Nathan Smith from the NBR talks to Ian Pollard about the impact of cyber on business and on the insurance companies covering cyber liability:
Security folk talk about the cyber threat as not a matter of if a company is attacked, but when. Given this, companies will naturally want to purchase cyber insurance, and many insurers now offer the product.
But if no company is safe, and it’s only a matter of time before a breach occurs, what’s going to happen if policy holders all start submitting claims at roughly the same time? This existential risk is precisely the reason global ratings agencies are pulling out their magnifying glass.
Fitch, Moody’s, Standard & Poor’s and others are noticing many insurers’ dangerous exposure from packaging ever-expanding cyber insurance policies, not only for corporates, but for SMEs too. The veiled threat, Delta Insurance chief executive Ian Pollard says, is that those agencies may start downgrading firms if they find them too overexposed.
“Insurance is about risk. A hurricane is specific, striking only one area but causing massive property damage. In cyber, a virus, piece of malware, ransomware or a government-sponsored attack could impact a majority of the world’s computers or networks at the same time.
“These threats could rip through entire industries. This represents a horizontal exposure insurance companies have never really experienced before. So ratings agencies are starting to assess the amount of cyber risk companies are taking on,” he says.
Insurance is typically defined by historic events. Cyber threats represent a different phenomenon. A key for the future of cyber insurance will be to map how the threat will affect different sectors differently, because all of them are at risk.
According to PwC, more than half (55%) of New Zealand organisations do not have an operational cybercrime management plan, yet 40% expect to experience a cybercrime in the next two years. Mr Pollard says risk management plans will be crucial.
“Ransomware events, for instance, are often a result of lack of education after someone clicked on a bad email. Companies will always be exposed to this, so they must create appropriate response plans so they can continue operating.”
For SMEs, the average cyber claim costs $20,000 if a risk management plan is in place. Many insurance companies also have an ecosystem of expertise drawn from four key sectors – academia, IT, forensics and security – to respond to cyber intrusions. Yet for companies lacking such a plan or access to expertise, costs can run far over $50,000.
Packages filling gaps
Large corporates have the resources to maintain a robust risk management plan, but SMEs often don’t. Insurance companies are creating packages to fill this gap, although Crombie Lockwood head of financial and professional risks Mark Jones says cyber policies are like an emergency number. An SME should still educate staff on security and enact pre-emptive security measures.
“Behind many insurance policies is a panel of experts, ranging from forensic to legal, or even public relations. For SMEs, buying cyber insurance could be seen as outsourcing their risk management plan.
“It will be interesting to see how underwriting will be done in the future. It’s fair to say right now the process is unsophisticated. Firms ask rudimentary questions, such as whether a company has anti-virus software or if it backs up its servers regularly. Rarely do they make investigative enquiries, and few conduct penetration tests of their potential policy holder’s computer systems,” says Mr Jones.
But there’s still a lot of sunlight between what a company’s actual cyber risks are, what a company thinks its cyber risks are and how well an insurer can verify those two aspects. That makes insuring much more difficult, as ratings agencies are noticing, because it’s near impossible to know a company’s true cyber exposure, says BDO national leader of cyber security Leon Fouche.
“Due to the lack of reliable data about cyber security trends in local markets, insurance companies are limited in their ability to develop robust risk modelling for the costs of cyber-attacks. They mitigate this by having restrictive terms and exclusions in their cyber insurance policies.”
Mr Fouche says businesses can take steps to better understand their risks. Firstly, they can conduct a risk assessment to outline present cyber risks, quantify those risks and then model the potential impact they would have on the business.
Secondly, they can evaluate insurance policies for risks which can’t be remediated. As a final check, they can validate whether a policy will provide the required cover by walking through potential cyber-attack scenarios to confirm it would help in those scenarios.
One piece of the puzzle yet to be added is the creation of cyber credentials, both to guide businesses toward minimum security standards and to supply insurance companies with the information they need to better assess risk. The government is in talks with the private sector to set up such a scheme, but the process may not be formalised until at least early next year, according to the National Cyber Policy Office.
Mr Pollard says cyber credentials will create a standardised baseline. In the meantime, New Zealand companies can access overseas frameworks such as the National Institute of Standards and Technology (NIST) measurement standard in the United States.
The difficulty of creating cyber credentials, says Mr Jones, wraps back around to the difference between physical threats and cyber threats. For instance, no one is building a more damaging earthquake, but they are in cyber. The bad guys are “adept at changing how they are bad” so credentials will quickly go out of date.
“Perhaps underwriting will get more sophisticated. For instance, buildings must have sprinklers. If that could be done, it would make an enormous difference in cyber. However, sprinklers are fit for purpose and protect against fire.
And all fire is the same; it doesn’t change. Cyber-attacks do change and won’t be the same tomorrow or in six months’ time,” says Mr Jones.
And this gets to the heart of the problem. Perhaps only a handful of companies manufacture sprinklers and all of them do exactly the same thing, at exactly the same time, against exactly the same threat. But if a company needs a firewall, it can choose from hundreds of products, and it isn’t immediately clear if the software protects in the same way, or even at the same time.
“Insurance companies could start asking more important questions,” says Mr Jones. “Does a company have regularly updated virus and firewall protection? Does it back up its computers every two or three weeks and is its data stored offsite?
Yet nobody asks whether the back-up itself is checked. It could be all garbage. Nobody asks whether the firewall is the best or just the cheapest. Not all firewalls are created equal, and there’s no clear differentiation at the moment,” he says.
So while widespread implementation of cyber risk management plans is lacking, Delta’s Mr Pollard says such plans need to become the norm, because the cyber threat is only going to get worse.
“Prior to 2016, it was rare to receive a cyber claim. Since the start of this year, 10% of our cyber insured clients have filed a claim. They seem to always happen on a Friday afternoon as well, for whatever reason. No idea why.
“But I don’t think New Zealand companies are naive, just unprepared. The penny seems to be dropping that cyber threats are real and will affect most companies. The Christchurch earthquakes showed how the unthinkable can happen.”