From Petya and NotPetya to WannaCry, it’s been the year of the cyberattack. Just yesterday – in a somewhat embarrassing turn of events – consulting firm Deloitte, which offers cybersecurity advice, confirmed that it had suffered a hack.
But with insurers of all kinds – including those that don’t even offer cyber coverage – facing growing ‘silent cyber’ exposure, could the industry handle a major wide-scale cyberattack?
Celebrate excellence in insurance. Join us for the Insurance Business Awards in Chicago on October 26!
In a rapidly digitising world, many insurers are unwittingly opening themselves up to cyber exposure through non-cyber policies, a Willis Re report revealed earlier this month. Both commercial and personal lines insurers are exposed to ‘silent cyber’ risks embedded into traditional, non-cyber policies, the report found – but there is no clear consensus as to what extent.
“The industry is struggling to estimate what the exposure might be because there is no clear mechanism for assessing it,” Mark Synnott, global cyber practice leader at Willis Re, told Insurance Business. “Most insurers that we know of are trying to assess their exposure by constructing scenarios of worst case outcomes, or what the Lloyd’s market terms realistic disaster scenarios,” he explained.
Following the revelation last week that the NotPetya attack in June cost FedEx £220 million ($300 million), the director of cyber risk at
ITC Secure Networking told Insurance Business that the trend for attacks looks set to continue – and the insurance industry has some work to do.
“I’ve always had an interest to see how the cyber insurance market protects itself, in terms of what due diligence it does before offering policies, and in terms of really understanding what risk they’re taking on,” Gareth Lindahl-Wise said.
As attacks increase and hackers become more sophisticated, insurers need to be clear on the difference between covering those that have acted properly but still fallen victim to an attack, and those operating below regulatory standards or industry best practice.
“They need to find the balance between insuring against unfortunate circumstances as opposed to incompetence or negligence,” Lindahl-Wise explained. “If insurers don’t get their own due diligence right, that’s going to push the premium for everyone up and possibly push it out of reach,” he said.
That’s not going to be easy though: “It’s a challenge because as a relatively young field, cyber insurers don’t have the actuarial data that other fields do to assess the risk from that point of view,” he explained.
But the cyber security industry may have the insight that insurers need, and combining the two forces could lead to a better outcome for all involved, according to Lindahl-Wise.
“If we can help get that balance right, I think you’ve got an effective use of resources and insurance becomes an additional form of risk management as opposed to a deferral,” he said.
Related stories:
Short-term ramifications for the cyber marketplace after Equifax
Why the Equifax hack was not a surprise