Dealing with an evolving threat


Cyber crime is an increasing fact of life in a world that’s rapidly filling up with electronic devices. Are insurers keeping pace with what might go wrong or are they falling behind? Intelligent Insurer reports.

Mention the words ‘hacker’ or ‘cyber crime’ to most people and the chances are that they’ll think of a stereotypical scene from a film. Cyber crime is evolving and changing—but are people keeping pace with that change?

According to UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk, a March 2015 report issued by the UK’s cabinet office in conjunction with Lloyd’s, cyber threats are estimated to cost the UK economy billions of pounds each year, with the cost of cyber attacks nearly doubling between 2013 and 2014.

The report found that, while larger firms have taken some action to make themselves more cyber-secure, they face an escalating threat as they become more reliant on online distribution channels and as attackers grow more sophisticated. It issues a call to arms for insurers and insurance brokers to simplify and raise awareness of their cyber insurance offering and ensure that firms understand the extent of their coverage against cyber attack.

The report recommends that companies stop viewing cyber largely as an IT issue and focus on it as a key commercial risk affecting all parts of their operations. The product of collaboration between government and the sector following a summit held in November 2014, the report recommends that firms examine the different forms of cyber attacks they face, stress-test themselves against them and put in place business-wide recovery plans.

The report also noted a significant gap in awareness around the use of insurance, with around half of firms interviewed being unaware that insurance was available for cyber risk. Other surveys suggest that despite the growing concern among UK companies about the threat of cyber attacks, less than 10 percent of UK companies have cyber insurance protection even though 52 percent of CEOs believe that their companies have some form of coverage in place.

David Umbers, chief executive officer at Ascent Underwriting, explains that the world of cyber insurance is being driven by different factors.

“Around 85 percent of what we underwrite is cyber risk business, out of around $30 million in premiums in 2015,” he says. “Most of that was US business, because that seems to be where the market has matured to the greatest degree.

“Part of the reason for that is the regulatory environment—there are a number of regulations in the US which stipulate that companies that have breaches of personal identifiable information have to do certain things to figure out where the breach came from and to offer credit and identity theft monitoring, depending on how big the breach was and how it affected individuals.”


Evolution in the marketplace

Umbers adds that the pace of change is such that it can be tough to keep up—but it is not impossible for underwriters willing to change and able to be nimble.

“It’s an evolving marketplace—regulations are moving forwards and sideways, as is the nature of the risk,” he says.

“To give you an idea we have updated our particular policy forms something like a dozen times over the last three years. It’s not that we’re getting it wrong, it’s just that there are different risks that need to be addressed, risks that are becoming more and more evident depending on the nature of some of our insureds.”

In May 2015 Lloyd’s issued Business Blackout: The insurance implications of a cyber attack on the US power grid, which brought up the issue of whether insurers properly realised the ramifications of new technology being misused to damage infrastructure. It highlighted a very real issue—that hackers are evolving outside the areas they had previously been associated with, such as identity theft or bank fraud.

Intelligent Insurer asked Charles Cowan, counsel at legal firm Drinker Biddle & Reath (UK), if he thought that the insurance industry properly understood the potential risks as technology infiltrates more areas of our everyday life.

“The answer is twofold,” Cowan says. “One, those who write specialised cyber cover are increasingly well informed—they’re doing their best to stay abreast of new developments in technology and in exposure, but that’s not the only place where cyber exposure potentially exists, so you’ve got a spectrum.

“You’ve got those who are highly specialised and very focused on underwriting and broking that risk and they have a fairly sophisticated understanding of technology and the needs of the customers.

“Also lurking out there is the potential for coverage in more traditional settings, such as property and general liability, where underwriters and brokers in these more traditional lines might not understand the exposure as well.

“That’s why there’s been a lot of talk over the past couple of years in Lloyd’s and other circles with respect to better understanding how non-specialised insurance, non-cyber specialised insurance, is exposed, and helping people who are writing those lines, who are broking those lines, buying that kind of insurance, to understand what is covered and what isn’t.”

Cowan agrees that the growth in the number of household goods that can be connected to the internet has made life somewhat difficult.

“Just look at your average household,” he says. “We’re increasingly seeing telecommuting, people working from their homes, and they may not be carrying cyber liability for the business that they’re conducting.

“In addition they’re probably using mobile devices, with electronic log-ins, to the central companies that they work for, and the environment in which they’re working at home can involve any number of devices that are ‘hot’, that are connected to the internet, and that will be increasing over time.

“Those vulnerabilities can, in ways that we might not yet be able to imagine, expose not only them, but through them their companies, to risks that aren’t expected.

“We’re at an interesting crossroads, because at the same time that telecommuting and distance working is becoming a more popular option, from the technological perspective it’s increasing the possibility of vulnerabilities, because home workplaces are not as secure. Add in the ‘internet of things’ and the additional exposures that adds and it’s very difficult to quantify.

