Tag Archives: cyber risk management

Insurance Industry Can Solve Cyber

Before explaining the basis for the strong statement in the headline, it’s necessary to redefine what “solve” means. After all, we live in a world where the myth of impenetrability was long ago debunked, where there are no silver bullet technology solutions and where continued cyber events are as certain as the sun rising tomorrow. Anybody who knows anything about cyber is likely thinking, “It’s impossible to solve cyber risk!” But what if we redefine “solve” as: “to provide security leaders and firms with an accurate picture of their cyber exposure, with the ability to effectively manage the risk and with resiliency when an event happens.”

With that as the definition, why is the insurance industry best-positioned to solve cyber? It’s a matter of insight and the scope of that insight. The insurance industry is the only industry that has the ability to correlate controls and protective actions (insight gained during the underwriting process) with losses resulting from the failure of such controls and protective actions (insight gained by paying claims), thus occupying a front-row seat to what is working and what is not. Most importantly, because the industry serves this function across all classes of risk, across all industry verticals and on a continuous basis, the insurance industry should be the primary source of actionable cyber risk management insight. No technology or network appliance can do that, and even the best assessment is merely a snapshot in time.

Let’s drill a little deeper by considering each element of the new definition individually.

First, the ability to provide firms with an accurate picture of their risk is a critical step toward managing it. An insurance-linked approach can help firms understand the context of their cyber exposure in a way that is easily comparable across firms and that lays a foundation for capturing loss and claims data. We recommend starting with four categories of loss: first-party financial, third-party financial, first-party tangible and third-party tangible. Then drill deeper within each category, with subcategories tied to specific types of insurance coverage and to areas of un-insurability — an incredibly helpful data point in itself, because meaningful areas of un-insurable cyber risk are exactly where controls should be deployed most heavily. Ultimately, this approach paints a complete picture of the cyber risk spectrum and makes it straightforward to use claims data for exposure modeling and benchmarking.

Next, the ability to effectively manage cyber risk certainly trumps the other two elements based on what is most sought by the security community right now. I’ve often described the job of a cyber security leader as akin to putting together a puzzle in which one-third of the puzzle pieces are missing, another third don’t fit together and, to make matters worse, the board changes every 30 minutes. This characterization of cyber will probably never tire — hence the need to redefine “solve” — but this is the very challenge that the insurance industry is best positioned to attack. Why? Because the insurance industry underwrites the cyber security programs of firms of all shapes and sizes on a daily basis and pays claims resulting from the failure of those cyber security programs on a daily basis. If information on both fronts can be appropriately harnessed and correlated in something akin to real time, the underwriting process itself should serve not as an interrogation but rather as an actionable intelligence session for firms to understand how to best evolve their cyber programs. And why stop there? Security leaders should welcome the opportunity to call their insurance companies anytime for an update on the risk climate and for guidance with strategic planning.

Finally, the ability to provide resiliency. This is where insurance coverage itself comes into play, as it is the one control that transfers the cost of an event away from the firm, in part or in full, rather than merely reducing the event's likelihood. The ability to survive is the true measure of resiliency, so while a robust set of controls, policies and procedures wards off pathogens and increases the likelihood of surviving, the financial resources to pay for an event will be most meaningful in determining the firm's and the security leader's fates.

Imagine the post-event press conference if the insurance industry solved cyber: “Ladies and gentlemen, we’ve experienced a cyber event. It will likely be large but nowhere near catastrophic. We’ve been planning accordingly; we knew what our exposure was, and we have been continually updating our defenses in accordance with best-in-class recommendations from our insurance partners. We can validate that by virtue of the fact that we have been able to maintain a comprehensive insurance program that will cover all of our costs as well as any claims against us. The organization will emerge whole.”

The insurance industry has answered the challenge before. Decades ago, insurers started to correlate the causes of events like fire and boiler explosions and subsequently provided invaluable risk-engineering insight to firms. Nobody can dispute the relevance of the industry for minimizing property risk. While some characteristics of cyber are definitely unique, all of the foundational pieces are in place for the insurance industry to do the same here. If the industry succeeds, cyber can be solved.

Risk and Strategy: How to Find the Links

This is the first paper of a series of five on the topic of risk appetite. Understanding of risk appetite is very much a work in progress in many organizations. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized and comprehend the links between risk and strategy. This is achieved either through painful and expensive crises, or through the less expensive development of a risk appetite framework (RAF).

Paper 1 makes a number of general observations based on experience in working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between them and strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy.

