The ubiquity of wireless connections between objects appears to be a digital utopia in the here-and-now. Thermostats can think, manipulate and manage a multiplicity of domestic devices, streaming real-time operational data to their makers. ‘Intelligent,’ interlinked machines and heavy industrial tools can render work more efficient and ‘learn’ as they operate. Vehicles automatically download the latest software iterations from their manufacturers to boost performance and pre-empt mechanical problems before they even occur – all the while registering precisely where they are.
Sounds wonderful, doesn’t it?
And yet, in this brave new world, planes can now be hacked, as can oil tankers and offshore rigs. Financial institutions or entertainment companies can see their data compromised and shared beyond their customer base. Every smart, connected device may be a point of network access, a target for hackers or a launch pad for cyber attacks.
The paradox is that in such a world, our machines, our constructions and our products are autonomous yet connected at the same time. It is a strange concept to grasp, yet grasp it we must if we wish to maximize the opportunity and minimize the inevitable risks.
Woefully, modelling industry-agnostic cyber risks is at a nascent stage of development. Not one of the leading commercial risk model players currently offers a model to diagnose – let alone prognosticate – cyber risks.
Recent cyber hacks that have inflicted significant operational and reputational damage on targets such as Target and Sony are concentrating insurance minds on the security risks in this connected world.
All functions and – from an underwriting point of view – potentially all specialty insurance classes need to be reassessed for vulnerabilities heralded by the Internet of Things.
Typically, specialty classes operate within a ‘risk silo,’ while cyber and other enterprise risks are cross-silo or cross-class.
We think that, in the future, cyber risk sets will be available that will adequately reflect the nature of historical events and could be licensed independent of any software model needed to run them.
All companies, large and small, need to carefully assess their security and how it affects multiple functions, with IT continuing to play a key role in implementing best practices for data and network security. That is all very well, but it still does not address a key concern for insurers and reinsurers, which is the supply chain risk and the wider aggregate exposure.
An organization or individual can protect their own interests to a certain extent, but their ability to conduct a security audit on all their suppliers and partners is a different matter entirely.
In a cyber environment in which PwC estimates that annual gross written premiums are set to increase from around $2.5 billion today to $7.5 billion by the end of the decade, we are going to need a workable model soon. Enterprise-connected risk solutions can help address the absence of a workable standardized cyber risk model.
We have become used to the idea of an earthquake or windstorm causing large financial losses and human misery, so it takes time to adjust to the idea that a human typing on a laptop or the loss of an unencrypted memory stick might cause the same level of threat.
The reality, however, is that cyber connectivity is an existential threat to insurers’ balance sheets and those of their clients. It is surely time to address the issue collectively – with insurers, government and risk managers all working together – before it is too late.
Suki Basi is the managing and founder director of Russell Group, a UK-based risk management software company. He’s had project experience in a number of insurance and reinsurance lines, including aviation, space and offshore energy.