“One of the chief difficulties for the insurance industry is technical know-how, and I’ve been saying for some time now that the industry needs to get the appropriate talent. A lot of cyber underwriters these days are fairly young people who are technically adept, but they aren’t the kind of people who are experts with respect to emerging risks who can respond to hacking threats that the industry probably needs.

“Developing scholarships for computer technology programmes and those sorts of things to attract people from the technical world into insurance would be very helpful,” he adds.


The pace of change

The challenges of adapting to the changes posed by cyber attacks are also complicated by the speed at which the risk is evolving.

“Cyber has some specific issues that make it trickier and more difficult for people to get their head around,” says Morley Speed, managing director, Guy Carpenter.

“There’s obviously a technological dimension. It’s become a cliché that every article you see on cyber is talking about technological advances—but the issue is that even if you knew everything you needed to know, you’d have to learn it all again in 12 months’ time.

“The other issue is that cyber is embedded in all our industrial business and social activities—it’s nothing less than another industrial revolution. Because it’s embedded in so many of our activities it’s very difficult for people to understand what the true implications are.

“Accompanying that you have globalisation—you have supply chains, whether they’re real world supply chains or cyber supply chains, so the interdependencies of businesses with one another are incredibly complex. I’ve spoken to a number of experts in this field and it really is mind-boggling trying to understand what the common interdependencies are, should certain core providers fail.”

Speed adds that on top of that there is also a changing legal framework, with European legislation on data breaches likely to be introduced in 2017. As a result the market is facing a series of changes—technological, social, legal, economic—that are all happening at the same time as the cyber risk grows.

“Another complication with cyber is that while a lot of insurance is about trying to predict the throw of the dice, cyber is more like a game of chess, because you are actually confronting people who are active players, they’re adversaries and they’re learning to play the game better and better all the time,” Speed points out.

“The actors in cyber attacks may be terrorists, government-sponsored agents or simple criminals. That makes it very difficult for people to keep abreast of the latest developments in cyber.”


The chicken and the egg

The insurance industry is adjusting and finding solutions, but it is hard to move as quickly as the risk is changing.

“Insurance finds its way around new problems, perhaps not as fast as people might like,” says Speed. “There is a fundamental problem that probably, in the UK, for cover for UK-based businesses, insurance income from pure cyber cover is probably less than £50 million ($71.5 million). How much training and expertise can people afford on that base of income?

“So you have a kind of chicken and egg situation—it’s only when you start to get more volumes of income that you’ll get a situation where a company can invest time in having a cyber survey bureau, full training for underwriters and so on.

“You’ve got a new class of business where people are learning as they go along. It hasn’t yet reached the critical size where the size of business is likely to cause that business to fail—but I think we’re going to reach that point fairly soon in some areas, where businesses will not be able to write cyber because they can’t clearly articulate the impact of a bad event on that business.”

As events occur, what do insurers also need to bear in mind?

“A lot of insurers see cyber insurance as a major opportunity for growth but are quite reluctant to write huge limits and increase their exposure in case they have a large-scale ‘cyber catastrophe’,” says Andrew Coburn, senior vice president of Risk Management Solutions (RMS).

“The primary market’s need is a structured way to quantify accumulation management—in a bad year what could an insurer with a portfolio of cyber insurance pay out in claims?”


Organise the data

According to Coburn, to manage accumulations insurers need to have well-structured exposure data. In the London Market, Lloyd’s has requested its management agents to report their cyber exposure in a consistent way, and will be using the RMS exposure data schema as a standardised approach to identifying, quantifying and reporting cyber insurance exposure.

“About a year ago RMS gathered a development consortium of eight insurance companies that were interested in creating a framework for tackling this problem,” Coburn says.

“We began by developing an accumulation management suite that we’ll be releasing in February. The first part of the suite is a structure for organising your exposure data by tagging individual accounts with information so that, in your exposure management system, you can assess your accumulation risk by groupings that are likely to be of interest to senior management.

“What you’re trying to assess is ‘cyber catastrophe’ potential—if you have 10,000 companies in your cyber insurance portfolio, what might cause large numbers of them to have a massive cyber claim all at the same time? The first thing you’re interested in is what kind of coverages are you offering to those insured—and every product on the market at the moment has a mix of coverages—and second, what are the attributes of the company.

“One of the things that stands out when you look at cyber losses is that company size is very important. Large companies are targeted much more by cyber criminals and data exfiltration (the theft of data) happens much more frequently and severely in Fortune 1000 companies than it does in small and medium sized companies.”

Coburn adds that RMS has compiled data on all the recent cyber attacks and potential attacks in the future, to help companies run management scenarios, or war games, which could then be used to bring home to companies just how vulnerable they can be to attack—as well as to inform insurers about the potential size of their exposures.
