Cyber is one of the most dynamic risks out there. It’s constantly evolving thanks to the digitization and globalization of business, and the reliance of humans on technology to carry out routine tasks. There’s greater connectivity than ever before due to the rapid development of the Internet of Things and the human desire for real-time service, whether that’s internet shopping at the click of a button or controlling your office thermostat from your smartphone so that it’s the perfect temperature for when you arrive at work.
There’s a whole horde of emerging cyber risks impacting companies in the US and around the world, some of which are people-driven and others that are more dynamic in nature. Common people-driven exposures include: social engineering, where a cybercriminal impersonates another individual to trick someone into transferring money to the wrong account; and physical damage, such as intellectual property destruction and cryptojacking.
The more dynamic risks revolve around company systems, networks and their supply chains. If a company is reliant on a vendor, and that third party’s systems go down, how will that affect their supply chain, or vice versa? Furthermore, if that vendor’s systems are infected with malware, will that malware creep into your company’s systems? These issues are amplified tenfold if the vendor is a large cloud provider.
“Outage of one [of the top four cloud] providers for three to six days could cost up to $19 billion in economic damages, according to statistics provided by AIR Worldwide,” said Steve Whelan, director of management/professional liability product development at ISO, a Verisk business and provider of advanced tools and analytics for the property/casualty insurance industry.
“Another interesting statistic is the top four cloud providers account for about 61% of market share. The risk facing underwriters here is they’re unable to get complete information on cloud providers used by an organization, and oftentimes, they’re unable to find out … which cloud service providers companies are using, as a percentage, more than others. Cloud outages present a risk for an individual business, and more significantly on an aggregate basis. Imagine if one of these four large cloud providers is completely shut down, and how many organizations rely on that cloud service provider without a backup. This could have multiple impacts on an aggregated basis across multiple businesses in the insurance field.”
Two of the other most prevalent dynamic cyber risks include data breaches and ransomware. Both exposures have dominated headlines in recent years thanks to the dramatic increase in the frequency and severity of incidents. Approximately 60% of global businesses have reported at least one data breach in their history, with 30% reporting their breach in 2019, making it the worst year on record for data breaches. The trends in ransomware are no less gloomy. Ransomware attacks against US businesses in 2019 grew 41% to over 205,000 organizations, and, at the same time, payment requests have shot up from the four- or five-figure range to six figures and beyond.
“This leads us to talk about the challenges in underwriting cyber, facing all these emerging risks, and assessing what these risks mean,” said Whelan. “What we’re finding in speaking with the insurance community is that many underwriters are getting incomplete underwriting information, the applications that they’re getting are not being filled out, or they’re not being filled out with the correct information. There’s minimal real-time security data available to them, there’s a lack of insurance underwriting specific risk analytics, there are underwriting workflow gaps, and there are rapidly evolving threats, such as the coronavirus, that they need to adjust to in the underwriting process.
“Several weeks ago, coronavirus would have never been thought of as a cyber risk, but it is today. There are organizations that are having people work off site rather than coming into the office, so there’s a threat facing these organizations now with people using unsecured servers. [Also] there’s a lot of email phishing that’s taking place with subject lines like ‘Coronavirus update,’ where they’re trying to lure people into an email that may be infected with malicious software.”
The trick to cyber insurance underwriting is digging down as deep as possible into a prospect’s security systems and protocols, according to Whelan, using both internal and external intelligence to gather as much information about an organization, their cyber hygiene, and their cyber posture. That includes looking into an organization’s primary domain, while also analyzing their site encryption, email security, connectivity, and their geolocation.
“Real-time security data and up-to-date information is difficult for an underwriter to obtain, and, even if they get it, interpreting that information and what it means for underwriting a risk is extremely difficult,” Whelan remarked. “What Verisk has done, which we think is one of the innovative proprietary parts of the Verisk Cyber Underwriting Report, is that the team is scrubbing through all of our data and information to make sure that we’re matching a company to their proper domain. It sounds like an easy task, but it isn’t - the reason being that there are a lot of data sets out in the marketplace by third-party vendors that list a company and a domain, and it’s not necessarily the right domain for that company.
“If we can find a domain and match it to a company, then we are able to access that domain and can watch traffic through that domain to identify their service providers, their cyber posture, their patching cadence, their cloud service providers, and which cloud service providers they’re using as a percentage more than others. We can compile all this information and run that algorithm through a data set to make an analysis of that company’s risks.”