The New Reality That Cyber Risk Brings

The growing value of the cyber insurance market demonstrates that dependence on technology is becoming ever more complex. In fact, we are now well into the 4th industrial revolution, where manufacturing as the engine of industrial productivity is tech-driven. The impact of this can be seen in CNA Hardy's latest Risk and Confidence report, where 49% of businesses predicted that cyber would become their major corporate risk by March 2019.

While no enlightened business executive would argue that this, as with previous industrial revolutions, has not delivered huge rewards, the growing popularity of cyber insurance shows that companies are beginning to recognize that their dependence on technology can be both a strength and a weakness.

On the plus side, technology does everything businesses could ask for: enabling more efficient operations, improving customer engagement – even delivering step changes in performance. Its impact can be seen in corporate investment, where the pendulum has shifted away from investing in people towards technology – in our last Risk & Confidence research - 70% of business leaders said they were prioritising investment in technology, against 24% who were planning on cutting back investment in staff. However, if complex tech-led systems are disabled by ransomware or hacking, then the activity of a company can be heavily impacted, both financially and operationally; as we saw with attacks last year on the Marriott chain.  Cyber losses are also not just the domain of big businesses and SMEs, in particular, need to consider how they can improve their cyber risk management.

Accepting this as a reality, both businesses and insurers need to adapt their risk management to cope with the new realities of technologically-led, interconnected risk.

Adapting to the new reality
What is the new reality that cyber risk brings, and what should the insurance industry do differently? Key to cyber underwriting success is a clear understanding of the risks we are underwriting. To really understand the true scope and scale of cyber risk, will require changes in underwriting practice across the market.

Wordings need to be more clearly understood by brokers and clients. Insurers need to do more to help brokers understand (and communicate) their wordings – like any new and complex class of insurance, an education programme is required.

We also need to understand the risk we are underwriting, but with increasing capacity driving competition, cheaper pricing and broader wordings, some insurers are failing to base their underwriting decisions on the appropriate underwriting information. Adding on additional coverages without having a strategic overview of the total exposure is a risky game, and one that underwriters play at their own risk.

Aggregated risk
Aggregated risk across cyber portfolios is another significant risk – and should be considered in a similar way to natural catastrophe risk. This sounds exaggerated, but if one critical service provider experiences a cyber outage (for example a major cloud service or broadband provider), it is likely that numerous clients would be hit, creating significant accumulated loss in the market. As more and more companies continue to purchase cyber insurance, this aggregation risk will increase for insurers. If the scale of cyber risk is underestimated there is a real risk that carriers could experience some catastrophically unprofitable years, which could impact clients and the global market.

Better data protection is required
Clients have an important role to play, as many still do not fully understand their cyber exposure or take appropriate steps to protect their business. Even basic security is often overlooked.  For example, numerous firms still fail to implement two-factor authentication (requiring two separate pieces of unlinked evidence before log-in is permitted to any corporate system). While companies will employ cameras, gates and security guards to protect their physical assets (effectively 3-step authentication), it seems that they don't apply that ‘multiple layer' logic to protecting data.

The human factor is often overlooked
Allied to this is the human factor, sometimes referred to as social engineering or simply human error. The majority of successful cyber crimes exploit human habits and weaknesses, targeting times such as lunch hours, exploiting access given to unvetted contractors, or using credible stories and fraudulent online identities to change staff behaviour (inducing sharing of passwords or access to bank accounts).

Clients need our help in managing their people risk, both in raising awareness, and in prioritising the protections that they have in place for their non-physical assets. The principle is simple. Invisible doesn't mean invincible, and assets that can't be seen still need protecting.

Augmentation
Finally, we need to use technology better as part of our cyber fightback. While technology can augment risk, it also brings the power to augment our own skills, and developments such as AI can help hold back cyber-crime, especially large state-sponsored attacks. It is predicted that 2019 will see big growth in AI-on-AI cyber battles, as we seek to harness technology to protect digital assets, and this is positive all around.

The cyber market offers huge potential, but there is a lot we need to do to support this maturing process. Underwriters need to be mindful not to jump on the bandwagon and underwrite cyber risk carelessly, without a clear understanding of the potential frequency and severity of losses. We also need to help clients to understand their policies and what they can do to improve their own cyber risk protection, and this requires ongoing education. Finally, employing technology of our own to fight cyber-crime, and working with third parties to thwart cyber criminals making it hard for them to access vital data and disrupt systems will be key to long-term stability in this market

With careful management cyber insurance has the potential to become one of the most successful products in today's insurance market, which offers great benefits to many businesses around the globe.  If we abuse this potential and underwrite for short-term growth instead of creating a mature and successful market, it could end up in significant losses and disillusioned clients.

Blog created for Canada. Reference: David Legassick, AVP Head of Life Technology and Cyber, CNA Hardy: Cyber risk requires careful handling (Insights/Blog) Retrieved from: https://www.cnahardy.com/news-and-insight/insights/english/cyber-risk-requires-careful-handling-insurance-day-article