“In late February, a typo at Amazon Web Services took down a portion of the cloud for a few hours. From an insurance perspective, this event served as a wake-up call that even the largest cloud vendors are vulnerable to downtimes. Due to insurance waiting periods, the insured loss was negligible from this event. Later in the year, we saw major outbreaks of ransomware, with WannaCry and Petya/NotPetya being most notable. While the loss from companies paying ransoms was minimal, the business interruption due to these events impacted major organizations such as Merck and FedEx. Toward the end of the year, we saw the major Equifax breach, which served as a reminder that while aggregation events are important to consider when managing cyber risk, it is imperative to also continue to consider individual company breaches, as well.”

The number and types of cybersecurity threats multiplies with each new online endeavor. The insurance industry, meanwhile, with its focus on risk analysis and prevention, is in a unique position to battle cyber criminals and malfeasance.

But this call to action for insurance comes at a time when the industry is already challenged to reinvent itself for today's digital consumers.

The impact of widespread cybercrimes in 2017 paired with InsurTech innovations are spurring change in the way cyberinsurance is sold and packaged along with the role that insurers play in cybersecurity.

Here are a half-dozen ways that cybersecurity is changing as a result of the major breaches of 2017:

|

6. Finance and insurance regulators are taking a stand.

On the heels of the cybersecurity regulation adopted by the New York Department of Financial Services, the NAIC issued its own cybersecurity model law meant to provide guidance for state insurance regulators.

“EY's 2017 Insurance Chief Risk Officer Survey reveals insurance CROs consider cyber threats a top five risk, and health CROs are particularly on alert as a serious breach would compromise sensitive customer data and personal information,” said EY principal Chris Lanzilotta. “It's been a key discussion at all levels.”

Company concerns include complying with current and forthcoming cybersecurity regulations, and stepping up protections of sensitive client data.

Lanzilotta continued: “Elevated regulatory scrutiny combined with the increasing frequency and sophistication of cyberthreats has carriers acknowledging the fact that cybersecurity is a key business issue, not just a technology issue, and needs to be addressed at all levels. This has our clients revisiting their strategy and investing in innovation, threat intelligence, cyber leadership and talent that is a fit for their culture and business environment, and integrating cyber risk management throughout the organization.”

|

5. Insurers are exploring more sophisticated cyber insurance and security services.

“As cyberattacks become more frequent and more complex, there are concerns that hackers could target America's industrial control systems, causing power outages and electrical grid failures,” said David Gerlach, senior director of information security and privacy at Applied Systems Inc. “This goes far beyond what cyber insurance was created to cover. So it begs the question, 'Should cyber insurance cover only financial losses caused by information breaches or with these potential threats in mind, should it cover all encompassing harm due to cyber technology?'”

Gerlach predicted that the coming year will see cyber insurers expanding their products and services.

He continued: “Cybersecurity is becoming much more than protecting information—it's become about protecting a client's well-being. There are many other questions insurers will have to answer, however. Will this kind of cyber insurance be available to everyday consumers? Businesses? The government even? What we do know is the cyber insurance landscape will continue to change drastically as new technologies and new hackers become known.”

Deloitte's cybersecurity analysts also deducted that there is now: “increasing pressure from insurance company officers and directors to enhance cyber security, vigilance, and resilience.”

|

4. Cybersecurity now demands a more sophisticated insurance workforce.

Gone are the days when information security was the function of an isolated, insulator department with a larger operation.

“It's not just that the cybersecurity and information security area needs to own that. It needs to be owned across the organization,” said Tracey Malcolm, the global future of work leader at Willis Towers Watson.

In light of findings in the “2017 Willis Towers Watson Cyber Risk Survey,” Malcolm said organizations are moving from the defensive to the offensive when it comes to cybersecurity, and that means training staff at all levels on best practices that serve both a security function and the business as a whole.

“It's the orientation that cybersecurity can no longer be part of a support function,” she said. New positions within insurance now tend to be hybrid roles filled by people with both a traditional business acumen and the ability to advance the organization's cybersecurity protocols.

|

3. Ransomware grows up.

Heretofore, most cyber crimes focused on stealing money or personal records with hopes that victims will pay to keep those records secure. Now, cyber criminals are learning to go after entire information security systems, the impact of which can be catastrophic, says Rotem Iram, CEO and co-founder of the new cyber insurance company At-Bay, whose products include a detailed cyberthreat analysis.

In June, for instance, the Danish shipping company Maersk was targeted with the Petya ransomware virus. Attackers demanded a modest amount of money to remove the virus. But the process of recovering from the event disrupted the company's international shipping operation, with a loss of business income reported to be around $300 million dollars.

“This is a huge exposure that isn't covered anywhere, because the traditional P&C policy that Maersk has now has a cyber exclusion, and the cyber policy that Maersk has has a very strong sublimit on business interruption,” Iram said. “Basically, this is where the core construct of the insurance product becomes visible, because as companies become more and more dependent on technology, risks to technology become risks to the business.”

|

2. Cyber risk modeling is evolving for the changing threat.

Scott Stransky with AIR Worldwide said that despite the many eye-opening cybersecurity events during 2017, the insurance industry did not suffer significant cyberlosses.

“Insurers have taken a conservative approach with cyber and while this is effective at protecting their balance sheets, there are some negative tradeoffs to that strategy such as missed growth opportunities or lack of innovation,” Stransky said. “To overcome these drawbacks, insurers have been increasingly been relying on flexible and transparent catastrophe models to test how their portfolios would respond to new and unforeseen cyber threats or evaluate the impact of introducing different policy terms and conditions to their book of business.”

|

1. Insurers stepped up cyber insurance sales and marketing.

Cyber insurance is no longer solely the concern of the commercial insurance world, according to GlobalData, a leading data and analytics company. Going forward, in light of the Equifax hack as well as the scope of the WannaCry and Petya events, individuals may have no choice but to seek personal insurance protection from cybercrime.

GlobalData financial analyst Daniel Pearce said insurers such as AIG, Hiscox and Hartford Steam Boiler Inspection and Insurance Co., and Oak Underwriting already offer personal cyber insurance, and the field is expected to rapidly expand, particularly for the high-net-worth (HNW) market.

“The cover will aim to provide HNW customers with support by investigating and rectifying any damage caused to their device, locating and removing viruses, as well as providing professional consultation in order to prevent future cyberattacks,” Pearce said.

Although such products may initially be offered as add-ons, the potential to offer cyber insurance as a standalone policy is likely to emerge over time, he said, once the market develops and uptake increases.

See also:

• 10 ways small businesses can fight cyber crime
• Cyber insurance must be a priority for small and midsize businesses
• Ransomware and the perils of shoddy attribution

From: PropertyCasualty360