomware underworld.

One niche area in the ransomware ecosystem created by this turn to classical economics is that of the access broker.

“These act as a middleman between various hacking groups, where these certain hacking groups can just go out and specifically just try to get access into an organisation … And so, you have these other ransomware groups, or actors who want to go and deploy ransomware, who will buy that access,” he said.

Rebholz said this approach has dramatically lowered barriers to entry to the world of ransomware, to the point where the ability to code is no longer an essential skill when it comes to deploying malware.

“These ransomware service groups have evolved to really take on that burden and that solved one of the key issues of: ‘Hey, I don't know how to write malware.’ Well, now you can just subscribe to somebody and say, ‘Hey, I'm going to sign up with this ransomware group and I'm going to use all of their tools,’” said Rebholz.

Critically for the cyber insurance market and its future sustainability, Rebholz does not see premiums rising to match the growing threat posed by ransomware.

“[We are] seeing this lag right now where we have just this disconnect of what's actually happening out in the threat landscape, and where we are at with premiums,” warned Rebholz.

Another key concern Rebholz cited is the issue of some insurers withdrawing the mandated “security controls” necessary to qualify for insurance.

Rebholz did not see the pairing of looser controls and flattening premiums as particularly good for the sector.

“This [pairing] is where we're really kind of setting up an environment where there could be a lot of future pain, because we haven't quickly adapted to where these attacks are going,” said Rebholz.

Capital will follow the data

For Rebholz, the “unpredictable” nature of cyber will always be a concern for the capital coming into the sector, but better access to reliable data will help encourage more capital into the market.

“I know, there's been a lot of concerns in the past. Is there enough [capital]? And, you know, this obviously impacts everything about cyber insurance. But really what I see as the underlying issue here is, there's a lot of uncertainty in cyber,” he said.

“And so really, what I think the answer here is, is make sure that we can try to bring more data to the situation, to just get a better comfort level of how we can mitigate the risk.”

This year saw the first cyber cat bond, but Rebholz said there are still some challenges that need to be addressed before cyber ILS becomes a more mainstream risk transfer solution.

“I think we're really experimenting right now as an industry to help deal with the uncertainty of what are potential aggregate risks in cyber and this all goes back to that level of uncertainty.

“So, there's a lot of planning happening right now and we’re just really trying to think through, what is a worst-case scenario and what is the likelihood of that. And I think it's a bit of a double-edged sword in cyber, because while you can take a logical flow of scenario planning, at the same time, when you look at the level of complexity required to get to that point, it's essentially a compounding probability issue, where it becomes so difficult to scale.

“I think this level of uncertainty is really what's fuelling a lot of these different [solutions]. It's unclear on what's going to stick but, at the end of the day, the most important thing that we can be doing as an industry is really look at how can we encourage the right security controls, the right resilience controls in all of the environments to make sure that we're just raising the overall bar of security,” he concluded.

Watch the 14-minute interview with Corvus’ Jason Rebholz to hear more about:

  • The increasing sophistication of ransomware attacks
  • Why the industry needs to hold the line on premiums
  • Impact of Russia-Ukraine on ransomware attacks
  • The importance of good quality data to attract capital