Cyber in '17: What insurance professionals should expect by Erin Ayers, Advisen
2016 may well be the year that cybersecurity truly came to the attention of the world. Hacked emails, multiple massive data breaches, the proliferation of ransomware, and the grim specter of cyber espionage made it clear that the fight against cyber crime at every level will require expertise, cooperation, and vigilance in 2017.
The insurance industry now occupies a crucial seat at the table as cybersecurity becomes not only a business concern, but a geopolitical one. The US government has time and again looked to the insurance industry for help in understanding the cyber threats faced by businesses – the recent report from the White House’s Commission on Enhancing Cybersecurity specifically cited the role insurance should have in promoting better cyber risk management.
For organizations that watched as others in their fields fell to hackers this year, industry experts expect 2017 to bring about both an increase in the takeup rate of cyber insurance as well as an expansion of the risks covered by the industry.
“2016 was the year that both the insurance industry, and indeed its clients, started to acknowledge that cyber risks go beyond liability from handling personal data,” said Ben Beeson, head of Lockton’s cyber risk practice. “As a consequence in 2017 there will be a sharp acceleration in demand by buyers for insurance solutions to address a much broader spectrum of first and third party losses, such as property damage, business interruption and bodily injury. The property market, in particular, will start to take a much more proactive stance in underwriting and pricing first party cyber risks. This will mean that attempts to drive a marketplace for single primary ‘all risks’ cyber policies will fail to gain traction and ‘difference in conditions’ products will have more relevance to address gaps that may exist across a buyer’s portfolio.”
Christian Hoffman, national practice leader with Aon Risk Solutions, told Advisen that 2016 produced increased demand for cyber coverage from both large organizations and the smaller and middle-market sector.
“This trend will continue in 2017,” said Hoffman. “There is continued focus on cyber assessment and preparedness facilitating demand for risk transfer solutions and ultimately balance sheet protection. The coverage landscape has expanded significantly in 2016 with a movement away from sublimited coverage and towards broad network business interruption, contingent/dependent business interruption and systems failure coverage.”
He added that cyber products evolved to suit not only the traditional buyers such as retail, healthcare, and financial institutions, but other industries including manufacturing, transportation, life sciences, and power/utility companies.
Aon, which introduced an enterprise solution covering cyber-related property damage, bodily injury, and product liability in September, is seeing both interest and purchase of broader products.
Paul Nikhinson of Beazley noted that business worries about network interruption now drive much of the purchasing behavior for organizations.
Hoffman of Aon predicted continued market expansion over the next year, in terms of both capacity and coverage. Most insurers recognize the growth opportunities available in cyber insurance.
“The US cyber market is strong and stable. London capacity is expanding via new syndicate participation and facilities,” said Hoffman. “The Bermuda market continues to grow and gain comfort with cyber exposure. The discussion and coordination of insurance coverage across cyber, property, casualty, crime, kidnap and ransom will continue to grow and evolve. Organizations will seek to address the current lack of clarity and consistency across their insurance portfolio via collaboration across lines of coverage and/or through enterprise solutions.”
Views differ on whether the concept of offering premium discounts for exceptional cyber risk management would see any traction in 2017. Beazley’s Nikhinson noted that while the insurance industry has continued to improve its pricing, the market remains an immature one. The quick evolution of cyber threats makes insurers leery of saying, “if you have xyz, you have Good Security and deserve a discount.”
“I think the insurance industry will get there, but it’s such an immature class of business. They just don’t have the historical data,” said Nikhinson.
According to Hoffman, the market already shows premium stability and even decreases in many cases as a result of basing pricing on information security controls and preparedness.
Lockton’s Beeson predicted a continuation of the return on investment debate in 2017 – but not a resolution.
“Demands from buyers, and in particular from CISOs, for investment in controls to align with insurance outcome will grow,” he said.
According to Jacob Olcott, vice president of business development at BitSight, underwriters will develop programs intended to promote better cyber hygiene. He predicted a new focus on “what happens during the lifetime of a business relationship.”
“In the same way that health insurance providers developed no-smoking policies or provide discounts for gym memberships, cyber insurance underwriters will reward companies for taking a more proactive approach toward cybersecurity,” Olcott said. This would be joined with a data analytics approach to underwriting and modeling cyber risk, he said.
