An Interview with Scott Sayce

In this month's ITL Focus, Scott Sayce, Global Head of Cyber at Allianz Commercial, discusses key cybersecurity trends in 2024 with Paul Carroll.


Scott Sayce is the global head of cyber at Allianz Commercial and group head of the Cyber Centre of Competence.


Paul Carroll

To start us off: What key trends are you seeing for cybersecurity and cyber insurance in 2024?

Scott Sayce

We've seen some commonality of trends throughout the past couple of years, and some of those are continuing.

Ransomware certainly hasn't gone away. It continues to be at the forefront, not only in terms of how insurers are trying to help customers but in terms of the points they’re raising with us. It's a critical area that causes them sleepless nights. Those that take it seriously and have the right mentality and the right culture are best positioned to protect themselves, and insurance can help.

A lot of people think of ransomware just in terms of the first-party element, affecting the particular company that was hit. But more and more we're seeing data exfiltrated as a result of ransomware attacks. Those data breaches affect third parties and have different impacts across the world, depending on the geographical, legal and regulatory regimes around privacy breaches.

Paul Carroll

When hackers exfiltrate the data, what do they do with it?

Scott Sayce

The exfiltration is another way to force somebody to consider paying a ransom. It causes mass disruption, outside of the pure financial impact to an organization and third party.

Paul Carroll

In the article you did last year in ITL, you talked about ransomware as a service and about how attacks are speeding up. They used to take weeks and now may just take days. I assume you're seeing that trend continue?

Scott Sayce

Absolutely. As technology continues to advance, so does the sophistication of attack, and so does speed. You don't need to be that cyber-savvy now to mount an attack, because of ransomware as a service. You can be a moderately smart individual and be able to target small, medium and large organizations by really renting a service.

The good news is that the new technology can also be used incredibly well for defense purposes. We hear a lot about risks around quantum computing and the future of quantum computing. But quantum computing and encryption can also be an incredible strength. So we have to both embrace it and be fearful and aware of the risks that it poses all at once.

Paul Carroll

A year or so ago, I spent some time with a professor from Cal Tech, who explained how quantum computing is perfectly designed to decrypt information based on the way it's encrypted now. I've since read a lot about what I think people are calling "Hack Now, Decrypt Later." In other words, hackers are grabbing information now even though they can’t decrypt it, because they know that quantum computing will let them do so in five or 10 years. How are you encouraging clients to think about that?

Scott Sayce

That’s a great question. We’ve done a lot of research on this. We've gotten smart people from a lot of different parts of our organization involved, as well as external expertise.

When we have any new threat or any new type of technology, we do quite a bit of research because we need to understand: A. Do we want to underwrite it? B. Can we underwrite it? And C. Is there a product offering that our clients need?

This isn’t just about me and my underwriters. It's about cyber models. It's about risk management. It's about our commercial cyber risk consulting team.

Some of the views are not definitive, because there will always be unanswered questions. There's always going to be, What's next? Cybersecurity and cyber risk are never set and done, right? So we have to always challenge ourselves that we don't know everything. Our customers don't know everything. But we hope that together we're making the right, informed decisions to help our customers protect themselves with the right knowledge. We hope we come up with answers to some of the future risks and some of the potential challenges they may face for their unique company, as opposed to generic topics like quantum computing, AI, etc.

Paul Carroll

I gather there's a standard being developed so people will be able to start encrypting things now in a way that will be at least resistant to quantum decryption whenever that becomes possible, years down the road.

Scott Sayce

I wouldn't plant my flag on that yet. Once we feel we have solutions, there's always a new way for hackers. I've been involved with cyber insurance for almost 25 years, and I don't think I've ever used the phrase, "We've got it nailed."

Paul Carroll

In terms of other things going on with ransomware, I read the other day in The Economist about how some hackers are lowering the profile of the targets they go after because authorities devoted so much time and energy to investigating some high-profile attacks, such as the one that shut down the Continental Pipeline. Is this something you're seeing? And are there other changes in terms of tactics and targets?

Scott Sayce

I think there are two areas of focus. You've got the out-and-out targeted, where somebody wants to target a particular company to really infiltrate it. That takes significant time, but the reward can be much higher. You also have the scattershot approach, where you're trying to identify a common vulnerability that hasn't been dealt with by organizations, whether they’re small, medium or large companies. You're going for quantity, hoping to pick out maybe one in 10, one in 100, one in 1,000 organizations, but not just focusing on one.

