You will suffer from a cyber incident. That's the message insurance providers should relay to current and prospective clients. Whether that incident involves malware, a phishing strike, a breached system, a ransomware infection, a lost or stolen laptop, or a distributed denial-of-service attack, all organizations will at some point suffer the direct or indirect consequences of a cyber incident. Gone are the days when providers and insureds could focus solely on preventing incidents. We must now take steps to prepare for when insureds do get hit.
Any organization is fair game
I’m being a realist, not an alarmist. Hackers, crypto-extortionists and just plain troublemakers are now targeting vulnerable companies regardless of their industry, not just data-rich banks and retailers. In fact, the new generation of cyber criminals is spreading its lures so widely that any kind of organization is liable to bite. Just look at the recent headlines.
Healthcare: The United Kingdom's National Health Service was one of the organizations hit hard by WannaCry in May, forcing many hospitals within the country's healthcare system to divert or postpone operations and procedures.
Elections: A high-ranking official of the Department of Homeland Security told the U.S. Senate Intelligence Committee in June that election mechanisms in 21 states were targeted in cyber incidents during the 2016 presidential election.
Transportation: The Danish transport and logistics conglomerate Maersk revealed in August that the Petya ransomware let loose in June cost the company some $300 million in lost revenue. Other enterprises victimized by Petya include advertising shop WPP, food company Mondelez, legal outfit DLA Piper, French construction materials corporation Saint-Gobain, and Russian steel and oil firms Evraz and Rosneft.
Critical infrastructure: Reports emerged this June that late last year unknown hackers used malware to shut down an electric transmission station in Kiev, the capital city of Ukraine. In the same reports, cyber security experts were quoted as saying that the malware, known alternatively as Industroyer, CrashOverride or Electrum, is a threat not just to Ukrainian power grids. Any system run or monitored by automated controls (in other words, almost all the systems that make up critical infrastructure in the United States) is also vulnerable.
Disconnect between awareness and action
Expect more types of organizations to bite the cyber hook in the months to come. Many of them will be victimized through connected devices. The internet of things will vastly increase the number of points at which hackers, crypto-extortionists and other cyber criminals can access corporate digital systems and, just as important for insurers, expand the scope and complexity of risk. Pretty much everyone and everything will soon be connected to the internet — personal things such as the systems that heat homes, monitor babies and control medical devices; and public items such as security cameras, transportation networks and power plants. The analyst firm Gartner says that 26 billion connected devices will be in existence by 2020.
Owners and operators of many businesses and organizations are slowly starting to grasp the extent of the threat. Allied Market Research forecasts the global market for cyber insurance will rise from $3 billion today to $14 billion by 2022. Yet many organizations are still not getting the message.
Recent compelling evidence is found in the Cyber Governance Health Check 2017, a UK government report that supplies results on the levels of cyber security awareness and preparedness of the 350 largest firms in that country. Published in August, it reveals that more than 68% of these firms’ boards had not received training to deal with cyber incidents, despite 54% of these same boards saying that cyber threats were a top risk to their businesses. That separation between understanding the severity of the risk and failing to take an appropriate response is what I call the cyber insurance gap.
Four moves we must make
While that report deals with the largest UK companies, I would be shocked if the figures for awareness and action were much different for organizations in any other G20 country. I also believe there is a primary reason for the cyber gap: insurance companies aren't making it easy enough for prospective clients to get the coverage they need.
Which brings me back to that bold statement I made right off the top. If we must say to prospective clients, “You will suffer from a cyber incident,” we as insurance providers have a corresponding duty to supply them with coverage and other resources that limit the damage of cyber incidents, that help insureds get back on their feet after they suffer from an incident, and that cover any financial setbacks due to physical harm or lost business. We have a duty to bridge the gap between awareness and action.
Here are four straightforward moves providers can start making right away:
Have a product customers are eager to buy. Develop a policy that meets clients’ existing needs and keep it fresh so it addresses changing requirements. We must also be willing to tailor our policies to meet specific needs. An online retailer, hospital and water system are each vulnerable to different threats and damages. Serve them accordingly.
Determine the scope of cyber coverage you are willing to write. Then communicate these guidelines to your underwriting team and have team members adhere to them when they meet with brokers and organizational leaders to build a book of business.
Stay on top of evolving laws and exposures. New laws to govern cyber security are being introduced all the time, and existing laws are being enforced differently, often more rigidly. Remaining alert to changes will enable you to craft the most current and appropriate coverage for your clients.
Exposures are evolving even more rapidly. New breeds of ransomware, for instance, seek to destroy data and systems, not merely hold them hostage. This evolution in cyber crime technologies should guide both carrier and client to better understand what the client's potential exposures are, what type of insurance that client should carry, and how much insurance it should buy.
Gaining the proper understanding is critically important to the financial health of carriers and clients. As an example, the Petya ransomware rendered many companies unable to conduct business as usual for days, some for many weeks. Hopefully these companies bought enough business interruption coverage to cover their losses. On the flip side, I hope carriers didn't overextend themselves by supplying too much of that coverage. Some insurers reportedly had exposures of hundreds of millions of dollars in business interruption coverage.
Build a team of claims experts. Creating such a team starts by recruiting, hiring and retaining talented claims professionals. Then let them loose. Carriers need to give these people the latitude and resources to become cyber experts. They can't do so from behind their desks. That means making it possible for them to meet often with clients, brokers and vendors to share information, generate knowledge, and put together a network of specialists from a range of professions who can move into position the moment a cyber incident hits any one of your clients.
Four moves that are easy to put down in words, hard to do. Yet we must do them. We must make it easier for organizations to bridge the cyber insurance gap.
Bill Kelly (firstname.lastname@example.org) is a senior vice president at Argo Pro. A 25-year veteran of the insurance industry, he heads the company’s E&O business line, which includes cyber security. Find him on Twitter @Bill__Kelly.