It hardly takes a high-tech guru to deduce that 2017 was a year when cybersecurity concerns caused businesses of all sizes to quake over losses both real and anticipated.

“Cybersecurity is as big an issue as there's ever been in the insurance industry,” said Adam Hamm, managing director of global consultancy at Protiviti, former president of the National Association of Insurance Commissioners (NAIC) and past chairman of that group's Cybersecurity Task Force. “At least over the last generation, I've never seen an issue that's bigger than cybersecurity, because we're talking about breach after breach after breach.”

Year-end financial reports support Hamm's hypothesis. Consider that analysts behind Deloitte's “2018 Insurance Regulatory Outlook” and “2018 Insurance Outlook” determined that cyber crimes cost financial services businesses more than ever before. Despite extensive efforts to minimize cyber crime, financial services still experienced the highest average annualized cost of cyber crime by industry sector at $18.28 billion. This is 6% higher than second-ranked utilities and energy, and 26% more than aerospace and defense companies, which rank third.

Scott Stransky, assistant vice president and principal scientist at the catastrophe modeling firm AIR Worldwide, points to the many headline-grabbing cyber breaches in 2017:

“In late February, a typo at Amazon Web Services took down a portion of the cloud for a few hours. From an insurance perspective, this event served as a wake-up call that even the largest cloud vendors are vulnerable to downtimes. Due to insurance waiting periods, the insured loss was negligible from this event. Later in the year, we saw major outbreaks of ransomware, with WannaCry and Petya/NotPetya being most notable. While the loss from companies paying ransoms was minimal, the business interruption due to these events impacted major organizations such as Merck and FedEx. Toward the end of the year, we saw the major Equifax breach, which served as a reminder that while aggregation events are important to consider when managing cyber risk, it is imperative to also continue to consider individual company breaches, as well.”

The number and types of cybersecurity threats multiply with each new online endeavor. The insurance industry, meanwhile, with its focus on risk analysis and prevention, is in a unique position to battle cyber criminals and malfeasance.

But this call to action for insurance comes at a time when the industry is already challenged to reinvent itself for today's digital consumers.

The impact of widespread cybercrimes in 2017, paired with InsurTech innovations, is spurring change in the way cyber insurance is sold and packaged, along with the role that insurers play in cybersecurity.

Here are a half-dozen ways that cybersecurity is changing as a result of the major breaches of 2017:

6. Finance and insurance regulators are taking a stand.

On the heels of the cybersecurity regulation adopted by the New York Department of Financial Services, the NAIC issued its own cybersecurity model law meant to provide guidance for state insurance regulators.

“EY's 2017 Insurance Chief Risk Officer Survey reveals insurance CROs consider cyber threats a top five risk, and health CROs are particularly on alert as a serious breach would compromise sensitive customer data and personal information,” said EY principal Chris Lanzilotta. “It's been a key discussion at all levels.”

Company concerns include complying with current and forthcoming cybersecurity regulations, and stepping up protections of sensitive client data.

Lanzilotta continued: “Elevated regulatory scrutiny combined with the increasing frequency and sophistication of cyberthreats has carriers acknowledging the fact that cybersecurity is a key business issue, not just a technology issue, and needs to be addressed at all levels. This has our clients revisiting their strategy and investing in innovation, threat intelligence, cyber leadership and talent that is a fit for their culture and business environment, and integrating cyber risk management throughout the organization.”

5. Insurers are exploring more sophisticated cyber insurance and security services.

“As cyberattacks become more frequent and more complex, there are concerns that hackers could target America's industrial control systems, causing power outages and electrical grid failures,” said David Gerlach, senior director of information security and privacy at Applied Systems Inc. “This goes far beyond what cyber insurance was created to cover. So it begs the question, 'Should cyber insurance cover only financial losses caused by information breaches or with these potential threats in mind, should it cover all encompassing harm due to cyber technology?'”

Gerlach predicted that the coming year will see cyber insurers expanding their products and services.

He continued: “Cybersecurity is becoming much more than protecting information—it's become about protecting a client's well-being. There are many other questions insurers will have to answer, however. Will this kind of cyber insurance be available to everyday consumers? Businesses? The government even? What we do know is the cyber insurance landscape will continue to change drastically as new technologies and new hackers become known.”

Deloitte's cybersecurity analysts also deduced that there is now “increasing pressure from insurance company officers and directors to enhance cyber security, vigilance, and resilience.”

4. Cybersecurity now demands a more sophisticated insurance workforce.

Gone are the days when information security was the function of an isolated, insular department within a larger operation.

“It's not just that the cybersecurity and information security area needs to own that. It needs to be owned across the organization,” said Tracey Malcolm, the global future of work leader at Willis Towers Watson.

In light of findings in the “2017 Willis Towers Watson Cyber Risk Survey,” Malcolm said organizations are moving from the defensive to the offensive when it comes to cybersecurity, and that means training staff at all levels on best practices that serve both a security function and the business as a whole.

“It's the orientation that cybersecurity can no longer be part of a support function,” she said. New positions within insurance now tend to be hybrid roles filled by people with both a traditional business acumen and the ability to advance the organization's cybersecurity protocols.

3. Ransomware grows up.

Heretofore, most cyber crimes focused on stealing money or personal records with hopes that victims will pay to keep those records secure. Now, cyber criminals are learning to go after entire information security systems, the impact of which can be catastrophic, says Rotem Iram, CEO and co-founder of the new cyber insurance company At-Bay, whose products include a detailed cyberthreat analysis.

In June, for instance, the Danish shipping company Maersk was targeted with the Petya ransomware virus. Attackers demanded a modest amount of money to remove the virus. But the process of recovering from the event disrupted the company's international shipping operation, with a loss of business income reported to be around $300 million.

“This is a huge exposure that isn't covered anywhere, because the traditional P&C policy that Maersk has now has a cyber exclusion, and the cyber policy that Maersk has has a very strong sublimit on business interruption,” Iram said. “Basically, this is where the core construct of the insurance product becomes visible, because as companies become more and more dependent on technology, risks to technology become risks to the business.”

2. Cyber risk modeling is evolving for the changing threat.

Scott Stransky with AIR Worldwide said that despite the many eye-opening cybersecurity events during 2017, the insurance industry did not suffer significant cyber losses.

“Insurers have taken a conservative approach with cyber and while this is effective at protecting their balance sheets, there are some negative tradeoffs to that strategy such as missed growth opportunities or lack of innovation,” Stransky said. “To overcome these drawbacks, insurers have increasingly been relying on flexible and transparent catastrophe models to test how their portfolios would respond to new and unforeseen cyber threats or evaluate the impact of introducing different policy terms and conditions to their book of business.”

1. Insurers stepped up cyber insurance sales and marketing.

Cyber insurance is no longer solely the concern of the commercial insurance world, according to GlobalData, a leading data and analytics company. Going forward, in light of the Equifax hack as well as the scope of the WannaCry and Petya events, individuals may have no choice but to seek personal insurance protection from cybercrime.

GlobalData financial analyst Daniel Pearce said insurers such as AIG, Hiscox and Hartford Steam Boiler Inspection and Insurance Co., and Oak Underwriting already offer personal cyber insurance, and the field is expected to rapidly expand, particularly for the high-net-worth (HNW) market.

“The cover will aim to provide HNW customers with support by investigating and rectifying any damage caused to their device, locating and removing viruses, as well as providing professional consultation in order to prevent future cyberattacks,” Pearce said.

Although such products may initially be offered as add-ons, the potential to offer cyber insurance as a standalone policy is likely to emerge over time, he said, once the market develops and uptake increases.

From: PropertyCasualty360
