AIG, Geneva Association, IFTRIP and more highlight the sensitive subject of cyber incidents attribut

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

Read more: Cyberattacks by nation states evolving to become more aggressive

Christian Wells, special counsel, Pool Re and secretariat, IFTRIP, highlighted that, while government involvement undoubtedly helps with attribution in the sense of providing an answer, it doesn’t necessarily provide a wholly accurate answer, even where there is an agreed process. A lot of national pools around the world don’t actually have formal processes, he said, they merely have contact with their governments.

“In the case of Pool Re,” he said, “we have a formal process for the certification of an event but it’s a bit like a black box – we submit a request for certification to the government who will then issue a certification that something is or isn’t, in the case of Pool Re, an act of terrorism. So, there may be a number of factors at play on whether a government certifies something as terrorism or as hostile cyber activity or otherwise. It’s an easier approach, not necessarily a failsafe one.”

Offering his perspective, Chuck Jainchill, cyber product development leader at AIG noted that the best-case scenario is having some form of governmental or international way of certifying or determining attribution. But, as with all things relating to insurance policies, he said, attribution may have to be determined legally in court. And the standard in the US, and most places, for civil litigation hinges on factors such as a preponderance of the evidence.

Even though a state may not be willing to take the position that an adversary or a friend was the perpetrator of an event, he said, the court has the standard of expert testimony and a variety of sources. Public-private partnerships and government buy-in is the ideal – but in the absence of that, the insurance industry must establish how to determine where these events fall on the spectrum.

Offering a non-insurance view Kaja Ciglic, senior director for digital diplomacy at Microsoft, who has previously been involved with governments on this subject, stated that public attribution tends to be a political process. When governments call out other governments for malicious…