Helvetia: 2nd Cyber Symposium shows the importance of cooperation between business, government and science
27 August 2024
The federal government’s annual crime statistics show a 33 percent increase in cybercrime last year. This summer, the Federal Council published a report on cybercrime in Switzerland. The report once again emphasises the need to coordinate prevention and repression at both national and international level. Cooperation between the state, the economy and science is necessary in order to ensure the sustainable protection of the population and the economy against cybercrime.
Dr Martin Jara, CEO of Helvetia Insurance Switzerland, notes that progress has been made over the past year in the further development of cyber resilience. This includes the upgrading of the National Centre for Cyber Security to the current Federal Office for Cyber Security (BACS), as well as the expanded data basis in Switzerland, which was created last year by, among others, the insurance companies around the Swiss Insurance Association (SIA) and consultants from the broker industry. Nevertheless, experts still consider the human and technical resources to be insufficient to cope with the development of cybercrime.
The volume of cyber insurance doubles every two years, which emphasises the need for insurance products, especially for systemic cyberattacks. Nevertheless, there is a growing insurance gap. Last year, Helvetia worked with the SIA to draw up a calculation, which Moody’s RMS prepared. According to the estimates and projections, there is a one percent annual risk of a cyber event in Switzerland causing a total economic loss of 2.5 billion Swiss francs. Under current conditions, only 155 million of this would be insured, which represents 6 percent of the potential loss.
The repeatedly criticised gap in cover for major events is still there. One reason for this is that only 7 percent of companies in Switzerland have cyber insurance. Another is the constantly growing digitalisation of business processes. This dependency and vulnerability were highlighted a month ago by an IT outage at the US security company CrowdStrike, which was caused by an update to its software.
Deloitte Switzerland: People have a huge bias
Dr Klaus Julisch, Managing Partner for Risk Advisory at Deloitte Switzerland, has more than 20 years of experience in the field of cyber security and risk management. He talks about a huge problem that is getting worse, not better, and says that you shouldn’t trust your gut feeling when it comes to cyber security. It is misleading because people have a huge bias: something that has recently been presented visually is perceived as a big risk, while something you have never seen is perceived as a small one. If gut instinct is not to be believed, axioms and principles of action are needed on how to deal with the topic of cyber.
Three points can be summarised: In companies, a person must be defined who is responsible and makes decisions for cyber security at the top level. This is followed by cyber hygiene and building resilience, which are extremely important. Simplifying the IT landscape is very important because the more complex it is, the greater the attack surface that hackers can exploit. Regulations are less popular, but necessary in this case. Governments have the task of creating incentives that push everyone in the right direction.
Moody’s RMS: Maintenance and consolidation of databases
Laurent Marescot, a catastrophe risk management expert at Moody’s RMS, advises large companies in the insurance industry. He compares natural catastrophes and cyber risks, with cyber threats being more dynamic and geographically unbound, posing significant challenges for the insurance industry. Modelling these risks requires extensive data, which is often lacking for cyber threats.
The attacks to be identified range from those of lone hackers to state-sponsored attacks. It is crucial to model damage and data loss, where cyber hygiene plays a role. The key challenge lies in the availability of data to improve insurance modelling. Therefore, important steps such as maintaining and consolidating in-house databases are essential.
Microsoft: Increase in state-sponsored attacks
Dr Marc Holitscher has worked at Microsoft Switzerland for 20 years and has been National Technology Officer since 2015. Microsoft’s annual Digital Defence Report documents patterns and threat scenarios and shows that state-sponsored attacks have increased significantly, including broad-based disinformation campaigns. Cybercrime has become massively professionalised and industrialised.
Denial-of-service (DoS) attacks are available on the dark web for as little as 300 dollars, including a money-back guarantee. Ransomware kits cost only around 60 dollars, which makes it easier to enter this industry. In addition, Microsoft recently registered a DoS attack in which 3.5 terabytes were fired at a target every second. The use of AI is intended to facilitate and improve the analysis of large amounts of data. Microsoft welcomes the initiative of the Federal Department of Foreign Affairs (FDFA) together with the AI Centre at ETH Zurich to develop a ‘Gen AI Redteaming Network’ dedicated to the security problems of generative AI systems.
Helvetia: Developing and testing an emergency plan
Christoph Guntersweiler, Head of Technical Insurance at Helvetia, emphasises the need to take a phased approach to cyber resilience. First, companies should analyse their data and IT landscape, followed by the definition of organisational measures, which also include raising employee awareness. Technical measures such as a backup concept are also required.
An emergency plan must be drawn up and tested regularly. This topic is always current and requires continuous adjustments, especially with regard to dependencies that can arise with outsourcing solutions. Helvetia recommends providing basic awareness training from the first grade and emphasises the importance of training for managers. A free platform for SMEs that provides information on dealing with SaaS solutions and reducing dependencies is also desired.
The Geneva Association: Public-Private Partnerships (PPP)
Dr Kai-Uwe Schanz has worked at The Geneva Association for 17 years and has headed its research department since 2019. The association, which was founded in 1973, is regarded as a think tank for the global insurance industry. Its members include CEOs from the world’s largest insurance and reinsurance companies, including Mario Greco (Zurich) and Michèle Rodoni (Mobiliar).