The data we’re seeing is that organizations that don't deal with those critical vulnerabilities, and don’t act when a patch is released for a zero-day vulnerability, well, they're more than 30% more likely to be affected. Yet a lot of organizations dismiss critical vulnerabilities. They think, "It's not going to be us."

And to your point, we’re not just seeing highly publicized attacks, but also ones hitting SMEs and mid-corporates, as well. Some larger companies can operate during an attack, but some of the smaller companies could be driven out of business.

Paul Carroll

What more can companies be doing to protect themselves?

Scott Sayce

Ransomware has ravaged organizations over the last three or four years, and companies have definitely stepped up their game. A number of organizations have embraced the need to constantly check what they're doing. I'll come back to my phrase, "set and done." Even once you’ve assessed and fixed a vulnerability, you have to realize this is a continuous cycle. There will be a new vulnerability, a new attack, a new zero-day impact. There'll be an update from one of your providers that causes a problem. So my biggest recommendation is: Don't just check once; check continuously.

An ecosystem of insurers, insurtechs, customers and brokers and agents has developed, so we aren’t just writing a check at the end of the day when a customer has a claim. We’re about the services we can provide to a customer to help minimize the impact or even prevent it. If an attack does happen, how quickly can we deal with it? I remember a cybersecurity expert saying to me: "We keep them out for as long as we can. And once they get in we get them out as quickly as we can."

And that's the thing. I think the insurtechs and insurers, along with customers, brokers and agents, have been working to create that ecosystem of solutions and services, backed up with risk transfer. This is a much better solution than, Here's a policy, and if you have an issue call this number.

I'm incredibly proud of what the cyber insurance industry has built over the almost 25 years that I have been involved. I think we've innovated faster than any other line of business, on services coverage and the ability to bring in diverse talents into the industry.

Paul Carroll

How helpful are governments being?

Scott Sayce

Some countries look to the insurance industry on cyber, while others look to insurance and government in a hybrid model. The cyber insurance market, in my opinion, will be larger than some of the traditional lines over the next 10 to 15 years, so we need to continuously look at what we can insure, what we can't insure and where we need governments to help. I think having a mutual understanding is the first step, and I think we're coming to the table to do that, which is really positive.

Paul Carroll

How about industry cooperation? A few years ago, somebody wrote a piece for me saying there ought to be as much sharing as possible within the industry. Obviously, Allianz has great scale on its own that it can learn from, but is there much prospect for cooperation among the big insurers?

Scott Sayce

We're talking about critical cyber information for potential customers, and you have to be very mindful of that. We also have to be very careful of what the intended purpose is of sharing that data. There are a few businesses out there now that are not monetizing the data in any way and actually are looking at collating it to provide industry trends and provide information out there. And that's good. We tend to look at our own data.

Paul Carroll

When I first started tracking the cyber issue, years ago, insurance companies were rightly scared of the risk because they didn't know how big the liability could be, yet customers didn't want to pay much. So there was this huge gap in the middle about what pricing should be. But it feels to me like the market has matured to the point where there's more of a meeting of the minds. Does that sound right?

Scott Sayce

I think you're right. Over the last four or five years, ferocious ransomware has hit so many organizations, and cyber insurance proved its worth with the volumes of claims that were paid.

Some called cyber insurance a bit of a fad many years ago. But it's now proven to be a staple insurance purchase in many locations, and demand for this product is evident more and more in certain countries.

Some insurers may well be fearful of new capital coming into the market, but we need this capital across the insurance industry for us to be able to continue to serve the market. As long as your underwriting integrity remains, and as long as customers continue to improve and work on their cyber hygiene, we know that cyber risk management and cyber risk transfer will continue to go hand in hand. And we're here for the long term.

Paul Carroll

That's great. Any final words?

Scott Sayce

Well, number one, thank you for your time. It's always good to get to engage and listen to insightful questions. But also know that for us, cyber is a consistent line of business. It's a core line of business for us, one that we're committed to across vast different countries to provide solutions and products to our customers and help them stay protected, as well.

Paul Carroll

Thanks, Scott.


Insurance Thought Leadership


Insurance Thought Leadership (ITL) delivers engaging, informative articles from our global network of thought leaders and decision makers. Their insights are transforming the insurance and risk management marketplace through knowledge sharing, big ideas on a wide variety of topics, and lessons learned through real-life applications of innovative technology.

We also connect our network of authors and readers in ways that help them uncover opportunities and that lead to innovation and strategic advantage.



Scott Sayce


Scott Sayce is the global head of cyber at Allianz Global Commercial and group head of the Cyber Centre of Competence.
