The Changing Role Of Cyber Insurance
Across the globe, our teams have observed these new cyber trends emerging over the past year, with many emerging over the past six months. These trends represent new developments in the cyber risk and security landscape and may have significant implications for both companies and consumers. Today, many cyber risks have become systemic. Such large-scale, rapid-fire attacks spread from one country to another. The globally disruptive cyber-threats of 2017 unite businesses and individuals around the world in a common endeavor to stay secure.
From helping companies adopt some of the world’s leading best practices for cybersecurity to consulting individuals on how to help protect their identities in the aftermath of large-scale data breaches, AIG can deliver unique perspectives that stem from our longstanding experience as a global leader in cyber insurance. As cyber risks around the world become increasingly interconnected, AIG can help its clients develop global cyber risk solutions and can deliver, through collaborative partnerships, the meaningful risk insights that enable stronger and safer outcomes.
Cyber Insurance Evolves to Protect Against Unprecedented Risks
As hackers’ motivations have apparently become broader than disclosing or selling consumers’ personal data, global cyber risk insurance has moved quickly to protect against today’s new cyber threats. Cyber risk insurance, which originally protected against “data breaches and disclosure of information…has expanded” to help safeguard companies and individuals against “physical losses” such as “bodily injury and property damage” incurred from cyberattacks, says Tracie Grella, AIG’s Global Head of Cyber.
“In the early days, organizations that were looking to buy cyber coverage were focused on data loss,” explains Grella, “so [we partnered with] more financial institutions, retailers, and healthcare companies.” However, Grella notes that “as more companies have become aware of cyber risks…and as connectivity continues to grow, manufacturers, transportation companies, and oil and gas and energy companies are all concerned about the cyber risks that they face.” Since the larger risks for these companies are “business downtime and potential destructive attacks,” some insurance policies, such as AIG’s, “have evolved to be able to address those exposures.” Grella explains that physical damage may be covered “either within a cyber policy or, potentially, within a property or GL policy, providing affirmative coverage for cyber-triggered losses that would result in those types of physical losses.”
Demand for cyber insurance is permeating industries and countries, and with the rise of ‘worst-case scenario’ breaches around the world, it is likely that even more organizations and individuals will take an interest in protecting themselves. Today’s large-scale data breaches may pose security risks in fields ranging from aerospace to education. Consider the real threat of a malicious actor obtaining the data needed to access an aircraft control system. Remember that the May 2017 WannaCry ransomware attack hindered not only industries around the world, but universities from Chinai to Canadaii to Italy.iii From CEOs to students, the members of our connected, global society need greater protection from cyberattacks.
Coverage evolves to combat cyberattacks. Cyber triggered data loss coverage then. Cyber triggers business downtime, destructive attacks, bodily injury and property damage now.
Today, some cyber risk insurers are responding to the growing challenge to help secure our world by taking on a wider array of risks and by increasing policy limits. While cyber coverage limits from many cyber insurers “were just $10M three years ago, today insurance brokers are able to place $500M in programs,” says Mark Camillo, AIG’s Head of Cyber, EMEA.iv
Taking on these risks means insurers have an even greater incentive—and are working even harder than before—to analyze their data and to help build models that can analyze cyber risks to better predict clients’ cyber losses. With 20 years of data on what causes cyber risks and losses, insurers are “in a unique position to help manage cyber risk and could [play] a key part in the risk management process for organizations,” explains Grella.
Since cyber risks evolve quickly, and the tactics hackers used “in the early days may not be as relevant today,” it is true that insurers “still need more data and statistics on how companies are protecting themselves, what the impact [of cyberattacks] against certain types of organizations could be, which vendors companies use, and how they’re all tied together” in order to best “manage the systemic risk” of cyberattacks on companies and consumers.
However, Grella emphasizes that the insurance industry is well on its way to becoming a preferred partner for organizations and individuals in the challenge to protect society against cybercrime. “As we collect all of that information and develop more robust underwriting models, which the [insurance] industry is working on—and we see them coming out at this point—we will be in a position to take all of our past claims data” as well as “all the information about controls that organizations have and the impact cyberattacks could have on those organizations” and “bring all of these analytics together so that we can quantify cyber risk for our clients.” The goal for cyber insurers is “to be able to say that these controls directly impact cyber risk by X dollars. That’s where the industry and others that are helping the industry are trying to get to—and that’s what companies want to know,” says Grella.
The stress testing, scenario planning, and data analysis that the insurance industry carries out regularly in order to help protect clients may prove increasingly valuable to society as cyber incidents become more prevalent and costly for companies and individuals. While insurers and insureds continue to collaborate on post-attack services that can help reduce losses, “the emphasis” of cyber coverage “continues to shift from reactive to proactive, with pre-loss planning and services increasingly taking center stage,” says Camillo.v Insurers are already working to identify and promote the spread of best practices for cybersecurity, and these practices help in “setting the bar” for organizations, for their own interactions with companies within their supply chains, and for individuals as well.vi
Individuals and companies are reaching out to insurers for data and guidance on cyber risk and cybersecurity, and insurers are working quickly to stay a step ahead of the new cyber risk landscape. “I think the insurance industry has a lot to share,” says Grella, “and companies are definitely looking to insurance carriers, knowing that we have a lot of data in that space….There’s been an evolution in…learning more about cyber risks, and in [gathering] enough data to start developing models. But we’re at a point in time when I think you’ll start to see that from the insurance industry,” she says.
i Chen, Stephen. “Why China’s universities are so vulnerable to WannaCry global cyber attack.” South China Morning Post, 16 May 2017. http://www.scmp.com/news/china/policies-politics/article/2094514/why-chinas-universities-are-so-vulnerable-wannacry. Accessed 25 Oct. 2017.
ii The Canadian Press. “Some University of Montreal computers hit with WannaCry virus.” The Globe and Mail, 16 May 2017. https://beta.theglobeandmail.com/news/national/universite-de-montreal-computers-hit-with-wannacry-virus/article35004991/?ref=http://www.theglobeandmail.com& . Accessed 25 Oct. 2017.
iii Melendez, Stephen. “’It Was Chaos’: Here’s How Ransomware Victims Were Affected By The Massive Hack.” Fast Company, 15 May 2017. Accessed 25 Oct. 2017.
iv Camillo, Mark. “Cyber risk and the changing role of insurance.” Journal of Cyber Policy, 27 Mar. 2017, http://www.tandfonline.com/doi/full/10.1080/23738871.2017.1296878. Accessed 19 Sept. 2017.