No longer just an emerging risk, cyber risk is now a prominent threat. This year alone we’ve seen some of the biggest ransomware attacks in history, impacting hundreds of countries and thousands of businesses.
Cyber-crime is predicted to exceed $6 trillion annually by 2021, according to research firm Cybersecurity Ventures. Those extrapolated costs include damage and destruction of data, theft of data and money, business disruption, forensic investigation, system restoration and reputational harm.
Do rising costs and number of attacks result in action?
The recent attacks generated significant noise about cyber risk, but time will tell if businesses and individuals will invest more time, effort and money in cyber security and an insurance safety net as a consequence.
They have in fact already caused a bit of a surge in uptake of cyber insurance. “Absolutely,” says Emily Winwood, Commercial Manager for DUAL. “As soon as the recent attacks happened, we had a significant number of brokers contact us to obtain quotes and try to better understand how cyber insurance could protect their clients.”
Nick Daffy, Senior Account Manager at PNO Insurance, notes that client attitudes towards cyber insurance seem to be shifting: “Three to four years ago, brokers were initiating the cyber discussion. However, more recently clients are starting to proactively engage in the discussion – no doubt as a result of highly publicised cyber-attacks in all media forms.”
Daffy points to the rise in SME businesses as a target for cyber-related crime.
Don’t feed the phish
“With smaller businesses, their risk management, continuity/incident plans and security levels can be less complex, leaving them exposed to the likes of ransomware and extortion. There are plenty of examples relevant to clients’ different sizes and industries. If brokers aren’t already having the conversation with clients of all sizes, I would question why.”
Winwood adds: “In the SME market, brokers and clients have become, and continue to become, more aware of the significant uninsured exposures they have in relation to cyber.
“The global cyber-attacks have certainly heightened this, but many SMEs themselves have experienced some type of cyber incident, or know of someone who has experienced a cyber incident.”
Claims trends are changing, too, she notes. “There has been a lot of ransomware and malware recently.”
No silver cyber bullet
Pulitzer-winning journalist and cyber security expert Byron V. Acohido gets back to basics on the Insurance Thought Leadership website: “It’s critical to keep in mind that effective mitigation of ransomware (and similar) attacks is accomplished with good governance and risk management, not with the acquisition of expensive security solutions.”
Knowing the risk is one thing – dealing with it effectively demands the support of the most senior management and board, requires whole-organisation commitment from the top down.
Michael Parrant, Cyber Insurance Practice Leader at Aon, explains, “Knowing the risk is one thing – dealing with it effectively demands the support of the most senior management and board, requires whole-organisation commitment from the top down.”
Daffy adds, “Insurance is only one solution. Risk management procedures and practices, business continuity plans, incident response plans and software selection all work complementarily with insurance and may provide greater value when it comes to pricing the insurance. Insurers don’t want to be (and shouldn’t be) the only form of risk management.”
Changing legislative landscape
Tim Powell, Regional Manager, Asia Pacific, International Financial Lines at XL Catlin, believes that with events like the WannaCry malware, combined with the recent adoption of the mandatory notification legislation by the Australian Commonwealth Government, the Australian cyber risk landscape is set to undergo a transformation.
“Insureds are going to face increasing exposures from the cyber realm, and their brokers are going to have to be able to recommend insurance products that address these exposures and the subsequent losses that some of their insureds might incur,” he says.
Organisations are becoming more and more reliant on inter-connected computer systems and the internet to conduct their day-to-day business, resulting in continuously increasing cyber exposure.
Powell says, “The average business is struggling to keep up with the pace of change in the cyber-security environment, which may leave them vulnerable.”
Parrant adds that given the rapid advancement of technology, and the ever-changing threat landscape, the industry should evolve at an equal pace; however, in reality, this is virtually impossible.
“With the guidance of brokers, insurers should now use broad language around policy triggers and definitions to capture the essence of the threat, as opposed to being overly specific to the individual threat,” he says.
In the SME market, brokers and clients have become… more aware of the significant uninsured exposures they have in relation to cyber… Many SMEs themselves have experienced some type of cyber incident, or know of someone who has experienced a cyber incident.
A good example of this is affirmative broad language around ‘phishing’ attacks, as opposed to specifically listing different types of phishing attacks, such as spear phishing and whaling, and then failing to mention others such as vishing, SMiShing and pharming (see box).
