Apache Log4j vulnerability causes an uproar: who will protect network security?

Author: Beijing Business Daily

As digital information technology is applied ever more deeply across all walks of life, cybersecurity incidents have become frequent. Hacker attacks and leaks of data and information occur in an endless stream. Recently, the widely used component Apache Log4j was found to contain a high-risk vulnerability: an attacker needs only a piece of code to remotely control the victim's server. Most tech companies worldwide could be affected.

Global network security accidents occur frequently, and network security insurance, as an effective measure to disperse network security risks, is expected to play a big role in cyberspace governance. However, at present, network security insurance accounts for less than one-tenth of the scale of property insurance premiums, and the market still needs to be further tapped.

Cybersecurity incidents are constantly alarming, and insurance can build a defensive line

In the early morning of December 10, a high-risk vulnerability was disclosed in Apache Log4j, a component widely used around the world; an attacker needs only a piece of code to remotely control the victim's server.

A computer network security practitioner told the Beijing Business Daily reporter that the vulnerability can lead to many systems being directly invaded and controlled, and most technology companies around the world may be affected, such as Baidu, Apple and so on.

The above incident is just the tip of the iceberg of cybersecurity incidents. According to foreign media reports, in May the main U.S. fuel and gas pipeline operator Colonial Pipeline was hacked and had to pay a ransom of nearly $5 million to the hackers; in August, the Japanese cryptocurrency exchange Liquid was attacked, and $94 million worth of crypto assets were stolen. Cybersecurity Ventures forecasts that the global economic damage caused by cybercrime will reach $6 trillion in 2021, approaching 10% of the world economy.

Cyber security is a global issue. Some media outlets, citing a report released by Allianz Property & Casualty Insurance, have reported that the economic losses caused by cyber attacks in China are as high as 399.6 billion yuan every year.

As network security incidents intensify around the world, network security insurance, as an effective measure to prevent network security risks, is expected to play a big role in cyberspace governance.

Network security insurance is an insurance product that underwrites risks related to cyberspace. It covers first-party losses and third-party liability claims incurred by the insured as a result of privacy events or security incidents.

Cyber security insurance is not new. The White Paper on the Development of China's Cyber Security Insurance Industry (2021) (hereinafter referred to as the "White Paper") points out that there are currently more than 50 network security insurance products sold in the domestic market, offered by foreign insurance companies such as Zurich Property Insurance and Tokio Marine & Nichido Fire Insurance, as well as about 20 Chinese-funded insurance companies including PICC Property & Casualty, Ping An Property & Casualty, CPIC Property & Casualty, and China Life Property & Casualty.

What are the specific protection contents of cyber security insurance? Taking the "Comprehensive Cyber Security Insurance" jointly released by NSFOCUS Technology and Qianhai Property & Casualty Insurance as an example, it is understood that the product protection includes accident identification service fees, data recovery fees, computer ransom, data leakage liability, data leakage liability caused by outsourcers, data security liability, and legal service fees, a total of 7 items, covering most of the current network security risk points.

The scale of network security insurance is small, and the market demand has yet to be tapped

As cybersecurity risks continue to evolve, the future development market of cybersecurity insurance will be a blue ocean. Swiss Re predicts that by 2025, the scale of cybersecurity insurance premiums in China will reach 500 million yuan.

However, at present, network security insurance products are not "popular". The White Paper pointed out that China's network security insurance market has entered the initial exploration stage: the scale of premiums exceeded 70.8 million yuan and the maximum amount of insurance exceeded 400 million yuan, accounting for less than one-thousandth of the scale of property insurance premiums, and less than one-thousandth of the scale of the network security industry.

Yang Zeyun, a teacher in the Department of Finance at the School of Management of Beijing Union University, said that the current network security insurance market is relatively small, and insufficient demand is the main reason. On the one hand, most enterprises do not recognize the potential risks posed by cybersecurity; on the other hand, some do recognize the potential network risks but may face higher risk exposure, so the price they need to pay for adequate insurance protection is higher. In this case, they may take their chances and go uninsured, or limit the sum insured.

"Enterprises may also give up insurance because they are worried about network security insurance claims. Compared with general enterprise property loss insurance, many losses under network security insurance, such as data repair costs and information leakage liability, are difficult to clarify and determine, and claims will encounter more disputes, thus affecting insurance," Yang Zeyun said frankly.

In addition to insufficient market demand, network security insurance also faces the test of pricing and underwriting. Yu Baicheng, president of Zero One Research Institute, pointed out that network security issues are highly technical and full of variability, and a single hazard may be huge, but the value of lost data lacks evaluation standards, and it is difficult to price and underwrite network security risks in traditional ways.

Opportunities and challenges coexist, and "insurance + technology" works together to build a protective barrier

Although factors such as difficult pricing and insufficient market demand restrict the development of network security insurance, its market prospects are very broad. Zhou Yanli, former vice chairman of the Insurance Regulatory Commission, once said that cyber security insurance is the security cornerstone of digital transformation and an important tool for risk management. To some extent, network security risks cannot be defeated, so the economic losses caused by such risks should be transferred through insurance.

Yu Baicheng also believes that under the digital economy, data has become the core production factor, and in the future, network data will become one of the most important assets, and the market will continue to increase. Similarly, the market space for cybersecurity insurance is broad.

"The Cybersecurity Law, the Data Security Law and the Personal Information Protection Law introduced in recent years have strengthened enterprises' awareness of network security and laid a legal foundation for relevant markets." Yu Baicheng added.

How should insurance companies clear away "stumbling blocks" such as pricing difficulties in the future?

In fact, the industry has already explored ways to solve the problems of pricing and underwriting. Insurance companies including ZhongAn Insurance, Qianhai Property Insurance and China Life Property Insurance have taken an "insurance + technology" approach, collaboratively developing product models and risk control systems for network security insurance and related lines, in order to enhance their pricing power and underwriting capabilities for network security insurance.

Yu Baicheng pointed out that insurance companies have increased investment in science and technology, set up technology subsidiaries or cooperated in depth with technology companies, which has improved the technical guarantee for the network security insurance business.

As for increasing demand in the network security insurance market, Yang Zeyun pointed out that the overall size of the market is still small, and in particular the amount of protection is still far from the potential risks faced. Judging by how other lines of insurance have developed, the expansion of the network security insurance market depends on the push from some larger network security accidents.

Beijing Business Daily reporter Chen Tingting, intern reporter Li Xiumei