Paper 1: Introduction

Since the global financial crisis (GFC), regulators, investors and boards have become determined to avoid a repetition of such a cataclysmic event and have increased demand for more effective risk management. As financial risk reporting failed to predict the GFC, there is growing recognition of the need to build organizational resilience through effective mapping of risks and to demonstrate the capability to manage low-probability, high-impact events. Concern is also growing over the increase in cybercrime and over digital risk.

Some observations:

1. Directors and senior managers need a globally accepted guide on the attributes of an effective risk appetite framework.

2. Emphasis is shifting globally from risk management to building resilience. Risk optimization is achieved when risk and strategy are aligned with corporate objectives. Achieving this requires that both the board and executives master strategic, emerging and external/global risks through robust (risk) horizon scanning, proofing and testing.

3. “Strategic risks” are those that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. “Strategic risk management” is “the process of identifying, assessing and managing the risk in the organization’s business strategy—including taking swift action [when problems arise]. Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that requires the time and attention of executive management and the board of directors.” [1]

RMI thus defines board risk assurance as assurance that strategy, objectives and execution are aligned.

4. That alignment is achieved through operationalizing the links between risk and strategy. This involves:

  • Strengthening the strategic planning process through organizational integration of the risk and strategy functions/processes, with authority derived directly from the board and CEO’s office,
  • Establishing an effective risk appetite framework,
  • Understanding, and improving, the organizational level of risk maturity,
  • Building organizational resilience,
  • Proofing and testing management’s ability to offer credible solutions when both exploiting and defending operations, the business model and reputation.

5. The risk appetite framework (RAF) [2] is to the board what risk management [3] is to the rest of the organization. As such, there is a direct correlation between the efficacy of the RAF and the efficacy of the risk management framework [4]. The audit committee of the board and the risk subcommittee must have charters that provide a risk governance framework that mandates:

  • Direct CEO oversight of an integrated risk and strategy capability,
  • Board risk subcommittee oversight of:
    • The risk appetite framework,
    • Advancing and maintaining risk maturity, which can deliver value through:
      • Access to capital at lower cost than that achieved by less mature competitors,
      • More favorable credit ratings than those achieved by less mature competitors,
      • Optimization of risk transfer through both traditional and modern self-insurance methods.
  • Risk data governance maintained to standards of rigor and consistency like those that apply for accounting data,
  • Perpetual proofing and testing of management’s readiness to offer credible solutions when both opportunity strikes and abnormal and adverse events occur.

We agree with Peter Bernstein, author of Against the Gods: The Remarkable Story of Risk, when he says, “In the absence of certainty. . . [we must] focus on excellent execution and demonstrable resilience at the same time whilst taking as much acceptable risk as is reasonably possible.” We likewise agree with Robert S. Kaplan, author of Risk Management and the Strategy Execution System, who says: “Risk management. . . is about identifying, avoiding and overcoming the hurdles that the strategy may encounter along the way. Avoiding risk does not advance the strategy; but risk management can reduce obstacles and barriers that would otherwise prevent the organization from progressing to its strategic destination.”

References

[1] Harvard Law School Forum on Corporate Governance and Financial Regulation, “Strategic Risk Management: A Primer for Directors,” August 2012.

[2] The RAF is the “overall approach including the policies, controls and systems, through which risk appetite is established, communicated and monitored.”

[3] Risk management: “coordinated activities to direct and control an organization with regard to risk.” Source: ISO Guide 73, Risk Management – Vocabulary.

[4] Risk management framework: “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.”

    • NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk.
    • NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
    • NOTE 3 The risk management framework is embedded within the organization’s overall strategic and operational policies and practices.

Source: ISO Guide 73, Risk Management – Vocabulary.


A Look At Cyber Risk Of Financial Institutions

Overview Of The Risk
There were more than 26 million new strains of malware released into circulation in 2011. Such a rate works out to nearly 3,000 new strains of malware an hour. Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records. The Ponemon Institute, whose annual Cost of Data Breach Study is widely followed, put the total cost per compromised record at $214 in 2011, up from $138 in 2005, when the study began, an increase of over 55%.

Other surveys are consistent. NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability Forum” the results of their analysis of 153 data or privacy breach claims paid by insurance companies between 2006 and 2011. On average, the study said, payouts on claims made in the first five years total $3.7 million per breach, compared with an average of $2.4 million for claims made from 2005 through 2010.

And attacks don't simply target large companies. According to Symantec's 2010 SMB Protection report, small businesses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report's opinion that 96% of such breaches could have been prevented with appropriate controls. Bottom line: cyber attacks are here to stay — and in many ways, they are getting worse.

