It hardly takes a high-tech guru to deduce that 2017 was a year when cybersecurity concerns caused businesses of all sizes to quake over losses both real and anticipated.
"Cybersecurity is as big an issue as there's ever been in the insurance industry," says Adam Hamm, managing director of global consultancy for Protiviti, former president of the National Association of Insurance Commissioners (NAIC) and past chairman of that group’s Cybersecurity Task Force. "At least over the last generation, I've never seen an issue that's bigger than cybersecurity, because we're talking about breach after breach after breach."
Year-end financial reports support Hamm's hypothesis. Consider that analysts behind Deloitte's "2018 Insurance Regulatory Outlook" and "2018 Insurance Outlook" determined that cyber crimes cost financial services businesses more than ever before. Despite extensive efforts to minimize cyber crime, financial services still experienced the highest average annualized cost of cyber crime by industry sector at $18.28 billion. This is 6% higher than second-ranked utilities and energy, and 26% more than aerospace and defense companies, which rank third.
Scott Stransky, assistant vice president and principal scientist at the catastrophe modeling firm AIR Worldwide, points to the many headline-grabbing cyber breaches in 2017:
"In late February, a typo at Amazon Web Services took down a portion of the cloud for a few hours. From an insurance perspective, this event served as a wake-up call that even the largest cloud vendors are vulnerable to downtimes. Due to insurance waiting periods, the insured loss was negligible from this event. Later in the year, we saw major outbreaks of ransomware, with WannaCry and Petya/NotPetya being most notable. While the loss from companies paying ransoms was minimal, the business interruption due to these events impacted major organizations such as Merck and FedEx. Toward the end of the year, we saw the major Equifax breach, which served as a reminder that while aggregation events are important to consider when managing cyber risk, it is imperative to also continue to consider individual company breaches, as well."
The number and types of cybersecurity threats multiply with each new online endeavor. The insurance industry, meanwhile, with its focus on risk analysis and prevention, is in a unique position to battle cyber criminals and malfeasance.
But this call to action for insurance comes at a time when the industry is already challenged to reinvent itself for today's digital consumers.
The impact of widespread cybercrimes in 2017, paired with InsurTech innovations, is spurring change in the way cyberinsurance is sold and packaged, along with the role that insurers play in cybersecurity.
Here are a half-dozen ways that cybersecurity is changing as a result of the major breaches of 2017.
A June 2014 report from McAfee found that cyber crime costs the global economy roughly $445 billion annually. That estimate may be low as the number and types of cyber crimes continue to expand. (Photo: iStock)
No. 6: Finance and insurance regulators are taking a stand.
On the heels of the Cybersecurity Regulation adopted by the New York Department of Financial Services, the NAIC also issued its own cybersecurity model law meant to provide guidance for state insurance regulators.
"EY's 2017 Insurance Chief Risk Officer Survey reveals insurance CROs consider cyber threats a top five risk, and health CROs are particularly on alert as a serious breach would compromise sensitive customer data and personal information," says EY Principal Chris Lanzilotta. "It's been a key discussion at all levels."
Company concerns include complying with current and forthcoming cybersecurity regulations, and stepping up protections of sensitive client data.
Lanzilotta continues: "Elevated regulatory scrutiny combined with the increasing frequency and sophistication of cyber threats has carriers acknowledging the fact that cybersecurity is a key business issue, not just a technology issue, and needs to be addressed at all levels. This has our clients revisiting their strategy and investing in innovation, threat intelligence, cyber leadership and talent that is a fit for their culture and business environment, and integrating cyber risk management throughout the organization."
Juniper Research has estimated that the costs of cyber crime could be as high as $2.1 trillion by 2019. (Photo: iStock)
No. 5: Insurers are exploring more sophisticated cyber insurance and security services.
"As cyberattacks become more frequent and more complex, there are concerns that hackers could target America's industrial control systems, causing power outages and electrical grid failures," says David Gerlach, senior director of Information Security and Privacy at Applied Systems, Inc. "This goes far beyond what cyber insurance was created to cover. So it begs the question, 'Should cyber insurance cover only financial losses caused by information breaches or with these potential threats in mind, should it cover all encompassing harm due to cyber technology?'"
Gerlach predicts that the coming year will see cyber insurers expanding their products and services.