Parrant believes that failing to use broad language can result in uninsured exposures for newly identified threats, or threats which have not been specifically listed.
Powell on the other hand says, “While the methods used by criminally intended organisations against Australian businesses are becoming more and more creative, the wordings offered by the market seem to be sufficiently broad to respond to notifications made so far.”
He considers that the real challenge for underwriters is in identifying a good risk from a bad risk.
Perhaps the real challenge for all of us is to avoid a painful hindsight lesson and ensure the cyber message has truly hit home, for both our clients’ businesses as well as our own.
This article was written by Melissa Montang, with additional quotes provided by Tanaya Das.
TOP 5 STRATEGIES FOR BROKERS TO ADDRESS CYBER RISK WITH CLIENTS
By Samuel Rogers, Account Manager, Jardine Lloyd Thompson
Brokers can use several strategies to progress discussions with clients on cyber insurance. Perhaps the most important tactic is to focus on the risk first and the insurance solution second. Many clients are reluctant to spend money on a new insurance product, but once they have a full understanding of their exposure to cyber risk, they’re more likely to be open to the conversation when the prospect of insuring that risk is raised.
1. Educate yourself about the risk
It’s important for brokers to be aware of new trends and exposures when it comes to cyber risk to spur the discussion with their clients. New threat reports from the news and organisations such as the Ponemon Institute, Symantec and Mandiant provide excellent statistics and commentary on the kind of cyber threats and losses being seen around the world, and can assist brokers in gaining an increased understanding of their clients’ concerns.
2. Understand the insurance and the market
When it comes to insurance, many brokers may still have a limited understanding of the coverage that can be provided under a cyber insurance form, or only have knowledge of a select few policy forms from specific insurers. Cyber is a continually changing insurance market, with new insurers entering the market and new policy offerings with cutting edge cover being released on a regular basis, especially in the London market.
It’s critical for brokers to keep on top of developments to be able to speak confidently about the benefits of cyber insurance to their clients. If you’re unable to explain the risk and cover to your client, then why would they invest in a new product?
3. Shift the focus
Too many clients believe that if they don’t hold credit card information or have a substantial online presence then they really have no exposure to cyber risk.
It’s the broker’s challenge then to get their client to think about the other kinds of loss they could suffer following a cyber incident – how would they respond if their IT systems were taken offline for a substantial time, and what would be the additional cost to get back up and running? What could the consequential business income loss look like? What would they do if one of their key service providers was taken offline due to an error or a hacking incident?
Clients need to understand that cyber insurance now extends well beyond data breach caused by a malicious hacker and third party claims to include internal costs and business interruption loss caused by a malicious employee, human error and loss resulting from an outage affecting an IT service provider. Some specialised policies will even include blanket cover for any unanticipated system outage. Perhaps the greatest benefit of cyber insurance however is that the incident response costs – the immediate impact on cash flow resulting from an incident – can be covered, and that a cyber policy will also provide a client with a team of service providers to assist them in the immediate aftermath of an incident.
4. Focus on the unknown and use the news
Many clients will immediately refer discussions around cyber insurance directly to their IT department who will tell them that they don’t need to worry, and that they have everything covered. This is an understandable response – that’s their job after all. What clients need to understand, though, is that cyber insurance is there to respond in the event of a situation that the client and their IT department haven’t anticipated, and where for whatever reason, the controls they’ve put in place have failed, a situation which becomes increasingly likely as cyber threats continue to evolve in sophistication and increase in numbers and complexity.
Events such as the recent WannaCry ransomware incident, the British Airways system outage and the failure of the census website last year are all great jumping off points for discussions, and the consequential effects on the business if a similar incident were to occur.
5. Scenario testing
Once a client understands what coverage can be provided, scenario testing and tabletop risk assessment exercises can be very useful tools for clients and brokers in getting an understanding of a client’s reliance on their various IT systems, how those systems fit together and what the potential financial impact could be if a serious outage or breach were to affect them.
By getting all the relevant stakeholders within the client’s organisation to the table, including IT, communications, finance and legal, and working through potential scenarios involving a system outage or data breach, it’s possible to identify particular weak spots in an organisation’s IT architecture (especially where there is a reliance on third party providers), put the potential loss resulting from those scenarios in monetary terms, and then map those losses to potential insurance solutions. This gives the client a greater understanding of their own risk, as well as assisting the broker to determine which insurance solution, limit of indemnity and policy structure is best for that client.