A Look At The Financial Institution Sector
Willie Sutton once infamously remarked that he robbed banks because “that's where the money is.” According to Professor Udo Helmbrecht, the Executive Director of the European Network and Information Security Agency (ENISA), if Willie Sutton were alive today, he would rob banks online.

Criminals today can operate miles, or even oceans, away from the target. “The number and sophistication of malicious incidents have increased dramatically over the past five years and are expected to continue to grow,” according to Gordon Snow, Assistant Director of the Cyber Division of the Federal Bureau of Investigation (testifying before the House Financial Services Committee, Subcommittee on Financial Institutions and Consumer Credit). “As businesses and financial institutions continue to adopt Internet-based commerce systems, the opportunity for cybercrime increases at the retail and consumer level.” Indeed, according to Snow, the FBI is investigating 400 reported account takeover cases involving the bank accounts of US businesses. These cases total $255 million in attempted fraudulent transfers and have resulted in $85 million in actual losses.

According to the FBI, there are eight cyber threats that expose both the finances and reputation of financial institutions: account takeovers, third-party payment process breaches, securities and market trading company breaches, ATM skimming breaches, mobile banking breaches, insider access, supply chain infiltration, and telecommunications network disruption.

It was telecommunications network disruption that dominated the news in 2012.

The form it took was the distributed denial of service (DDoS) attack. US banks were attacked repeatedly throughout the year by sophisticated cyber “criminals” whose campaign was eventually attributed to the nation of Iran, in what many would consider an act of cyber war against this country's infrastructure.

Among the institutions hit were PNC Bank, Wells Fargo, HSBC, and Citibank, among many others. Big or small, it made no difference. At the end of the day, as many as 30 US banking firms are expected to be targeted in this wave of cyber attacks, according to the security firm RSA. And it is likely that we are not at the end of the day. On January 9, 2013, the computer hacking group that has claimed responsibility for cyber attacks on PNC Bank vowed to continue trying to shut down American banking websites for at least the next six months.

That is not to say that financial institutions only had to worry about distributed denial of service attacks launched by hostile nation states in 2012.

On December 13, 2012, the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares information about cyber and physical threats throughout the financial sector, warned the US financial services industry that a Russian cyber-gangster was preparing to rob American banks and their customers of millions of dollars. According to the computer security firm McAfee, the cyber criminal, who calls himself the “Thief-in-Law,” had already infected hundreds of computers of unwitting American customers in preparation to steal their bank account data.

Of course, not all threats look like they come from the latest 007 flick. On October 12, 2012, the Associated Press reported that TD Bank had begun notifying approximately 260,000 customers from Maine to Florida that they may have been affected by a data breach. Company spokeswoman Rebecca Acevedo confirmed to the Associated Press that unencrypted data backup tapes were “misplaced in transport” in March 2012. She said the tapes contained personal information, including account information and Social Security numbers. It is unclear why the bank waited until October to notify customers. Forty-six states now have mandatory notification laws that dictate prompt notification to bank customers of missing or stolen “Personally Identifiable Information.” Note that most of these laws exempt data that was encrypted at the time of loss; it is the fact that the tapes were unencrypted that turned a lost shipment into a notifiable breach. Failure to make timely notification can, and often does, prompt customer lawsuits and regulatory investigations.

The bottom line: you cannot be a financial institution operating in the 21st century without a cyber risk management plan, and that plan should include the purchase of cyber insurance.

The Cyber Insurance Market
With these facts, it is not surprising that the cyber insurance market has grown tremendously since its beginnings in 2000. Starting as the brainchild of AIG and Lloyd's of London, the market has grown to over 40 insurance providers. A widely accepted statistic is that the market now produces over $1 billion in premium for insurance carriers worldwide.

Despite the increasing claim activity, informal discussions with the market continue to indicate that cyber risk is a profitable line of business. Perhaps it is for this reason that, according to industry reports, cyber premium rates are flat to down 5% in a market where property-casualty rates are generally increasing.

Carriers also see this as an area where there are many non-buyers, and statistics seem to back them up. According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about this cyber risk. A risk area with a high level of concern but little purchase of insurance is an insurance broker's dream. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy.

It is unclear why there aren't more buyers but most of the industry believes it's a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber risk is covered under their general corporate liability policy.

It is then perhaps not surprising that the Betterley 2012 market report stated, “we think this market has nowhere to go but up,” although the authors quickly qualified that with “as long as carriers can still write at a profit.”