Public-private partnerships (PPP) are co-operations between the state and the private sector that aim to make risks that are difficult to insure insurable. The cyber coverage gap is estimated at 900 billion dollars per year, while the insured loss is only 10 billion dollars, which is a significant societal problem. One of the main reasons for this gap is the lack of controllability and quantifiability of cyber loss accumulation. The spread of malware via supply chains has been modelled with an expected economic loss of 200 billion dollars, while the insured loss amounts to 27 billion dollars. In addition, attacks on critical infrastructures are valued with an economic loss of over 1 trillion dollars and an estimated insured loss of 70 billion dollars, which shows the limits of cyber insurance.
In order to make such risks more manageable, the private insurance industry must cooperate with government agencies. These partnerships should encourage the private sector to take on risks that are difficult to insure, supported by government backstops that provide loss guarantees for systemic cyber risks once certain thresholds are exceeded.
Federal Office for Cybersecurity (BACS): Cyber threat situation from the federal government’s perspective
Manuel Suter, Deputy Director of the BACS, emphasises the need to look at cyber threats from different perspectives. The population’s perception of threats, such as fraud or blackmail, differs greatly from the actual threat situation. The attacks by pro-Russian hacktivists, which most recently took place during the speech by Ukrainian President Volodymyr Zelensky in Switzerland, are particularly worrying. Cybercrime has also become more professionalised. In June, the BACS received 32,000 reports, compared to 50,000 last year.
The Federal Office for Cyber Security, which emerged from the National Cyber Security Centre (NCSC), has only been in existence since the beginning of the year and is to be increased from 13 to 67 employees. The budget amounts to CHF 15 million. The National Cyber Strategy (NCS) was developed for the third time together with the private sector, the cantons and the federal government. It comprises five fields of action, including the development of secure digital services and an effective fight against cybercrime.
According to Manuel Suter, cybersecurity also harbours opportunities, as the example of Israel with its many cybersecurity start-ups shows. Switzerland should also follow this path. A steering committee headed by Maja Bundt, Cyber Practice Leader at Swiss Re, which also includes representatives from the private sector, has been set up to implement the strategy. This committee is drawing up a roadmap and proposing additional measures and funding to the Federal Council.
Federal Office of Communications (OFCOM): AI as an opportunity for Switzerland
Bernard Maissen, Director of OFCOM since July 2020, sees himself as part of the cybersecurity system and welcomes the establishment of the BACS. OFCOM is responsible for media communication and telecommunications in Switzerland, both of which are severely challenged by cyber threats. While OFCOM and the Federal Office of Information Technology and Telecommunications (FOITT) are responsible for security, the SRG, as the largest media provider, must ensure that it is armed against cyber attacks. In the telecommunications sector, OFCOM ensures that providers have secure networks.
OFCOM is also responsible for AI. Federal Councillor Albert Rösti took part in the first international summit on the security of AI in the United Kingdom at the beginning of November 2023. OFCOM is working on regulations together with the FDFA and the Federal Office of Justice. Maissen sees AI as an opportunity for Switzerland to position itself successfully and have a positive influence on the industry.
Cyber Defence Campus: research, the state and the private sector
Dr Vincent Lenders heads the Cyber Defence Campus, which is affiliated to the Federal Office of Defence, armasuisse. With over 2 million new networked devices every month and the networking of new vehicles from next year, critical infrastructure is increasingly at risk. One example is the recent incident at CrowdStrike, in which over a million devices failed due to a configuration error.
Had a malicious cyberattack taken place, the damage would have been significant. The global growth of security vulnerabilities is documented by the Common Vulnerabilities and Exposures (CVE) list, with over 30,000 new vulnerabilities this year. Security updates are often difficult to implement, especially in certified critical infrastructures. Cooperation between the state, industry and science is therefore essential.
In this context, Federal Councillor Viola Amherd founded the Cyber Defence Campus, which links universities and companies. It focuses on AI, quantum and space technologies as well as new communication networks. One result is the open-access book ‘Large Language Models in Cybersecurity’, which was published in June 2024.
One example of successful research stems from the RUAG incident in 2016, in which malware remained undetected for two years and leaked sensitive data. This led to the founding of the spin-off Exeon Analytics, which uses AI for IT/OT security analyses. The Cyber Startup Challenge promotes innovative solutions such as ONEKEY, which automatically prioritises vulnerabilities.
At the DEF CON Hacking Conference, Dr Lenders learned from DARPA that the US government considers its critical infrastructures to be infiltrated and is increasingly relying on AI developments to automatically detect and fix software vulnerabilities – a strategy that will also be crucial for Switzerland in the future.
In today’s digital world, cyber security is a key concern for governments, companies and research organisations. The need for public-private partnerships (PPP) to manage the risks is therefore emphasised. Particularly affected is the area of cyber attacks that are difficult to insure, with annual coverage gaps of up to 900 billion dollars. The Cyber Defence Campus demonstrates the importance of cooperation between business, government and science as well as the use of innovative technologies such as artificial intelligence (AI) to identify vulnerabilities. Incidents such as the RUAG incident and initiatives such as the Cyber Startup Challenge emphasise the urgency of proactive action. Given the increasing complexity of cybercrime, Switzerland and other countries must continue to invest in their cybersecurity strategies in order to effectively combat existing and future threats.
BK