Modern Insurance Magazine Issue 65
Q: Ken - what’s the appeal for hackers when it comes to planes, trains, ships and cars? Surely banks and large corporations are more lucrative?
A: They are and they aren’t! Banks and large corporations know they’re more lucrative, so they’ve invested heavily in making sure that they have the most suitable defences in place. Hackers will always follow the money. We can’t think of them as kids in hoodies sat at a PC in the basement anymore; many ransomware operators are organised businesses, and operate as a serious threat. Some hacking groups have even got HR departments.
Banks aren’t easy targets because they’ve spent so much money on stringent cybersecurity measures to combat this. Therefore, cybercriminals need to look at other resources further afield, and this is where we see the maritime industry being affected. For example, refuelling ships has been a really easy source of funds for cybercriminals in the recent past. If you can redirect a refuelling payment through invoice fraud and phishing emails, that’s potentially a huge lump sum being intercepted.
The same goes for cars. Modern cars are increasingly connected, and many have now got payment systems in place which can unlock access to additional features. If money exchanges hands, it’s a potential source of income for hackers and other cybercriminals. Ransomware has even been developed for car systems, though fortunately it’s just proof of concept at the moment, rather than an immediate and pressing threat.
Q: As a fan of electric vehicles (EVs), what cybersecurity vulnerabilities do you feel are most in need of addressing as a matter of urgency?
A: EVs themselves aren’t a concern so much as the charging infrastructure that supports them. We’ve already seen hacks against EV chargers; there was a case in the Isle of Wight where an EV charger was hacked to display pornography, and another case in Russia where chargers were compromised and stopped from working altogether.
Pen Test Partners completed a large project on domestic EV chargers recently, finding major security flaws in most of them. Of course, if an EV charger is compromised or out of use because it’s been hacked, that’s a huge problem for drivers. In addition, this does nothing to reassure prospective EV owners who are concerned about the range of an EV; those who rightfully want to know that they could access an EV charger without hassle whenever they need one. Broken charging infrastructure is enough of a problem as it is, and a bunch of hackers further destabilising EV uptake is the last thing we need when it comes to making that switch.
Q: Some insurance companies wish to fit trackers in vehicles in order to lower premiums. Is this counterproductive given the flaws that trackers can have, and the opportunity it provides to hackers?
A: In a way, yes. Fortunately, since finding and reporting those flaws, they have now been fixed. However, these vulnerabilities should not have been there in the first place.
I really hope that affected manufacturers have taken some time to reassess and up their game in this regard. Selling a security product for a vehicle without first addressing a significant number of security vulnerabilities is really unacceptable, and I’d like to see more evidence of manufacturers taking their role as security providers more seriously.
I’d also like to see a more robust approach to security throughout the industry in general. Insurers will often rely on certification bodies to be certain that a product improves the security of a vehicle. Sadly, some of these bodies have accredited products that made the security of the vehicle worse! This cannot be allowed to continue.
Q: Are we at a point where standard home and vehicle insurance policies should be inclusive of cyber cover, given the rise of the Internet of Things (IoT) and the hyperconnected world we now live in?
A: As things stand right now, any underwriter would be crazy to do this! There’s not enough data in place at the moment and not enough research being done in this space for an underwriter to accurately quantify the risk. Nothing could go wrong for years, and then an entire brand or fleet of vehicles could fall victim to a cyber-attack. This would leave one insurer on the hook for a very big cyber claim, so whilst I’d love to see more cyber cover embedded into other lines of insurance, I think that the risk would be way too high right now. Not enough research, and not enough data!
Q: Do you think the number of successful catastrophic hacks will increase in the coming months and years? Or is technology and security managing to evolve at a fast enough rate to keep them at bay?
A: Yes. It’s an arms race against the hackers. Organisations are trying to improve their cybersecurity quickly, and manufacturers are trying to improve their product security quickly in order to avoid an eventuality where security vulnerabilities bring down an entire fleet of vehicles, or an entire company’s data. There are many competing interests, each with different motivations, and then there are a bunch of researchers in the middle trying to shine a light on poor behaviour - all in the hope that catastrophic hacks can be evidenced fast enough before hackers catch on and start exploiting it.
Q: As an ethical hacker, what is the biggest challenge for insurers when it comes to providing cover for modern-day cyber risks?
A: Many insurers and underwriters are really suffering from the effects of ransomware right now. A lot of cyber insurance policies are priced based upon historic risk data, and the prevalence of ransomware has accelerated so much that a lot of underwriters have been left facing multiple sizeable claims.
As a result of these loss ratios, cyber insurance premiums are increasing quickly, and insureds must do everything they can to demonstrate stringent security measures when they’re looking to obtain this kind of cover. Savvy underwriters really like to do business with companies that are able to prove their cybersecurity strengths.
In terms of cars, the thing that worries me most is where a vulnerability is found in a vehicle, escalating to a fleetwide hack because they’re fundamentally all using the same systems. Hypothetically, the systemic losses from a particular model or brand of connected vehicle all turning left at the same time could be catastrophic. This was realised in the Jeep hack of 2015, for instance; it can be done, and we’ve since demonstrated similar outcomes with other brands throughout the course of our commercial engagement work. Fortunately, these brands continue to take security seriously, ensuring that their vehicles are well protected. From an underwriting perspective in particular, however, it’s a really difficult risk to price against. These challenges are almost certainly set to continue as the cyber insurance market evolves.
Ken Munro, Partner and Founder, Pen Test Partners