Evolving cyber risks and the benefits of cautious opportunism in the face of uncertainty
Cyber attacks represent a growing danger that threatens businesses of all sizes, irrespective of sector. This became increasingly evident in 2017 following the WannaCry and NotPetya attacks and, unfortunately, the severity and frequency of attacks are continuing to grow. Insurers and insurance brokers globally are becoming increasingly aware of the importance of the cyber insurance market and the scale of its growth over the next few years. Indeed, according to the FT, analysts at investment bank Jefferies have stated that the cyber insurance market will grow from US$3 billion of premiums last year to US$7 billion by 2020.
The anticipated exponential increase in the cyber insurance market is a direct result of the increasingly sophisticated cyber risks faced by businesses as they embrace the rapid advances in technology. Cyber attacks are perceived to be the global risk of highest concern by business leaders in advanced economies who fear they are losing ground in the ongoing arms race between enhanced cyber security and those seeking to exploit it. As such, it has become vital for businesses to obtain adequate cyber coverage.
Understanding the risks and protecting clients - whilst also protecting their own balance sheets - is going to be particularly challenging for insurers over the next few years and will undoubtedly lead to continued uncertainty in the market.
Nature of the threat
The increasing sophistication of cyber attacks makes them particularly dangerous. An attack or incident resulting in a huge data loss, business interruption and/or significant reputational damage could put a corporation out of business.
The recent exposure regarding Office 365 vulnerabilities is particularly concerning. Office 365 subscription plans include access to all Office applications as well as other internet-enabled productivity services, such as cloud services. A major security flaw resulted in hackers being able to completely bypass all of Microsoft’s security. This type of attack is known as the ‘basestriker’ method. It effectively enables the attacker to circumvent Microsoft’s security settings and allows malicious links to be sent to the end-user. It is virtually impossible for insurers to predict or quantify this type of risk.
Further evidence of the scale and impact that a cyber attack can have on a company emerged in the recent TSB scandal. Issues surrounding TSB’s IT systems during a data migration resulted in a wave of fraudulent attacks on their customers. The bank’s difficulties were compounded when the confusion surrounding these attacks was further exploited by fraudsters. Opportunistic fraudsters used ‘smishing’ (SMS + phishing) to defraud unsuspecting victims out of money using specialist software which changes the sender ID on text messages so that it looks like the messages are being sent by TSB.
Understanding the risk
It is clear from these examples that cyber attacks can have potentially enormous repercussions for the businesses involved, particularly if the impact of the risks is underestimated. Often, much of the damage results from an inadequate response to the breach. Indeed, the FT recently interviewed Mr Chia Tai Tee, chief risk officer at GIC, who noted that “the days in which your strategy is based upon preventing cyber-attacks is over. Now it’s much more about what you do if you are attacked”.
What companies are able to do will depend centrally on the extent of their cyber cover. When pharmaceutical company Merck was hit by a seriously detrimental cyber attack last year, the effects of the incident lasted for months - but there was some comfort in knowing that it did not have to pick up the full bill because of the insurance policy it had taken out before the attack.
Companies will be uncertain of their needs and will look to their broker for the correct type of cover. It will therefore be vital for brokers to fully understand the evolving risks that companies face and to provide advice on the right level and extent of cover required. The absence of this will likely lead to a rise in broker negligence claims.
Depending on the nature of the organisation, clients may require cover for privacy liability, network security liability, media liability, cyber extortion, data asset loss and business interruption. Importantly, companies will want to have the support of an incident response team to assist them from the moment the attack happens and insurers may want to consider incorporating cover for these costs into their policies. However, in the absence of clear models, insurers will need to create products which appeal to their clients and limit their own exposure.
Challenges for insurers and some practical advice
Whilst the increasing demand for cyber cover is undoubtedly excellent news for the insurance market, there is a difficulty in pricing this risk. Insurers may therefore wish to enhance their existing underwriting talent pool and seek advice from the cyber security and technology industries.
It may also be beneficial to both underwriters and claims handlers to ensure that they have a de-brief with insureds that have suffered major data breaches, in order to fully understand what has happened and what could be done in the future to better tailor the product to that type of situation. A slightly more controversial suggestion is that the market as a whole might want to consider sharing claims information with each other until cyber risk is better understood.
An additional cause for concern is silent cyber risk, where insurers may be exposed to the costs of cyber attacks through other policies where cyber is not specifically excluded. Insurers will need to be extremely clear about whether or not cyber attacks are covered in their policies.
It is clear that insurers are having to grapple with risks in relatively uncharted territory. Whilst there is the potential for huge growth in this market, which many may wish to capitalise on, it will be essential that insurers truly understand the nature of the risks involved and update their policies regularly in order to keep up with the constantly evolving nature of cyber risk.