Recent attacks on the Colonial Pipeline and on the meat processor JCS have highlighted the ongoing threat of cyber attacks to national infrastructure and the global supply chain, and shown that there is an urgent need for the cyber market to “catch up” with the risk.
This is according to Bethany Vohlers, Senior Manager for Cyber Solutions at Verisk, who recently spoke to Reinsurance News about the challenges facing cyber re/insurers.
The volume of cyber claims and the overall cost of cyber crime has been rising steadily in recent years and is now a major global issue, which will require close collaboration between insurers, insureds, government agencies and technology vendors, Vohlers explained.
“Regulatory bodies and groups across government, enterprise IT and insurance are actively working to progress standards on cybersecurity and cyber insurance, but there is more to be done on the collaboration front,” she told Reinsurance News.
“Enhanced reporting, information sharing and standardisation agreements between insurers, insureds, cyberattack victims and other organisations are key to positively shape the cyber market and make it truly fit for purpose.”
“The fast-evolving methods used by cybercriminals and the varied impact on organisations makes it very difficult to accurately establish true figures for losses. Other insurance perils and markets already have decades of data behind them for use in better understanding exposures and informing decision-making. The cyber market will need to catch up – and fast.”
Vohlers recommended that re/insurers target a standardised format for collecting policy questionnaire responses, loss data and other key claims information.
Such a database would provide a significant asset to the insurance industry, aiding the development of cyber products, providing access to critical business intelligence and helping underwriters make better decisions around cyber risk.
But insurers need to be careful to balance their requests for cybersecurity information from applicants with ability, willingness and knowledge, Vohlers added, for example by avoiding vague, high-level questions on application questionnaires in favour of more insightful alternatives.
What’s more, information may not always be fully accurate and up-to-date, putting underwriters in a difficult position when assessing risk and issuing policies, although third-party audits and cloud vulnerability scanning agreed between both insurer and insured will go some way towards mitigating these challenges.
“The pace of change is relentless in the cyber market, with shifting exposures and varying coverage levels. The London Market is shouldering a significant proportion of global cyber risk, and market underwriters must be able to get to grips with the fast-changing situation,” Vohlers went on.
“Are existing cyber risk models up to the task? There are currently understandable differences between models. Loss estimations for various types of cyberattacks, whether for enterprise-wide ransomware attacks to large-scale data theft, all vary. Portfolios must be regularly evaluated to assess the risks posed by new tactics and threats posed by cybercriminals. The rising volume and scale of cyberattacks makes this a challenging endeavour.”
Another issue that has altered the landscape of the cyber market over the last year or so has been the move to remote and hybrid work strategies, which has in many cases has increased the vulnerability of employees and their organisations to greater phishing scams and other cybersecurity threats.
While it ultimately remains up to these organisations to manage post-pandemic working strategies and to educate their workforce on cyber threats, Vohlers says that insurers too can help firms to mitigate their risks in this new environment.
“Insurers must play their part by offering incentives to encourage organisations to use dedicated cybersecurity tools, such as offering better coverage rates and options in exchange for engaging in regular training and third-party audits and committing to following best practice,” she asserted. “Ultimately, this will never eliminate the chance of a successful cyberattack, but it can help significantly manage risk.”
“Organisations must be aware of potential vulnerabilities both internally and within their supply chain – and this becomes particularly urgent given the ongoing mass migration of IT services and operations to the cloud. Are organisations and their insurers fully aware of their vulnerabilities – and have they done everything possible to minimise them, such as vulnerability scanning? Will they be able to react quickly to newly discovered exploits or attack methods?”
