
Promote cyber ‘insurability’ with common global conventions: report

A new report by The Geneva Association has created checklists for insurers it says will help with the complex task of cyber “attribution”, or identifying the responsible actor.

Comparability of approaches across jurisdictions will be critical for industry-wide assessment of accumulation risk and, ultimately, for the insurability of cyber risk, the Mapping a Path to Cyber Attribution Consensus report says.

Attribution is a key factor in determining whether insurance will ultimately cover related losses, yet international consensus on cyber attribution is currently lacking.

“The insurance community would benefit from a recognised system for attributing cyber events, enabling the holistic assessment of potential industry exposures – and promoting insurability,” it says.

Improved comparability across jurisdictions would boost industry-wide assessment of accumulation risk and “facilitate the insurability of cyber risk”.

Attribution is an inherently difficult process, requiring differentiation between three types of actors: the cybercriminal, the cyber terrorist and the state actor.

Insurance policies covering cyberattacks typically exclude war risk, and collaboration is recommended between insurance, technology, government and others.

“This would set the stage for developing an international norm to promote a consistent and streamlined approach for attribution,” the report says.

The paper, the second in a series on cyber, provides insurers with a framework and emphasises a need for international collaboration to promote a common method and conventions that could help streamline the process.

“There are many inconsistencies in the processes carried out by governments, their agencies and private organisations,” it says.

“This report has provided a framework for simplifying the process of attribution and characterisation.

“It might be possible to look at a potential harmonisation between best practices in the procedure and questions asked during the attribution process.”

A third report in the series will explore how a catastrophic cyber event might require government intervention with backstops or pools.

“There are questions around the ability of the private insurance industry to absorb the losses from a catastrophic cyber event that is not bound by geography or industry. More fundamentally, one can also ask why the private insurance industry should pick up the bill for nation-state induced attacks at all,” the Association says.