Dealing with an evolving threat

Mention the words ‘hacker’ or ‘cyber crime’ to most people and the chances are that they’ll think of a stereotypical scene from a film. Cyber crime is evolving and changing—but are people keeping pace with that change?

According to UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk, a March 2015 report issued by the UK’s cabinet office in conjunction with Lloyd’s, cyber threats are estimated to cost the UK economy billions of pounds each year, with the cost of cyber attacks nearly doubling between 2013 and 2014.

The report found that, while larger firms have taken some action to make themselves more cyber-secure, they face an escalating threat as they become more reliant on online distribution channels and as attackers grow more sophisticated. It issues a call to arms for insurers and insurance brokers to simplify and raise awareness of their cyber insurance offering and ensure that firms understand the extent of their coverage against cyber attack.

According to the report, companies are recommended to stop viewing cyber largely as an IT issue and focus on it as a key commercial risk affecting all parts of its operations. The product of collaboration between government and the sector following a summit held in November 2014, the report recommends that firms examine the different forms of cyber attacks they face, stress-test themselves against them and put in place business-wide recovery plans.

The report also noted a significant gap in awareness around the use of insurance, with around half of firms interviewed being unaware that insurance was available for cyber risk. Other surveys suggest that despite the growing concern among UK companies about the threat of cyber attacks, less than 10 percent of UK companies have cyber insurance protection even though 52 percent of CEOs believe that their companies have some form of coverage in place.

David Umbers, chief executive officer at Ascent Underwriting, explains that the world of cyber insurance was being driven by different factors.

“Around 85 percent of what we underwrite is cyber risk business, out of around $30 million in premiums in 2015,” he says. “Most of that was US business, because that seems to be where the market has matured to the greatest degree.

“Part of the reason for that is the regulatory environment—there are a number of regulations in the US which stipulate that companies that have breaches of personal identifiable information have to do certain things to figure out where the breach came from and to offer credit and identity theft monitoring, depending on how big the breach was and how it affected individuals.

Evolution in the marketplace

Umbers adds that the pace of change is such that it can be tough to keep up—but it is not impossible for underwriters willing to change and able to be nimble.

“It’s an evolving marketplace—regulations are moving forwards and sideways, as is the nature of the risk,” he says.

“To give you an idea we have updated our particular policy forms something like a dozen times over the last three years. It’s not that we’re getting it wrong, it’s just that there are different risks that need to be addressed, risks that are becoming more and more evident depending on the nature of some of our insureds.”

In May 2015 Lloyd’s issued Business Blackout: The insurance implications of a cyber attack on the US power grid, which brought up the issue of whether insurers properly realised the ramifications of new technology being misused to damage infrastructure. It highlighted a very real issue—that hackers are evolving outside the areas they had previously been associated with, such as identity theft or bank fraud.

Intelligent Insurer asked Charles Cowan, counsel at legal firm Drinker Biddle & Reath (UK), if he thought that the insurance industry properly understood the potential risks as technology infiltrates more areas of our everyday life.

“The answer is twofold,” Cowan says. “One, those who write specialised cyber cover are increasingly well informed—they’re doing their best to stay abreast of new developments in technology and in exposure, but that’s not the only place where cyber exposure potentially exists, so you’ve got a spectrum.

“You’ve got those who are highly specialised and very focused on underwriting and broking that risk and they have a fairly sophisticated understanding of technology and the needs of the customers.

“Also lurking out there is the potential for coverage in more traditional settings, such as property and general liability, where underwriters and brokers in these more traditional lines might not understand the exposure as well.

“That’s why there’s been a lot of talk over the past couple of years in Lloyd’s and other circles with respect to better understanding how non-specialised insurance, non-cyber specialised insurance, is exposed, and helping people who are writing those lines, who are broking those lines, buying that kind of insurance, to understand what is covered and what isn’t.”

Cowan agrees that the growth in the number of household goods that can be connected to the internet has made life somewhat difficult.

“Just look at your average household,” he says. “We’re increasingly seeing telecommuting, people working from their homes, and they may not be carrying cyber liability for the business that they’re conducting.

“In addition they’re probably using mobile devices, with electronic log-ins, to the central companies that they work for, and the environment in which they’re working at home can involve any number of devices that are ‘hot’, that are connected to the internet, and that will be increasing over time.

“Those vulnerabilities can, in ways that we might not yet be able to imagine, expose not only them, but through them their companies, to risks that aren’t expected.

“We’re at an interesting crossroads, because at the same time that telecommuting and distance working is becoming a more popular option, from the technological perspective it’s increasing the possibility of vulnerabilities, because home workplaces are not as secure. Add in the ‘internet of things’ and the additional exposures that adds and it’s very difficult to quantify.

“One of the chief difficulties for the insurance industry is technical know-how, and I’ve been saying for some time now that the industry needs to get the appropriate talent. A lot of cyber underwriters these days are fairly young people who are technically adept, but they aren’t the kind of people who are experts with respect to emerging risks who can respond to hacking threats that the industry probably needs.

“Developing scholarships for computer technology programmes and those sorts of things to attract people from the technical world into insurance would be very helpful,” he adds.

The pace of change

The challenges of adapting to the changes posed by cyber attacks are also complicated by the speed at which the risk is evolving.

“Cyber has some specific issues that make it trickier and more difficult for people to get their head around,” says Morley Speed, managing director, Guy Carpenter.

“There’s obviously a technological dimension. It’s become a cliché that every article you see on cyber is talking about technological advances—but the issue is that even if you knew everything you needed to know, you’d have to learn it all again in 12 months’ time.