In 1957, while at his home in Richmond, Virginia, a blind seven-year-old boy named Joe “Joybubbles” Engressia discovered that by whistling into the phone at a frequency of 2600 Hz he was able to mimic the dial tone used by AT&T to route calls, an exploit that allowed long-distance calls to be made free of charge.
The realisation that new technologies were vulnerable to manipulation germinated rapidly and, 60 years on from Engressia’s quaint telecommunications hack, the subculture had evolved to the point where a single piece of malicious code was capable of inflicting damage to the global economy totalling billions of dollars.
“The cyber insurance industry is growing at about 30% per-annum but still has a very long way to go,” explains Pascal Millaire, the Chief Executive Officer of CyberCube, an analytics firm designed to enable more comprehensive underwriting of cyber risks.
Reinsurance News sat down with Millaire, who has led CyberCube since departing Symantec earlier this year, for a wide-ranging conversation on cyber risk and the ways in which it will shape the re/insurance industry moving forward.
“At present there’s around $4 billion per year in cyber premium, however the underlying risk to the economy exceeds $400 billion per year, and is growing,” states Millaire.
CyberCube’s clients rely on its ability to model and interpret the complex scenarios in which cyber attacks develop. With such an unpredictable and potentially devastating risk capable of spreading unbound by traditional constraints such as geography (and across different lines of business), re/insurers’ ability to adequately price premiums is being pushed to its limit.
“It’s a very difficult issue for re/insurers to grapple with. What we’re seeing is cyber risk, or cyber as a peril, turning up as one of the most important D&O risks, it’s turning up in CGL policies, standalone cyber policies, in property policies from a business interruption perspective, and in E&O policies,” adds Millaire.
Commenting on the ways in which CyberCube approaches modelling cyber risk, Millaire explains, “We do it on the basis of scenarios, we’ve gone through a pretty extensive process of generating around 800 scenarios that could impact single companies, that could pose aggregation risks to the economy and could therefore lead to insurance losses.”
“We whittled those down to the 23 scenario classes that we think are most relevant to the insurance industry today, and what we do here at CyberCube is we then model those scenario classes at a cost-component level and then allow our clients to decide for themselves whether a particular policy will or will not respond to a particular scenario,” he adds.
Interestingly, it’s often the habits of cyber insurance policyholders themselves that determine the kinds of risks they’re likely to fall victim to. Sub-standard cyber security culture within a company of any size can take many forms, be seen throughout all levels of the business, and is comparable to a hospital with poor hygiene practices, leaving the door wide open for an unchecked spread of infection.
“Culture is a really important line of defence when it comes to protecting against cyber attacks. Given a large portion of attacks are perpetrated through phishing, having a well trained workforce that knows how to spot such schemes is really important,” says Millaire.
“Ultimately, if you’re an underwriter trying to compare two very similar companies, one of the differentiators is whether or not the company can communicate a culture of security – and that can play a big role in terms of the pricing they receive and, in some cases, whether they get coverage at all.”
Moving forward, the industry faces perhaps its biggest adversary in the rise in frequency and scale of cyber attacks, facilitated by the rampant spread of IoT devices and massive companies rushing prematurely to exploit the newest and most promising technology available.
“You could argue that the cyber insurance market is seeing impressive growth that is unparalleled anywhere else in the insurance industry, but on the other hand that growth isn’t actually fast enough to capture the state of cyber risk today, let alone the future of cyber risk,” says Millaire.
“Today, there are approximately 20 billion IoT devices on the planet and that number is shortly expected to exceed 200 billion. The internet is connecting to every part of our lives and therefore changing the nature of risk; in our home, in retail environments and offices, factories, vehicles, cities and the urban infrastructure that we live in.”
“I think as we shift to an increasingly interconnected, automated, cloud-based society the very nature of risk is going to be fundamentally changed and if the insurance industry wants to remain relevant, it’s absolutely essential that it understands this,” he adds.
In the small and medium-sized enterprise (SME) space, Millaire believes that cyber security is often “far below where it needs to be” and that “some of the fundamental building blocks of good cyber security hygiene, such as up-to-date endpoint protection or multi-factor authentication, simply aren’t in place – but they absolutely must be.”
Concurrently, in the major enterprise space, you have some of the world’s largest companies spending in excess of $100 million per year on cyber security and, in those cases, “there may be incremental cyber investments that they might be able to make to improve their security posture.”
“In many cases however, incremental investment may be better spent buying risk transfer solutions such as insurance rather than spending another $1-2 million on more software and services,” adds Millaire.
This power balance will continue to escalate, each side trading blows as the global re/insurance industry accelerates efforts of self-protection whilst deepening its understanding of the technology integrated within it.
The biggest concern, however, is that re/insurers will fail to act until it’s too late and learn their lesson the hard way via a wholly-avoidable loss event, or series of events, on a scale not yet experienced.