Evolving to meet the latest threats


Cyber insurance continues to evolve to meet the latest threats and regulatory changes, as Noel Pearman of AXA XL explains to Bermuda:Re+ILS.

The battle against hackers and online fraud is one that never really ends. No matter what industry you work in, it is an endless electronic war.

As a result, cyber insurance needs to keep pace with the latest developments as it seeks to protect clients from becoming cyber casualties. Those developments include the latest rules and regulations, as governments add to the complexity of that war.

Noel Pearman, senior vice president and cyber product line leader in the Bermuda Insurance Operations of AXA XL, the P&C and specialty risk division of AXA Group, points out that long before 2018 there was a great deal of cyber-related regulation in place, some of which dated back to the late 1990s. The rules varied in type: some were specific to certain industries, some covered certain types of business data, some came from individual US states, and others were federal.

“The pace of new regulation accelerated during 2018, with the most significant being the implementation of the EU General Data Protection Regulation (GDPR),” says Pearman.

“Prior to GDPR, the EU was much less regulated from both cybersecurity and privacy perspectives than the US. The new regulation has changed the situation between the EU and US quite substantially.

“GDPR has significantly increased the focus on protecting personal data, with enhanced security requirements for companies that hold individuals’ data. As a result, for the first time it created necessary transparency and mandated reporting data losses in the EU.

“There are two other things that are particularly noteworthy,” Pearman adds. “The first is that there is now an affirmed right to digital privacy for individuals, and along with that right comes the right to private actions. Having robust legal recourse for those whose privacy rights have been infringed is a major change and that’s going to have an impact.”

Fines and revenue

“The second important change with the GDPR is the possibility of very heavy fines, the worst being up to 4 percent of a company’s global revenue, for infringement. If you think of the largest data-holding companies—the Googles, Facebooks, Apples, and Amazons of the world—then we’re talking about tens and hundreds of billions of dollars in annual revenue,” Pearman explains.

“Four percent of those numbers is very significant. Indeed, 4 percent off the top line of any global company is significant, even though we don’t know how often, or indeed if ever, fines of this magnitude will be imposed by regulators. However, that potentially high penalty really woke up the market.”

He says that another big change has been the proliferation of US state cyber legislation. In 2018 alone, 22 states enacted more than 50 cybersecurity bills. The California Consumer Privacy Act, which was passed “swiftly” last year, is the most prominent example and is very GDPR-like in its focus on individuals’ privacy rights.

However, Pearman says: “The US market would be better served by comprehensive US federal cybersecurity and privacy regulations. State-by-state regulation in this area is confusing and insufficient.”

He also identifies what he thinks has been a very important shift in the mindset of many large organisations. Pearman says that, previously, companies believed they owned the data they collected. But nowadays, with privacy acts such as those mentioned above coming into place, the overwhelming message is that individuals are always the owners of their personal data.

As a result, customers have a right to know for what purpose a company wants their data. If they decide that that company should not have their data any more, the company must be able to delete that data, transfer it to another authorised company, or return it to the customer.

As Pearman points out, this is a big shift in terms of how companies are being asked to think about data and also, from a technological perspective, how they organise their networks, and how they compile their records. This in itself is a burden for some companies, requiring new time and money invested into rethinking old policies and processes.

Pearman adds that regulatory uncertainty has been covered by steadily evolving cyber insurance policies and that insurer willingness to provide coverage is increasing.

The evolving threat

Regulatory regime changes are certainly increasing companies’ awareness of the fact that they need cyber liability insurance, Pearman says, but there have been other important drivers behind the increased interest in cyber insurance.

“There has been an increasing number of data breaches, through more varied attack routes, all showing the heightened cyber threat. While organisations need to be aware of the privacy risks of holding personal data, they also are becoming more aware of their cybersecurity risks,” he says.

“We need a modern understanding of the threat landscape. In the minds of many people, hackers are 17-year-old boys in their parents’ basements,” he points out.

“Our concept of the hacker needs to evolve, to understanding that a hacker could be someone with access to advanced tools, of any age, and could be acting on behalf of nation states or organised crime. They are very, very sophisticated these days.

“Yes, there’s still the individual attacker but the biggest companies in the world, the ones we insure, are facing well-resourced teams of attackers with multiple tools.”

Despite this, Pearman concludes on a note of cautious optimism. “The attackers are still developing their cyber weapons, but the organisations are getting better at mitigating their risks.

“Take credit card data, for example, and the hacking of credit card terminals a few years ago. Everyone focused on the retail sector and that segment has done a very good job of dealing with those attacks but they can’t afford to fall into complacency.

“Cyber criminals are constantly working on new ransomware, malware and other forms of attack. For this reason, we in the re/insurance industry are remaining vigilant. As cyber risk escalates and evolves so does the coverage, and while insurance may not be the only line of defence, we play a significant role in cybersecurity.”


Noel Pearman is senior vice president and cyber product line leader in the Bermuda Insurance Operations of AXA XL, the P&C and specialty risk division of AXA Group.
