An evolving enemy
A cybersecurity report in the UK has found that insurance is not generally seen as relevant to cyber resilience, and revealed that half of the company leaders interviewed did not even realise that cyber risks could be insured.
“The losses are being dramatically underinsured,” says Bill Miller, head of actuarial at KPMG Bermuda. “But as more events happen, there will be a growing awareness from a capital management and risk management perspective of the need for insurance as part of the whole operational cyber risk management process.”
Miller explains that, according to the UK report, published in March by the UK government and Marsh and titled ‘UK cyber security: the role of insurance in managing and mitigating the risk’, the vast majority of premium income is coming from US domiciled companies, reflecting the fact that the US was the first market to offer standalone cyber insurance products with solutions centred around data breaches.
“This is clearly going to grow to other countries,” believes Miller. “The newsworthiness of these events and the prevalence of malware and hacking are exploding so it’s a huge area where companies and insurers need to come up with better processes, better risk management, better frameworks and governance.”
Chris Eaton, senior manager at KPMG Bermuda, cites the 2014 Sony breach as a high-profile example of where companies and their insurers are severely underprepared to deal with cyber attacks. Eaton explains that, following a prior attack on Sony in 2011 which resulted in a claim, the company’s insurer at the time elected not to renew and they were faced with a challenge to obtain coverage.
“Ironically, among the documents that were released as a result of the recent breach were details of their cyber coverage, and we can speculate that they may well be underinsured,” says Eaton. “The amount of coverage they had in place was around $60 million for Sony Pictures and Sony Corporation of America, and I expect their losses could ultimately be well in excess of that. That’s a good snapshot of how the market stands in some ways.”
Inga Beale, the chief executive of Lloyd’s, revealed in January an estimate by the market that the insurance industry took $2.5 billion in premiums on policies to protect companies from hacking-induced losses, around a quarter up on the prior year. However, she estimated that cyber attacks cost businesses up to $400 billion.
Miller explains that a large part of the problem is a serious lack of data around this exposure, and says that the more the insurance industry learns and gathers in terms of information, the more thoughtful it will be in its approach to underwriting exposures, setting policy limits, and pricing.
“We think insurance companies are moving to a world where they’re going to require companies to adhere to certain standards that are going to vary by country, by industry, and the size of companies, among others,” says Miller. While there is potential for a huge evolution around the management of cyber risk, these factors can be very expensive to implement.
Developing frameworks
Thomas Kelly, managing director at KPMG Bermuda, believes something positive gleaned from the UK cyber report is the proposition that standardisation should be achieved across the industry in order for a number of things to happen.
“Insurance companies are in a pivotal position where they can demand certain things in order to provide coverage,” Kelly explains.
“As a baseline, we need to start having discussions around standardised terminology, standardised ways of capturing data, and standardised ways of how coverage is provided.”
Kelly believes that, because insurance companies inherently collect a lot of data, cyber could be led by the insurance industry in this regard.
In April 2014 the ‘Cyber Essentials’ scheme was introduced by the UK government to encourage more small and medium-sized companies to actively manage cyber risks. This government-backed insurance industry accreditation forms part of the risk assessment process. It is a two-tier scheme focusing on five basic controls that make up the framework: Cyber Essentials is self-assessed with verification by an independent qualified assessor; Cyber Essentials Plus includes independent testing.
A number of UK insurers now require small businesses to gain the certification as a pre-requisite for coverage, and effective October 2014 all suppliers must comply with the new Cyber Essentials controls if bidding for some UK government contracts.
Eaton imagines that there is a body of data being built up as a result of these assessments, so this need for data is an evolution that insurance companies are going to need to be innovative around in order to come up with the right information to inform their risk decisions.
Eaton compares this to the Cybersecurity Fundamentals framework in the US, released in February 2014, which is, at the moment, voluntary and self-assessed. “There is a possibility at least, and I would suggest a probability, that this will evolve over time,” says Eaton. “There’s a lot of speculation around it becoming, if not mandatory, the preferred type of certification for organisations to have for many reasons. To illustrate, companies such as Intel and Bank of America have announced that they will require it of their vendors.”
These two frameworks as they stand today are very much baselines and are not enormously sophisticated guidelines for cybersecurity, as Eaton explains. “They are likely to continue to evolve into fully multi-tiered standards in the space and I’m sure that insurance companies will have an influence on that,” he says.
Kelly adds that while the US and the UK governments are already very active in this space, “we need more coming out of the EU in terms of regulation and a real global collaboration effort because it’s going to be one of the bigger risks facing enterprises over the next decade”.
From an insurance perspective, Miller envisions that insurers will start gathering information on their insureds and potential insureds on whether they are compliant with these frameworks.
Alternatively, from a capital management perspective, Miller believes a tremendous amount of work needs to be done around looking at the tail risk—the types of large cyber risk events that could translate into losses and impact on capital for insurance companies, but also for non-insurance companies from a basic survival perspective.
Eaton makes the point that these frameworks are not being invented in a vacuum because best practice has been around for a long time, and believes people need to be planning how cyber fits into their overall business recovery planning scenarios.
“It’s all interrelated and these frameworks are there to support that—they just evolve over time with specifics,” he says.
“If I was an insurer looking for data, the Cyber Essentials certification in the UK is only going to give me so much, and that’s helpful, but I would probably be looking at a broader and deeper risk assessment that was based on the Control Objectives for Information and Related Technology (COBIT) framework, which is all about IT governance and enterprise risk management.
“That’s going to give me more insight and help build up a deeper understanding that I can make informed decisions on.”
Human capital
“Insurance companies can distinguish themselves by getting a variety of resources on board from day one, being able to distinguish between clients and provide tailored offerings instead of just a blanketed approach,” Kelly explains.
Eaton adds that ISACA, the umbrella organisation that security professionals gravitate towards, estimates that there are between 410,000 and 510,000 security professionals worldwide at present. However, recent industry surveys estimate a current shortfall of at least 300,000 qualified information security staff and managers, with the gap forecast to widen significantly in the near future. ISACA estimates that more than 4.3 million jobs will be available by 2018.
It is reasonable to suggest that the human capital element is going to be critical for insurance companies considering cyber going forward, along with terms and conditions and policy limits. Kelly believes a huge learning curve is to take place over the next 18 months in terms of staying on top of this crucial human capital factor.
“True industry expects will be highly sought-after but will certainly come at a price,” he says.
Miller believes that due to the broad nature of the product, there is still confusion in the market as to what is actually being covered under a certain set of policy terms, and how the product interacts with other coverages.
“We think there’s going to be a clarification through litigation of how policy wordings are interpreted,” he says.
Bill Miller is director, Actuarial at KPMG Bermuda. He can be contacted at: billmiller@kpmg.bm
Thomas Kelly is managing director at KPMG Bermuda. He can be contacted at: thomaskelly@kpmg.bm
Chris Eaton is senior manager at KPMG Bermuda. He can be contacted at: chriseaton@kpmg.bm