Boundaries. There are none. Ransomware and the specter of major supply chain cyberattacks loom over the insurance industry today. By some accounts, a cyberattack happens every eight minutes. But it’s important to remember how quickly this situation spiraled, how we got here and what we should be thinking about for clients as we embark on the second half of 2021.
Up until now, there was a widely held assumption that with common sense and basic security controls, most middle market companies with less than $1 billion in revenue and minimal data exposure would weather the passing threats of cyberattacks that rarely targeted smaller companies. Some industries, such as manufacturing, might be immune altogether, given their relative lack of digitized operations.
It makes sense that the insurance industry took this approach, because insurance is a product purchased for what should be a chance encounter. That was the case when cyber insurance came to market 20 years ago.
Of course, in 2021, ransomware now impacts companies of all sizes, in all industries, with potentially catastrophic effects (see recent attacks on the world’s biggest meat processor; the Colonial gas pipeline; and an Oldsmar, Florida water treatment facility). Manufacturing and industrial plants, in fact, pose a unique threat, given their interface of IT and operational technology, which allows hackers to hold not just data but operations and, potentially, safety for ransom.
Without a strong security foundation, one company’s ransomware attack can create a string of catastrophic consequences. And no one, absolutely no one, will go untargeted.
In this climate, where the once-in-a-lifetime is now the norm, a very different approach is warranted for cyber risk transfer and for securing organizations and individuals from these insidious threats.
This is where Resilience, a company co-founded by an NSA cybersecurity expert, a director of the National Security Council, and a managing partner of the Pentagon’s Defense Innovation Unit Experimental (DIUx), has an unparalleled ability, perhaps even a responsibility, to help businesses confront the current hostile cyber climate. Resilience was built around a core belief: insurance clients deserve the same rigorous approach to cybersecurity that the military uses to protect government agencies.
With that ethos in mind, we have upended some industry conventions, offering customers coverage at bind, loss mitigation services post-bind, in-house claims handling, and individualized ongoing security assessments throughout the lifecycle of the policy.
Our deep background in security informs the proprietary approach to underwriting we call Cyber Meteorology, which uses artificial intelligence to benchmark cyber threats from multiple sources, both broad and industry specific. This allows us to realistically assess the severity of these risks, pinpoint the weaknesses threat actors will exploit, and determine how our insureds can guard against them.
While larger companies are great at asking questions, assessing risks, and then connecting insureds with third-party solutions, we do it a different way. If we ask “Do you have multi-factor authentication in place?” or “Are you segmenting your backups?” and the answer is “no,” we can help implement those solutions.
Layers of defense, from email filters to endpoint detection and response tools, are critical for keeping out sophisticated cyber threat actors, but company culture is an equally important piece of the puzzle. We work with our insureds to get the right stakeholders at the table so the risk manager and the CISO are talking about risk management, risk transfer, and how we, as the insurance provider, can support internal cyber risk management goals.
With today’s risk landscape being what it is, larger carriers have had to make sweeping changes to underwriting practices to preserve the quality of their books while rates harden in what was once a soft market. Underwriting guidelines are becoming stricter; coverage slimmer.
As a transformative player, we’ve been able to stay nimble and take a more bespoke approach to helping clients, recognizing that no two companies will have the same needs when it comes to cyber risk. Yes, there are emergency situations when a client needs insurance as part of the response, but there are many ways we can offer “preventative care” in the meantime.
It’s simply no longer possible to buy a cyber policy, stick it under a pillow, and hope you never need it. If the current conditions hold, you’ll need it tomorrow, and likely the day after that. The goal is to find a proactive partner that can help you maintain your cyber wellness and provide ongoing service for a lifelong relationship.