He continues: "Cybersecurity is becoming much more than protecting information — it's become about protecting a client's wellbeing. There are many other questions insurers will have to answer, however. Will this kind of cyber insurance be available to everyday consumers? Businesses? The government even? What we do know is the cyber insurance landscape will continue to change drastically as new technologies and new hackers become known."
Deloitte's cybersecurity analysts also deduced that there is now "increasing pressure from insurance company officers and directors to enhance cyber security, vigilance, and resilience."
Computers in roughly 75 countries were impacted by the Spring 2017 WannaCry ransomware virus. (Photo: iStock)
No. 4: Cybersecurity now demands a more sophisticated insurance workforce.
Gone are the days when information security was the function of an isolated, insular department within a larger operation.
"It's not just that the cybersecurity and information security area needs to own that. It needs to be owned across the organization," says Tracey Malcolm, the Global Future of Work Leader for Willis Towers Watson.
In light of findings in the "2017 Willis Towers Watson Cyber Risk Survey," Malcolm said organizations are moving from the defensive to the offensive when it comes to cybersecurity, and that means training staff at all levels on best practices that serve both a security function and the business as a whole.
"It's the orientation that cybersecurity can no longer be part of a support function," she says. New positions within insurance now tend to be hybrid roles filled by people with both a traditional business acumen and the ability to advance the organization’s cybersecurity protocols.
Equifax announced in September that an identity theft hack impacted about 145.5 million of its customers in the U.S. and many thousands more worldwide. (Photo: AP Images)
No. 3: Ransomware grows up.
Heretofore, most cyber crimes focused on stealing money or personal records with hopes that victims will pay to keep those records secure. Now, cyber criminals are learning to go after entire information security systems, the impact of which can be catastrophic, says Rotem Iram, CEO and co-Founder of the new cyber insurance company At-Bay, whose products include a detailed cyber threat analysis.
In June, for instance, the Danish shipping company Maersk was targeted with the Petya ransomware virus. Attackers demanded a modest amount of money to remove the virus. But the process of recovering from the event disrupted the company’s international shipping operation, with a loss of business income reported to be around $300 million.
"This is a huge exposure that isn't covered anywhere, because the traditional P&C policy that Maersk has now has a cyber exclusion, and the cyber policy that Maersk has has a very strong sublimit on business interruption," Iram says. "Basically, this is where the core construct of the insurance product becomes visible, because as companies become more and more dependent on technology, risks to technology become risks to the business."
The Summer 2017 Petya ransomware attack targeted Microsoft Windows-based systems worldwide. During the attack, the radiation monitoring system at Ukraine's Chernobyl Nuclear Power Plant went offline, and several companies experienced serious business interruptions. (Photo: AP Images)
No. 2: Cyber risk modeling is evolving for the changing threat.
Scott Stransky with AIR Worldwide says that despite the many eye-opening cybersecurity events during 2017, the insurance industry did not suffer significant cyber losses.
"Insurers have taken a conservative approach with cyber and while this is effective at protecting their balance sheets, there are some negative tradeoffs to that strategy such as missed growth opportunities or lack of innovation," Stransky says. "To overcome these drawbacks, insurers have increasingly been relying on flexible and transparent catastrophe models to test how their portfolios would respond to new and unforeseen cyber threats or evaluate the impact of introducing different policy terms and conditions to their book of business."
As a result of 2017's global Petya attack, NATO Secretary-General Jens Stoltenberg pressed the alliance to strengthen its cyber defenses. (Photo: iStock)
No. 1: Insurers stepped up cyber insurance sales and marketing.
Cyber insurance is no longer solely the concern of the commercial insurance world, according to GlobalData, a leading data and analytics company. Going forward — in light of the Equifax hack as well as the scope of the WannaCry and Petya events — individuals may have no choice but to seek personal insurance protection from cyber crime.
GlobalData Financial Analyst Daniel Pearce says insurers such as AIG, Hiscox, Hartford Steam Boiler Inspection and Insurance Company, and Oak Underwriting already offer personal cyber insurance, and the field is expected to rapidly expand — particularly for the high-net-worth (HNW) market.
"The cover will aim to provide HNW customers with support by investigating and rectifying any damage caused to their device, locating and removing viruses, as well as providing professional consultation in order to prevent future cyber-attacks," Pearce says.
Although such products may initially be offered as add-ons, the potential to offer cyber insurance as a standalone policy is likely to emerge over time, Pearce says, once the market develops and uptake increases.