How do we assess cybersecurity insurance needs?
Cybersecurity insurance is one of the fastest growing insurance products in recent years, and research shows that it’s only going to keep growing. We find out how this affects financial institutions and businesses handling client money, and what should be done to prepare and assess needs.
With the advent of newer technologies, the opportunities for cyber-criminals grow; the internet of things (IoT), which includes smart cars and smart boilers and will even herald ‘smart cities’ in the future, is made up of physical objects connected by software, sensors and more, and provides increased options for hackers to take control of systems.
It is expected that there will be 28.4 billion smart devices connected over 2017, set to increase to 50.1 billion in 2020.
Indeed, attacks on IoT systems are not unheard of; in 2014, Germany experienced an industrial attack when hackers took control of a steel mill’s office software, then tunnelled their way through the production management software and plant control systems. They prevented a blast furnace from running essential security settings and caused hefty infrastructural damage.
The German Federal Office for Information Security (BSI) noted that the attackers used ‘social engineering techniques’, including targeting specific individuals to trick them into handing over passwords via email.
The capacity for financial institutions to face massive damage grows day by day, and it is expected that cyber insurance will quickly rise up in the priorities of directors and officers.
Indeed, CFC Underwriting revealed a 78% increase in claims on cyber policies in the UK in 2016.
How does cyber insurance help?
Businesses and governments are being encouraged to not only improve their cybersecurity, but also purchase cybersecurity insurance as a standard business expense.
The cyber insurance market is expected to grow exponentially, and PwC reported that it could be worth $7.5 billion by 2020, spurred by the financial and healthcare industries (data and equipment loss for hospitals, for example, could be catastrophic).
This insurance type is relatively new, and companies are now paying heed to the losses that cascade from a cyber-attack, including data loss, financial loss, loss of trade secrets, and even loss of physical property.
The German case demonstrates the complicated nature of cyber insurance, in that it has vast potential to affect other insurance products; for example, a cyber-attack that leads to physical fire damage, which would normally be covered under a fire policy.
It is not likely to be easy to simply ‘buy’ cybersecurity insurance, in that a business must tie it to a secure IT and cybersecurity structure, as well as to any regulatory controls set by the authorities.
It’s also a difficult item to assess – when underwriting a policy, insurers must also be aware of the potential losses that are not immediately noticeable, and avoid ending up with a loss-making product.
The intangible nature of the connected world hides risks
In New York, cybersecurity regulations for financial organisations came into effect on 1 March 2017, requiring that 3,000 financial firms set up a formal cybersecurity programme, with a policy, encryption, and routine tests, as well as a Chief Information Security Officer who will report to an external board twice a year.
A spokesperson for Fitch Ratings said: “The new rules could raise compliance risks for financial institutions and, in turn, premiums and loss potential for D&O insurance underwriters. The rules require a director or senior officer to annually certify compliance with the regulations.
“If management and directors of financial institutions that experience future cyber incidents are subsequently found to be non-compliant with the New York regulations, then they will be more exposed to litigation that would be covered under professional liability policies.”
Business magazine and online community Anthill noted that financial services are supporting cyber insurance; credit-rating service FICO Enterprise Security Score gives cyber insurance providers access to infrastructure to measure risk exposure and forecast potential scenarios to devise policies and the appropriate premium level.
How do we assess the what-ifs?
It is still difficult, however, to account for the acts of individuals tied to a company, for example, a bank employee leaving an unlocked / unencrypted laptop on a train. How do we assess the what-ifs?
Increased mandatory regulation in this area will make it easier for insurance companies to offer the correct protection, as well as to guard themselves against huge losses. Banks have a harder time due to data retention laws, which results in higher premiums.
Smaller businesses also have the option to outsource their payment activities if the insurance cost of handling the data is too great, but someone will have to pick up the tab somewhere in the chain – and it could even be the insurers.