Meeting the cyber challenge
Cybersecurity used to be seen as being something that the IT department at an insurance company dealt with. Not any more, since several high profile hacks have taken up so much space in the headlines, including at Target, Yahoo, Equifax, and the US Office of Personnel Management.
According to George Thomas, senior adviser at PwC, there is a potential upside for Bermuda.
First and foremost, Thomas has been encouraged by the numerous cybersecurity initiatives announced by the newly elected Bermuda Government, including a statement in its 2018/2019 budget about building a secure data centre to protect government facilities and operations from cyber threats. The government is committed to attracting new technology-based industries to the Island, deepening the knowledge pool and giving Bermuda even more opportunities to respond to digital and other cyber threats.
Thomas highlights recent activity by the Bermuda government to get schoolchildren more digitally proficient by offering science, technology, engineering, arts and mathematics (STEAM) classes through a partnership with a local technology incubator specialising in the digital literacy, ConnecTech. In the private sector, he mentions that Hamilton Insurance Group’s Community Giving Committee has allocated the majority of its 2018 funding to ConnecTech, after it identified opportunities to align Hamilton’s philanthropy in Bermuda with the company’s mission of writing the future of risk.
Two coding programmes are to be offered during 2018. The first is a pilot programme in Bermuda’s public primary schools and will focus on teaching primary school students to code. The second is the Django Girls coding programme. This international programme will bring expert instructors to the Island to offer girls a customised opportunity to learn to code.
Thomas believes that Bermuda is well-placed to position itself as a leader in the fight to stay at the head of the re/insurance pack when it comes to cybersecurity, especially because Bermuda has done something similar in the past.
“Bermuda as an insurance market is often referred to as having been born as a result of the Island’s and the industry’s innovative response to the opportunity it saw in the liability crisis of the 1980s when other markets were not prepared to cover excess liability risks,” he says.
“With its long track record of successful innovation coupled with the breadth of its resident underwriting expertise, speed to market, risk-based regulatory approach and sophisticated legal system, Bermuda is in a prime position to play a leading role to meet the ever-growing demand for cyber coverage.”
Thomas points out that in terms of becoming a cyber insurance leader, Bermuda has a number of other key advantages that mean that many already view it positively, including the fact that insurers and reinsurers in Bermuda have a reputation for paying their claims quickly and don’t prevaricate or delay, making the Island faster and more efficient that many other jurisdictions or counterparties.
“Speed is critical in cybersecurity because when dealing with a substantial breach, time is always of the essence. Delays in cleaning up a cyber breach not only cost additional money, but can severely damage a corporate reputation,” he says.
“What we have been witnessing recently is more entrants into the market, with companies such as Validus issuing standalone cyber insurance protection, and carriers further broadening coverage, providing both first party and third party liability protection coupled with loss mitigation and incident response services,” he explains.
“On March 23 Hiscox launched the first cyber insurance loss warranty (ILW). These carriers are not going into it blind or just getting into the business for the top line as the coverage demand continues to increase, they’re investing and partnering to get to the point where they can quantify it.
“However, that is not to say that estimating potential exposure is not a significant challenge, especially against the backdrop of an ever-changing cyber threat environment.”
The growth in the cyber insurance market has been slower than some originally expected but, according to Thomas, the uptake in cyber insurance is expected to accelerate.
“The number of high profile breaches has prompted companies to recognise that it is not a matter of if but when,” says Thomas. “This realisation, coupled with the raft of new privacy regulations such as the EU’s General Data Protection Regulation and the New York Department of Financial Services cybersecurity regulation, you have to believe that more companies are going to look to standalone coverage for these risks.”
Legal matters
The more incidents take place the more complicated the legal side becomes, with an increase in class action lawsuits that have effectively forced some companies to settle with the plaintiffs and come to an agreement.
“It will be interesting to see how the Equifax lawsuits play out in the aftermath of the recent federal insider trading charges against one former Equifax IT executive,” Thomas says.
He delivered a guest lecture to a securities law class at Harvard Law School a few weeks after the Equifax breach became public in November 2017. “Based on the sequence of events, activities by the company and federal regulations in place, it is not surprising to see insider trading charges,” he said.
“The work I’ve done in the past few years was around cybersecurity from a governance perspective. If you go back five years people would have said that it was an IT problem and that they’d talked to their CIO and that they were covered.
“Now you see that things have evolved to the point where people have hired a chief information security officer, and/or a chief data privacy officer, because of the inherent liability and the need for very serious in-house expertise, because these risks cannot be delegated or pushed—you have to understand and manage it.
“Cyber risk has gone from being an IT issue to an enterprise risk management issue that’s dealt with at the board of directors level.
“This shows in the findings of PwC’s Global State of Information Security Survey 2018 as well as our 21st Global CEO Survey. In the latter, CEOs worldwide identify cyber threats as the business threat of greatest concern. US CEO respondents go further by ranking cyber threats as their greatest overall worry, ahead of over-regulation, geopolitical uncertainty and terrorism.
“In our 21st Global CEO Survey, 87 percent of global CEOs say they are investing in cybersecurity to build trust with customers.”
Thomas says business leaders should engage their boards. “Boards as a whole should continuously arm themselves with better knowledge about the C-suite’s plans to address emerging risks associated with data protection and privacy.”
