The unpredictable nature of cyber attacks is making it hard for the insurance industry to create policies that offer adequete protection for businesses facing this threat.
This was the view of industry experts at a London roundtable event organised by Kaspersky Lab to discuss the main issues faced by the insurance industry and how cyber threats have changed how companies must try and protect their assets.
Nick Beecroft, manager of emerging risks and research at insurance firm Lloyds, explained that cyber threats have three unique characteristics that make them a challenge for insurers.
"The first is that it's intangible and that means that just understanding the nature of the risk exposure is a real challenge. The second is that it is truly systemic," he said.
"We have to think about cyber as a truly interconnected threat where threats can propagate throughout networks and as an insurance challenge that creates the issue of a single attack potentially generating loss events throughout connected networks in quite unpredictable ways."
Beecroft, who also completed 12 years' service in the Royal Air Force, listed the third component as the fact humans are actively looking to find new ways to breach systems, making it hard to define the protection that is required.
"The way the threat evolves is about humans employing their imagination, studying the defences in front of them and trying to come up with new ways to exploit surprise. It remains very much a human-driven threat," he said.
"Those three things - intangible, systemic and human threats - in combination create a very challenging threat for us to measure and keep ahead of."
Human error was also mentioned throughout the discussion as another challenge faced by the insurance industry when drawing up insurance plans for firms.
Lauren Cisco, cyber, technology and media chief at JLT Group, said: "A great proportion of data breaches actually result from just general human error, so not necessarily intentionally or maliciously perpetrating a data breach but just, for example, leaving a laptop in a car," she added.
John Hurrell, chief executive of Airmic and fellow of the Chartered Insurance Institute, added that another issue is the fact that while insurance firms are reacting quickly to how to deal with cyber threats, they cannot move fast enough.
"The threat is evolving but the awareness of the threat is also evolving. I think it's an evolutionary process but I think it's got a long way to go," he said.
"The challenge for our members is that as soon as they get their head round the current state, the current state moves off rapidly in another direction."
Hurrell said that the threats facing business from this threat are generally seen in three ways: the theft of intellectual property, loss of systems integrity and damaged brand reputation.
The final threat is something that the insurance industry cannot protect against.
"Once customers lose confidence [...] the brand can be affected and that's where I think the insurance industry has very few solutions," he said.
No solution in sight
David Emm, principal security researcher at Kaspersky Lab, agreed that the unpredictable and evolving nature of cyber crime does not make it easy for insurers to quantify the risks facing their clients.
"If we were to represent the threat landscape as a pyramid, the bulk of that pyramid, probably 90 percent, would be random speculative attacks, banking attacks, things designed to capture passwords and other confidential information," he said.
"The 10 percent at the top of the pyramid would be targeted attacks, and that is gradually growing."
Emm added that it is also very difficult to insure businesses against cyber threats because of the hugely varying estimates of financial risk that a breach can cause.
"Quite often the first stage in an attack is tricking someone into clicking on a link or an attachment. The headlines are full of incidents that take place, Carphone Warehouse for example or the attack on Ashley Madison, and you do see various numbers bandied around," he said.
"These costs vary. You see different numbers from different places. How do you come up with figures for insurance purposes?"
Summing all this up Beecroft from Lloyds said it is clear no sector is safe from the threat of cyber attack and, while threats remain so hard to define, it will be tough for insurers to offer adequete protection - which is worrying for all concerned.
"One of the challenges we have is that every sector is exposed so there is no such thing as a sector of the economy that can avoid cyber risk," he said.
"Uncertainty in cover is not good for anyone. It's not good for clients and it's not good for insurers."
Russian Taiga smartphone promises snoop-proof communications - coming soon to employees of Russian state-owned firms
Eugene Kaspersky's ex outs smartphone that claims to prevent apps from spying on users
Deloitte accused of leaving its internal Active Directory server exposed to the internet with RDP open
Deloitte accused of lax systems administration and security practices over email hack
Lax systems administration practices blamed for exposing millions of sensitive client emails
The new processors support Intel's Optane memory acceleration technology