A senior member of the Cyber Monitoring Center (CMC), an organization formed last year to monitor, define and classify cyber events impacting UK organizations, this week questioned whether a ÂŁ1.5 billion (about $2 billion) government loan guarantee provided to Jaguar Land Rover (JLR) should have happened in the first place.
Speaking at an event hosted by the Royal United Services Institute (RUSI) that reviewed the CMCâs activities in its first year of operation, Ciaran Martin, chair of the CMCâs cyber monitoring technical committee, discussed the loan guarantee announced last year following an attack that has been described as one of the UKâs worst cyber incidents.
âI must stress that Iâm speaking personally now. I think the loan guarantee is an unfortunate precedent because the government intervened in a case-specific way, in response to a set of events, without the clear criteria of what form such intervention could take,â said Martin during a panel discussion with CMC executives and Tracey Paul, chief strategy and communications officer at Pool Re, a UK terrorism reinsurer.
Martin, who is also a RUSI Distinguished Fellow, said, âthere clearly are a set of plausible, realistic, bad scenarios where most reasonable citizens would expect some form of government activity. But it would be better to have a framework, whether thatâs compulsory insurance, incentivizing insurance with tax breaks, whether itâs a set of principles as to what would trigger state intervention. And in what form? Loan guarantees? Something else?â
To complicate things, Paul noted that today there is a cyber insurance protection gap. âI donât know how we are going to bridge this gap between the potential economics loss and the insured loss without some partnership between government and the insurance industry and other parts of the cyber ecosystem,â she said. The industry has a prefunded model, and a contract with the government under which, if the insurer runs out of money, the government will step in and loan the money to pay the losses.
âBut that is one way of doing it and I think they would like the flexibility to do it in another way,â she observed. âBut what I do think is you cannot have a transfer of risk between the public sector and the private sector unless you have some kind of structure around it, and at some point the government are going to have to come to the table on what that looks like in order to make that happen.â
Event impact can âripple across an entire economyâ
Analysts share Martinâs concerns.
Erik Avakian, technical counselor at Info-Tech Research Group, said on Friday that he âhas been predicting for years now that attackers would start to move on from pure small disruption types of attacks (think DDoS) to catastrophic disruption and destruction of a companyâs operations.â
The incident at JLR, he said, âreally speaks to impacting the overall resilience of a companyâs business operations. And once that happens, the impacts can go well beyond just a quarterly earnings miss.â
Avakian added, âwhat weâve seen with the Jaguar Land Rover attack is certainly exemplary of that, and has shown that a cyber incident can shut down real-world operations in a way where the impacts can ripple across an entire economy, not just IT systems; where a cyberattack can directly impact a nationâs GDP, employment, and wreak havoc on national exports.â
He agreed with Martinâs sentiments, explaining, âin my opinion, the government stepping in like this with a loan guarantee is creating and sending a signal that some companies could now be considered too important to fail due to cyber risk. That can create a dangerous precedent because large, critical organizations could become primary targets for cyber criminals if they know that a successful attack could cause such massive consequences.â
It could also lead to new risks, said Avakian, âwhere companies may potentially underinvest in their security if they believe thereâs an implicit safety net that will be there for them. Cyber resilience is more important than ever and should be central to how organizations think about security and risk management; not just how to prevent a breach, but how to keep business operations running in the face of cyberattacks.â
David Shipley, CEO of Beauceron Security, added, âa monster has been created by using insurance to cheat our way out of hanging the risk in near-term more expensive, but long-term more effective ways.â
Why, he asked, should organizations âinvest all the work in multifactor authentication when you can just buy insurance? The problem now is the cybercrime monster that insurance fed is now Godzilla sized, and we canât insure all of the damage. Great job.â
Government bailouts of industry, said Shipley, âis just the next, bad leap in the same flawed decision. If insurance was the crack cocaine of cyber risk mismanagement, government bailouts are the corporate fentanyl. Maybe the smart answer is, we have to account for the real cost of proper security in our goods and services, and invest in ways that donât put money in the hands of criminals.â
This article originally appeared on CIO.com.