Beeson predicted “major steps forward” in better risk quantification via technology and “financial incentives to reward investment in mitigation” more toward 2018.
Cyber professionals expecting an uptick in activity in 2017 take as their cue the aggressive pace that has characterized 2016.
“It’s been extremely busy,” said Nikhinson, who added that Beazley’s breach response team handled close to 1,800 breaches this year. He predicted a continuation of ransomware, which increased 400 percent this year over 2015, as a top threat.
“2016 has been the year of ransomware and that’ll stretch into 2017,” Nikhinson told Advisen. “It’s the preferred modus operandi for the attackers out there and it’s only growing in scale. I think it’s just the beginning.”
Beazley attempted to “reverse engineer” the reasons driving the spike in ransomware – it all comes down to economics. Stealing and selling credit card data on the dark web has been a reasonably effective strategy for cyber criminals – perhaps too effective.
“Those attacks have been so successful, that right now with the amount of data on the dark web, supply has outstripped demand,” said Nikhinson. “The price points for data are pretty low now. But, if you are an enterprising hacker, you don’t stop, you find a new way.”
Enter ransomware as the “better economic model of the bad guys.” Locking businesses and individuals out of their systems and data for a price means quicker money and less work for hackers, Nikhinson said.
“Even if you only have cat photos on your computer, if I encrypt those cat photos and they have value to you, you’ll pay the ransom,” he added. “The psychology of the thing really favors the bad guys.”
The anonymity of bitcoin payments enabled the rise of ransomware and the generally low ransom demands ensure quick payment, Nikhinson noted. He cited the ransom attack on San Francisco’s public transit system – with hackers demanding $70,000 – as an anomaly.
Nikhinson sounded a warning bell for smaller and middle market organizations, due to hackers’ tendency to aim for easier targets.
“So much of the middle market and down is really woefully underprepared,” he said. “Cybersecurity is people, processes, and technology – you have to invest in all three.”
It’s also common for cybercriminals to talk among themselves and spread the word when a targeted organization pays the ransom. Nikhinson said repeat attacks are quite common.
“It’s not even that they don’t do the right things after the fact, it’s that hackers are going after them harder,” he said.
Experts agree that as the threat landscape develops, it is likely to include the Internet of Things, continued “hacktivism,” and potentially attacks against critical infrastructure.
2016 saw the distributed-denial-of-service attack on Dyn Inc., a domain name system (DNS) provider. It took down many popular websites for hours and involved hackers taking over an army of Internet-connected devices.
“In 2017, we will see more cyberattacks that leverage IoT devices,” said BitSight’s Olcott. “Whether targeting smart meters, connected medical devices, or automobiles, IoT devices have proven their vulnerability, and will come under attack next year. What’s more, we are now prone to the ‘copycat effect,’ where hackers who have witnessed the impact of the Dyn attack will try something similar, hoping to achieve the same or an even greater outcome.”
“These devices were never built with security controls and there’s no way to reverse engineer it back into them,” said Nikhinson of Beazley. “They’re extremely easy to attack and take over and zombify.”
Olcott also predicted a shift in the notion of “critical infrastructure.”
“We’re no longer just speaking about the grid or financial institutions. Critical infrastructure will include key cloud services, like AWS, which could create a huge, detrimental outage should a breach against this service take place. If the DDoS attack on Dyn was so impactful, imagine the repercussions of an outage at a larger service provider,” he said.
If 2016 has had any positive effect, cyber events like the Dyn DDoS and the Yahoo breaches have made it clear to boards of directors that cybersecurity should be a primary business concern.
“Communicating such issues still proves to be a difficult task,” said Olcott. “How do security practitioners take all the information from their network and enterprise and comprise it into something meaningful that a decision-maker can quickly understand? 2017 will bring the rise of security visualizations. Those reporting on security to the board will adopt a visual approach in order to easily display and quantify the needs of their business unit.”
Aon’s Hoffman noted that cyber risk awareness has increased significantly, from the board down through all connected departments – information security, technology, risk management, legal, finance, and human resources.
“It is no longer a discussion about benchmarking against peers, but a more robust analysis of cyber loss severity and frequency,” he said. “Organizations are developing a keen understanding of how the available cyber insurance products and solutions fit their industry class and company.”