Earthquakes topple buildings and displace communities, but they are also a useful model for the scale and frequency of the cyber incidents of the past year that crippled networks and exposed consumer data, according to one cyber expert.
In some parts of the world, earthquakes are routine with smaller quakes occurring frequently and the larger, more devastating earthquakes spread out over longer periods of time.
“You know that sooner or later, you will have big earthquakes so you have to plan your insurance strategy based on the fact that these really big quakes come along and you know they’re coming, but it’s very hard to predict exactly when they will occur,” said Mike Lloyd, chief technology officer for network cybersecurity analytics platform RedSeal, which works with over 200 global corporations and government agencies. “I look at [2018’s] breaches very much on that scale, that it does seem like every year we have a breach somewhere in the hundred thousand to a million records lost – usually one or two of those – and then one really standout breach for the year that will have even higher numbers.”
Cyber crime generally saw a sharp uptick in 2018, but other factors have contributed to the flood of breaches coming to light this year, namely rules and regulations that require companies to disclose a breach when it does take place.
“In the last year, we had GDPR finally come into full force, and that has forced an awful lot more organisations to disclose an awful lot more breaches, and so the data shifts,” said Lloyd. “The first thing that makes it move are disclosure laws and not really the activities because a lot of these breaches were secret up to this point.”
Organisations and their insurance brokers who want to defend against cyberattacks, and against the fallout when a cyber incident inevitably occurs, first have to determine which category of cyber criminal is after them. According to Lloyd, the number of companies and boards that recognise the need to prepare for this eventuality is growing.
“We can roughly categorise attackers into two broad camps: the nation-state, very well-funded organisations who are motivated by things like national interest or espionage,” explained Lloyd, and criminals committing cyber crime for economic gain. Any insured entity has to figure out which of the two it is more concerned about. A regional electricity generating company connected to a grid that runs nuclear power facilities will be more concerned about nation-state actors than about actors trying to steal credit card numbers, while an online retailer has the reverse problem. The tactics, techniques, and procedures needed to prepare for and respond to attacks from these different types of criminals vary greatly, Lloyd told Insurance Business.
“How you have to defend yourself and the expectations for whether you’ll be breached vary a lot whether you’re more the target of nation-state [hackers] or the target for the thieves trying to make money the most efficient way they can,” he said, adding that awareness of the need for cybersecurity preparedness has grown. Ten years ago, companies tried to plug every leak in their defensive walls with a new product, whereas today, “most organisations have now realised you cannot expect perfect protection. You can try and harden your defences – that’s still a good idea – but ultimately you have to plan that your defences will be breached and, once you adopt that mindset, you start thinking about it differently. You start thinking about resilience, which means you care about how well you can recover from a breach, but you also care more about insurance,” explained Lloyd.
According to Munich Re, the cyber insurance market is set to double by 2020 as companies spend more than ever on cyber cover. Buyer demand is clearly high and brokers are responding to their clients’ needs, but the offerings still have a way to go, in part because the industry as a whole remains nervous about the risks in the space, and for good reason, said Lloyd.
“The product that [brokers] end up giving their customer is complicated because of the tower of policy they have to buy,” he explained, adding that buyers want high levels of coverage and, because no single insurer is willing to take that on, brokers have to put together an often unwieldy stack of insurance products to fill that need.
“Many insurers have now entered the market with some kind of cybersecurity coverage, so it’s very common to have some kind of limited product that has a limited premium and a limited payout,” said Lloyd. “But the limits are low, so the kind of coverage that the buyers want to purchase on the market is so much larger than what any individual insurer is willing to take on. We’re seeing market forces work out very well and this is how it should evolve. We’ve gone from buyers not really sure they need the product to buyers now wanting more of the product than sellers are willing to underwrite, and this is good, but where are we in this evolution? We’re at the stage where insurers can’t assess the risk.”
To take it back to the earthquake example, an insurer can balance their book of business between companies with structures in earthquake-prone regions and those in safer locations. Not so for cyber.
“In earthquakes, we know how to assess how similar buildings are to each other based on where they’re located geographically, and we know how to assess how well built they are so if they’re in an earthquake zone, we know what kind of engineering codes to follow. Neither of these is true in the cyber space, so we’ve got all these people who want to buy cyber insurance and the insurers’ problem is they don’t have the heritage of seismologists for cyber, so there’s a lack of key information and without that the insurers have to write these small products today,” said Lloyd.
Going forward, brokers should keep an eye on how the industry assesses clients’ cybersecurity postures. Today, insurers can commission external assessments of a company from third-party services, which score how ready that organisation is for a cyber incident.
“The big change for brokers to be tracking is to watch as the insurers start to work from outside-in to inside-out perspective, so instead of using external scans, these lightweight third-party reviews of looking at the internet footprint of company X and giving you some kind of score, something that you can expect to see coming out is a lot more attempts to say, we’re going to have some people or software that will go onsite at the company and actually do an inspection on the inside of that network and look at what’s likely to happen in a serious incident,” said Lloyd, drawing a comparison to assessing fire preparedness in a physical building, where more information can be gathered from inspecting the inside of the building than simply taking photos of the structure from across the street.
“It is the next shift, it’s the important thing for brokers to be tracking into 2019 – expect the industry to move away from these external lightweight assessments, the ‘photograph from across the street’ risk assessment of someone you’re going to try to write insurance for, over into a deeper analysis that involves going onsite physically or virtually to look at an organisation.”