Facing up to cyber

Insurers are stepping up to deal with the changing face of digital risk, says Safeonline COO Geoff Kinsella

When Safeonline was born 16 years ago there were very few underwriters or brokers interested in the cyber risk class. Wordings were basic and sub-limited and the overall capacity available low. The worldwide web was being used by a limited number of corporate “devotees” through dial-up connections and the dotcom boom was just beginning to take shape. The medium of social interaction was still confined to email or to the local pub. Phenomena such as e-commerce, social media and cloud technology were just fanciful concepts, unknown to all but a chosen few.

Technology security was the domain (no pun intended) of the IT professional, and data security or data risk management hardly raised its head in the boardroom.

There were those, however, in the insurance market at the time, like Safeonline, that spotted the IT revolution that was looming and started to create a market in London for this nascent risk class. Wordings were devised, online platforms built and the number of carriers entering the market increased.

However, the speed of adoption was slow and there was a general lack of appetite among buyers to incept coverage. Lack of losses and a general lack of education about the potential risk areas facing their company, or indeed about the coverage that was afforded by a specialist cyber wording, contributed to the malaise.

Legislation around privacy was also evolving, but the fact that breaches did not need to be disclosed at the time meant that many losses remained below the public radar. This lack of transparency did nothing to raise the awareness of the potential dangers lurking in the cyber-risk shadows.

Similarly, the nature of hacking was very different in those early years. Many hackers were sole operators, opportunistic in their approach and looking for a quick financial reward for their efforts.

Fast-forward to 2015 and it is incredible how the digital landscape has changed and continues to do so. The difficulty of course, with any insurance product devised to respond to cyber risk, is that the risks themselves are changing almost on a daily basis.

Add to the mix the ever more sophisticated malefactors that are out to find ways of breaching the systems upon which the business world is now reliant and it’s clear the need for the insurance market to innovate and to be responsive to the speed of change remains paramount.

The commercial world is also fuelling the change in digital risk, with more companies collecting an ever-increasing amount of customer data as more business is conducted online. The concept of big data is a reality and if information concerning consumer preferences and orientations gets into the wrong hands the consequences are great.

The adoption of cloud-based technologies, where data, applications and software are being stored remotely on third-party servers, increases the potential for loss, especially as many of these services are browser-based.

It is interesting how many companies are willing to hand over their key business asset to third-party vendors without a clear understanding of the vendor’s own data security or disaster recovery plans. Often the third-party provider is a smaller company than the client, and this should raise alarm bells. Many third-party vendors also outsource part of their services to others – a fact that the initial client may not be aware of. There have been some significant losses as a result.

This is a growing issue for buyers and insurers alike and much more due diligence will be required in the future on this aspect of risk.

No industry sector seems immune to the hackers’ wrath with areas ranging from hospitality to healthcare, professional to retail, and manufacturers to entertainment all victims in recent times of some form of intrusion or data loss.

The motivations for and the classifications of attacks are also diverse and different from the past. Point-of-sale intrusions are the big news story at the moment as there have been some very high-profile incidents of late, with the breach of major US retailer Target being of particular significance.

These remote attacks on retail credit card transactions have impacted on many retail entities, including hospitality and food services. Card skimming through the tampering with or replacing of the card reader devices is on the rise and often instigated from faraway countries.

Interestingly, while these headline-grabbing events are the ones upon which many focus, it is clear that human error and the physical theft and/or loss of an information asset are still major causes of data breaches. Lost, discarded or stolen mobile devices, including laptops, smartphones and portable memory devices, account for more than 30 percent of the world’s digital breaches at this time.

With the advent of ever more sophisticated smartphones (and who really knows what new risks Google Glass technology will bring), loss potential is growing. Shipments of PCs were dwarfed last year by those of smartphones, while mobile devices have become the most popular method for accessing the internet.

Norton recently reported that 49 percent of respondents to a survey it conducted said that they use their personal smart device for work and play. And 34 percent admitted using work devices for accessing their social network. The mind boggles with the potential loss scenarios that could ensue.

The various types of attack are also changing with “hacktivists”, government-sponsored cyber espionage and cyber extortion on the rise. Criminal groups have replaced the sole trader and these groups are well resourced and willing to play a waiting game. Unlike the smash-and-grab tactics of old, many hackers now infiltrate networks and remain inside them unnoticed for long periods, perhaps even years, before striking.

High-profile attacks of recent times are indeed grabbing the attention of buyers and insurers alike. When one considers that companies with massive IT security budgets such as Adobe, Vodafone, Sony or Apple have been victims of cyber-attacks, it gives credence to the adage often heard in the cyber market currently that “it is not a case of if, but when” a company is likely to become the next victim.

But generally, hackers will look to target smaller organisations where they know that the defence budgets are small and they can use these organisations as a way into larger companies. The internet security threat report by Symantec in 2013 identified the largest growth area for targeted attacks as businesses with fewer than 250 employees.

The legislative environment is also changing in Europe, but there is some debate as to how the new legislation will impact demand for cyber insurance. When the EU data protection regulation comes into effect many believe that the new fines and notification regimes will increase demand. This is likely to be the case, but the lead time will be much longer, in my opinion, than many think.

If the increasing profile and quantum of losses that are visible today are not motivation enough, is legislation likely to change the perception of need? Yes, the new notification legislation in the US in 2003 did fuel more cyber insurance buying, but the litigation landscape in the US is very different to Europe.

So how has the insurance market responded to the changing digital risk landscape? I am pleased to report, very well indeed. Policy wordings are continually evolving to offer more comprehensive coverage. The sub-limits that used to abound are being replaced by the offer of full policy limits for areas such as crisis management expenses, customer notification expenses, payment card industry fines and credit monitoring expenses.

Capacity has also increased, with 20 markets now active in this class. Solutions are now readily available for cyber-extortion and also for cyber-terrorism where none existed previously. Third-party vendors are also covered, with protection offered for cloud-based service providers (although the potential aggregation risks that underwriters face from cloud technology are a growing area of concern).

There are other areas of cyber risk that are beginning to cause concern – for example, the potential for cyber losses to physical assets that are reliant on old process control infrastructures. As I said previously, nothing stands still for long in this space.

The good news is that as the face of digital risk changes, the insurance community is stepping up to meet the challenges our clients face.

(This article appeared in the Insider Quarterly, part of Insurance Insider)
