At a recent event in Sydney, leaders examined the question of what more the industry itself should be doing in its efforts to address the growing cyber risk
Risk managers are ill-prepared to deal with the growing threat of cyberattack. While they need to get their houses in order, the insurance industry must also up its game to avoid being part of the problem.
These were the key findings when
FM Global vice president Lyndon Broad chaired a cyber insurance panel at this year’s Risk Management Society’s Forum in Sydney.
As a broker, there’s no single product that meets the cyber insurance needs of a client. So there’s an opportunity to add value by bringing together multiple products to ensure they have effective coverage.
Cyber risk has never had a higher profile, with ransomware attacks like WannaCry and Petya racking up billion-dollar losses around the world. There’s also a sense that the worst is yet to come.
Responses have been inadequate
Yet cyber risk isn’t usually part of centralised risk management. It’s still dealt with by IT departments that don’t value insurance. The insurance industry has done little to instil confidence with its wild policy variations and coverage gaps.
“We’re living in a world of digital damage,” FM Global’s Broad says. “The nature and variety of attacks is broadening, with risk managers facing real and wide-ranging implications.”
JLT Australia chairman André Louw says cyber risk is a complex problem. He’s concerned that it’s being handled in a disjointed fashion that exposes business unnecessarily.
“Executives believe the risk can be handled within the confines of systems and firewalls,” he says. “This misses the point that risk is usually manifested through human error.”
“We’re living in a world of digital damage. The nature and variety of attacks is broadening, with risk managers facing real and wide-ranging implications” - Lyndon Broad, FM Global
Mandatory disclosure will help
Finance, legal and other heads of business departments will get a better view of cyber risk when mandatory data breach legislation comes into effect early next year.
Under the legislation, Commonwealth Government agencies and private organisations must notify the Australian Privacy Commissioner, as well as individuals affected or at risk of a breach.
Penalties for non-compliance will be as much as $360,000 for individuals and $1.8m
for companies.
Legislation and the growing frequency of attacks like WannaCry, which cost organisations worldwide an estimated $4bn, is generating interest in cyber insurance.
These policies are designed to help organisations mitigate risk by offsetting the costs involved in recovering from a cybersecurity breach. Much work still needs to be done.
“The market for cyber policies is developing haphazardly,” Louw says. “There’s no other product within the insurance industry that varies so much in terms of price and coverage.”
Too many grey areas
There are simply too many gaps in coverage, especially when businesses buy off the shelf. Louw says there’s a long way to go before cyber is managed in the same way as property or workplace health and safety risk.
Christopher Wallace is CEO at the Australian Reinsurance Pool Corporation, the government body that deals with terrorism-related insurance claims and protection. He says it’s not always easy to attribute attacks, which is one of the reasons why there are coverage gaps.
“There are three types of cyberattack – acts of war, terrorism and criminal. War and terrorism are excluded from policies. Acts of criminality are potentially covered, but this is still a grey area.”
Wallace says there are also difficulties in determining what’s covered. Does a policy cover the cost of forensic investigation, software restoration or legal costs? What about crisis management, direct financial losses and business interruption? Or loss of intellectual property and reputational damage?
“There are three types of cyberattack – acts of war, terrorism and criminal. War and terrorism are excluded from policies. Acts of criminality are potentially covered, but this is still a grey area” - Christopher Wallace, Australian Reinsurance Pool Corporation
Building a plane in mid-air
Andrew Bart is regional CEO of global claims management firm Crawford & Co. He says policies need to take a broader view, accounting for loss of market share and other factors beyond the period of interruption.
“The plane is being built as we fly it,” he says. “There are significant gaps in coverage and scenarios that haven’t even been contemplated yet.”
FM Global has included cyber risk in its commercial property insurance policies for 15 years. Yet half of the claims it’s received have been filed during the past two years. Broad says businesses must include cyber within an enterprise-wide risk management strategy.
“Well-run organisations should apply the risk standards of fire, flood and worker safety to cybersecurity,” he says. “This means paying attention to small details, like preventing visitors from connecting to your internal network, but also considering big-picture issues like supply chain exposure.”