Beware of data integrity key and rogue software when tackling cyber risk

In addressing cyber risk it is important to understand the difference between encryption and data integrity, David Piesse chief risk officer, Guardtime, said in a panel discussion at the EAIC conference.

“Many executives believe that because their data is encrypted, they are secure,” he said. “They also believe that their IT department has control of that, when in fact this is not the case.”

He explained that the issue of data provenance can be overlooked.

“How do you know an individual piece of data – its origin, lifecycle, who has accessed it in its lifecycle, and whether it has been tampered with? You cannot do that with encryption on its own, so we need to look at the data provenance.”

He gave as an example the network of delivery vehicles in New York, which have telematics devices in them feeding put data into a big data store - a health and safety data exchange which is sold to insurers.

“If those telematics devices have data integrity in them at the point of origin of the data, the insurance companies will have warranty of that provenance right from the point where they buy that data to write their policies on.”

The internet of things generates similar useful information for factories and power stations – but, he said, you have to be able to be sure that no rogue software has got into them.

Discussing the potential of the capital markets entering this field, he highlighted a further problem around data.

“I see a potential threat from the capital markets because you don’t need too many data points to start up a cat model or a benchmark. There is no cyber index, there are some data points out there, and people do want to create ILS products from cyber.

“That could need to a large investment of non-correlated portfolio funds into a cyber index. The big problem we have at the moment is that it’s difficult to tell the difference between a cyber-attack and change management carried out by IT on a Saturday morning – and that potentially could trigger a claim on an ILS.

“Once that is sorted out maybe the ILS market will enter. Hopefully the insurance industry will really start to get to grips with in the next couple of years.”