This article was first published in Policy Magazine in November 2020, it has since been updated.
Digitization of businesses
Since the pandemic, digital infrastructures developed during the pandemic by governments and corporations have continued to grow for long-term use generally. We are therefore witnessing a dramatic global acceleration in technological developments and long-distance work, while at the same time trying to maintain a sustainable business and economic routine.
Cyber risks – effects on insurers
With the increase in the number of people working from home with personal devices, the volume of cyber-attacks has risen across the board. Generally, small businesses and home users do not have the same robust computer systems as large businesses, and they naturally become easy targets for cybercriminals.
There are also associated risks to systems based on cloud technologies. Cloud service providers deliver critical infrastructure for many users. If they fall victim to cyber-attacks that paralyze their operations, their customers suffer significant damages and as a result, insurers are exposed to such provider claims (as insureds) and to their customers' claims (as third parties).
In addition to financial damages caused as a result of cyber events, and damages to insured businesses due to disruptions to their business function, there is an increasing trend of lawsuits involving damages for reputational losses. The pandemic has therefore accelerated the exposure to potential cyber lawsuits.
Against this background, the need for the insurance industry to take a proactive approach towards its policyholders has increased. Many insurers are preparing, with the assistance of brokers and tech companies, to try to resolve crises as early as possible, and reduce damages before these intensify and become significant claims.
The exposure of cyber risks that stem from the pandemic is only starting to become clear. One of the most common types of cyber-attacks in organizations is a "business email compromise" in which hackers infiltrate corporate mailboxes and try to intercept money transfers. The entry vector of this type of attack is usually as a result of credentials being harvested from phishing emails. The transition to remote work has allowed threat actors to exploit an increase in electronic documents and the absence of close supervision.
However, the reality in the field shows that hackers who act in this way can "sit" in the victim's mailbox for many months before it is possible to know that such a problem exists. They often implement forwarding and automated deletion rules and wait until they see a payment being made - then they try to divert it to a fake email. Only when payment is not received at the original destination can it be understood that such a cyber-attack (and corresponding breach of personal data within the mailbox) has occurred.
As such, we are coming across hacking incidents that occurred as early as March or April 2020, but only recently coming to light. Hence, we are only now starting to see the peak of lockdown related incidents as the data is still coming through to insurers that provide such coverage.
We have also seen a huge increase in ransomware attacks over the last six months due to the following:
- Remote working is driving a need for remote connectivity, which will often result in RDP (Remote Desktop Protocol) connections being left open to exploitation
- Many businesses have furloughed or laid off employees including computer crews and are thus short-staffed, which facilitates intrusion into their systems
- Some businesses are struggling financially and have stopped investing resources in computer systems and protection software making it easier to hack into their systems.
After years of a soft market, the frequency and severity of claims over the past couple of years has meant that we are heading towards a period of market hardening, and the risks arising out of the pandemic may accelerate that hardening process.
In light of this, obtaining comprehensive cyber policies and advance planning is of great importance. The insurance industry will likely be required to guide, monitor risks and undertake proactive processes to reduce damages in the event of cyber-attacks. We are likely to see a number of changes in Insurers approach to risk including sharing risk with Insured entities, and requiring a much more thorough assessment prior to risks being taken on.
The insurance market has been examining the wording of policies regarding cyber risks for some time. In January 2020, Lloyds of London issued an announcement (Market Bulletin Y5277), stating that policies to be issued from 1 July 2020 must explicitly say whether they include or exclude cyber risks. We estimate that with the changes that are taking place in the market, such clarifications will be explicitly included in all policies that are marketed to businesses.
Comment
The pandemic has shown that businesses that have recently been able to make decisions quickly, conduct themselves with business flexibility, make use of technologies and data in new ways, while accelerating the scope of innovation and the transition to digital platforms, are able to deal (within existing constraints) with significant obstacles of the pandemic.
Those entities (and insurers) that think creatively, innovatively and adapt quickly to the changing demands and risk landscape, have a much better chance of succeeding.
Related items: