WITH KEN MUNRO

Modern Insurance Magazine recently sat down with Ken Munro, Founder and Partner of Pen Test Partners, in order to discuss cyber vulnerabilities in our increasingly connected world. What susceptibilities are most in need of addressing urgently, and how can the security industry do more to protect its end-users?

Q Ken - what’s the appeal for hackers when it comes to planes, trains, ships and cars? Surely banks and large corporations are more lucrative?

A They are and they aren’t! Banks and large corporations know they’re more lucrative, so they’ve invested heavily in making sure that they have the most suitable defences in place. Hackers will always follow the money. We can’t think of them as kids in hoodies sat at a PC in the basement anymore; many ransomware operators are organised businesses, and operate as a serious threat. Some hacking groups have even got HR departments. Banks aren’t easy targets because they’ve spent so much money on stringent cybersecurity measures to combat this. Therefore, cybercriminals need to look at other resources further afield, and this is where we see the maritime industry being affected. For example, refuelling ships has been a really easy source of funds for cybercriminals in the recent past. If you can redirect a refuelling payment through invoice fraud and phishing emails, that’s potentially a huge lump sum being intercepted. The same goes for cars. Modern cars are increasingly connected, and many have now got payment systems in place which can unlock access to additional features. If money exchanges hands, it’s a potential source of income for hackers and other cybercriminals. Ransomware has even been developed for car systems, though fortunately it’s just proof of concept at the moment, rather than an immediate and pressing threat.

Q As a fan of electric vehicles (EVs), what cybersecurity vulnerabilities do you feel are most in need of addressing as a matter of urgency?

A EVs themselves aren’t a concern so much as the charging infrastructure that supports them. We’ve already seen hacks against EV chargers; there was a case in the Isle of Wight where an EV charger was hacked to display pornography, and another case in Russia where chargers were compromised and stopped from working altogether.
Pen Test Partners completed a large project on domestic EV chargers recently, finding major security flaws in most of them. Of course, if an EV charger is compromised or out of use because it’s been hacked, that’s a huge problem for drivers. In addition, this does nothing to reassure prospective EV owners who are concerned about the range of an EV; those who rightfully want to know that they could access an EV charger without hassle whenever they need one. Broken charging infrastructure is enough of a problem as it is, and a bunch of hackers further destabilising EV uptake is the last thing we need when it comes to making that switch.

Q Some insurance companies wish to fit trackers in vehicles in order to lower premiums. Is this counterproductive given the flaws that trackers can have, and the opportunity it provides to hackers?

A In a way, yes. Fortunately, since finding and reporting those flaws, they have now been fixed. However, these vulnerabilities should not have been there in the first place. I really hope that affected manufacturers have taken some time to reassess and up their game in this regard. Selling a security product for a vehicle without first addressing a significant number of security vulnerabilities is really unacceptable, and I’d like to see more evidence of manufacturers taking their role as security providers more seriously. I’d also like to see a more robust approach to security throughout the industry in general. Insurers will often rely on certification bodies to be certain that a product improves the security of a vehicle. Sadly, some of these bodies have accredited products that made the security of the vehicle worse! This cannot be allowed to continue.

Q Are we at a point where standard home and vehicle insurance policies should be inclusive of cyber cover, given the rise of the Internet of Things (IoT) and the hyperconnected world we now live in?

A As things stand right now, any underwriter would be crazy to do this!
There’s not enough data in place at the moment and not enough research being done in this space for an underwriter to accurately quantify the risk. Nothing could go wrong for years, and then an entire brand or fleet of vehicles could fall victim to a cyber-attack. This would leave one insurer on the hook for a very big cyber claim, so whilst I’d love to see more cyber cover embedded into other lines of insurance, I think that the risk would be way too high right now. Not enough research, and not enough data!

Q Do you think the number of successful catastrophic hacks will increase in the coming months and years? Or is technology and security managing to evolve at a fast enough rate to keep them at bay?

A Yes. It’s an arms race against the hackers. Organisations are trying to improve their cybersecurity quickly, and manufacturers are trying to improve their product security quickly in order to avoid an eventuality where security vulnerabilities bring down an entire fleet of vehicles, or an entire company’s data. There are many competing interests, each with different motivations, and then there are a bunch of researchers in the middle trying to shine a light on poor behaviour - all in the hope that catastrophic hacks can be evidenced fast enough before hackers catch on and start exploiting it.

Q As an ethical hacker, what is the biggest challenge for insurers when it comes to providing cover for modern-day cyber risks?

A Many insurers and underwriters are really suffering from the effects of ransomware right now.
A lot of cyber insurance policies are priced based upon historic risk data, and the prevalence of ransomware has accelerated so much that a lot of underwriters have been left facing multiple sizeable claims. As a result of these loss ratios, cyber insurance premiums are increasing quickly, and insureds must do everything they can to demonstrate stringent security measures when they’re looking to obtain this kind of cover. Savvy underwriters really like to do business with companies that are able to prove their cybersecurity strengths. In terms of cars, the thing that worries me most is where a vulnerability is found in a vehicle, escalating to a fleetwide hack because they’re fundamentally all using the same systems. Hypothetically, the systemic losses from a particular model or brand of connected vehicle all turning left at the same time could be catastrophic. This was realised in the Jeep hack of 2015, for instance; it can be done, and we’ve since demonstrated similar outcomes with other brands throughout the course of our commercial engagement work. Fortunately, these brands continue to take security seriously, ensuring that their vehicles are well protected. From an underwriting perspective in particular, however, it’s a really difficult risk to price against. These challenges are almost certainly set to continue as the cyber insurance market evolves.

Ken Munro, Partner and Founder, Pen Test Partners