Tag Archives: cyber

Growing Number of Uninsurable Risks

A few weeks ago, I saw a LinkedIn post from Dr. Robert Hartwig that discussed his testimony to one of the U.S. Senate’s subcommittees about the uninsurability of business income from the COVID-19 pandemic. Seeing that LinkedIn post, and reading his testimony, triggered my continuing belief that uninsurability of certain risks has been happening more frequently over the decades.

More specifically, I believe that as we, as a society, become increasingly more dependent on web-connected devices, uninsurability will become more of an issue for both the insurance market and for corporations (and individuals, as well).

I want to thank Dr. Hartwig for giving me permission to use some of his content from his July 21, 2021 testimony to the U.S. Senate subcommittee.

His testimony is titled: “Examining Frameworks to Address Future Pandemic Risk,” and he presented it to the U.S. Senate Committee on Banking, Housing and Urban Affairs, Subcommittee on Securities, Insurance and Investment.

My three key messages

My three key messages for the readers of this blog post:

  1. There has been, and continues to be, an inexorable shift to (potentially uninsurable) severity from a small but expanding number of risks.
  2. Not all of the risks that fall into the uninsurable severity category are technology-related or technology-driven. Terrorism and global pandemics fall into the uninsurable severity category (in my opinion), as does, or will, certain ramifications of climate change. None of those three are technology-related or -driven. However, technology specifically in the form of web-enabled devices will push more risks – cyber risks – into the uninsurable category.
  3. Regardless of the insurability or uninsurability of a risk, the risk itself doesn’t disappear from a corporation’s (or individual’s) need to manage the impact of the risk in some manner. (Neither denial nor hope is a risk management strategy.)

Frequency and severity

Almost all, if not all, P&C insurance professionals would tell any person who asked that the two connected concepts of frequency and severity are critical to analyzing and pricing each risk that happens in their target markets or throughout society more generally. (Frequency and severity are also needed to perform claims analysis – before, during and after a claim event – as well as needed for target marketing, product development, setting reserves and surplus and a host of other operational and financial functions.)

These two concepts were at the forefront of my mind when I decided to write this blog post.

The “frequency of severity” is increasing

However, the continual expansion of technology applications is leading society and the insurance industry into more instances of uninsurable severity. Specifically, I believe that what I call the “frequency of severity” of risks is increasing as our society becomes more digitally dependent on the web throughout its operations, home life, transportation, entertainment, shopping, communication and collaboration, and within other personal and corporate activities.

Simultaneously, as web-connected digital capabilities become the lifeblood of society, insurance firms will find fewer opportunities to generate profitable premium because the risk costs will become too large to profitably underwrite.

From a societal and insurance industry viewpoint, we have lived in a situation of “uninsurable severity” before, following the terrorist acts of war of 9/11. Now, society and the insurance industry are living with another situation of “uninsurable severity” risk: the impact of COVID-19 on business income/interruption.

I identify both of these risk situations (terrorism and global pandemics) as sign posts on the path to a “shift to (uninsurable) severity”: a shift that effectively shrinks the market segments that are insurable.

Before discussing why I believe that cyber is yet another instance of a shift to uninsurable severity risk, I want to take a few steps back to consider the P&C insurance industry. The people who have read my blog posts or have read my analyst reports through the years know that I like to discuss context before delving into the heart of an issue. So, …

A macro insurance industry overview of risk

The societal value-added of the insurance industry is to profitably manage or mitigate risk for people, corporations, non-profit organizations and actually businesses of every flavor. One of the critically important words in this first sentence is: “profitably.” Insurance firms strive to operate profitably through their ever-changing risk appetite.

Risks emerge on their own (e.g., lightning strikes) through interaction with nature, through interaction with the actions and behaviors of members of society (alone or among members of society), through the applications of technology or through some hybrid combination of any of these elements. (See visual below.)

Insurance professionals, including risk managers, think of a risk landscape. I’ve written reports about the risk landscape (or landscape of risk) through my decades as an insurance industry analyst. But the term “land” has outlived its usefulness for many years.

True, we can, and do, think of risks beyond those occurring on a terrestrial terrain to include risks happening in (or under) the oceans or in air or space. However, with the advent of the web and web-enabled applications and their concomitant risks, “land” is too mentally limiting. The web is a bridge from our historical world of analogue risks to a hybrid world encompassing an ever-changing mixture of analogue and digital risks. The bridge is a host of cyber risks that will affect both the digital applications as well as the analogue applications infused with or connected to the web-connected digital applications.

I propose using “risk radar” instead of “risk landscape” to encompass all past, current and emerging risks regardless of where they exist or appear, including in the application of web technologies. I’ll try to use it in this and forthcoming blog posts. However, I know that I used “risk landscape” in my book, which is going through an initial edit by Wells Media. We’re targeting 2Q22 or 3Q22 for the book to be published as an ebook, audio book and paperback. (I had to put in a plug for my own book, didn’t I?)

See also: The Spectre of Uninsurable Risk?

Shift of impact of risk to an uninsurable level of severity

I am not stating that every risk that society has experienced, is experiencing or will experience will have an uninsurable level of severity. I am stating that there will be a growing number of risks, particularly those associated with web-connected digital artifacts (or analogue artifacts infused with or connected to web-connected digital artifacts), will have uninsurable levels of severity.

The table below shows a 2 X 2, but we all know there is actually a gradient from low to high frequency as well as a gradient from low to high severity. Pandemics, terrorism and, in my opinion, cyber attacks sit in the “high severity” row (or end of the severity gradient).

Most of us trust the companies we conduct commerce with, but there will be more questions like these:

  • “How did thieves break into my digitally locked car?”
  • “What do you mean I can’t get into my house because the ‘key’ has been hacked and I have to pay ransomware to get into my own home?”
  • “How could some person hack into our web-connected devices that we use in our homes to know we were gone and rob us?”
  • “Why are all of our corporate systems shut down?”
  • “What do you mean that my company’s servers have been used for a dedicated denial of service attack and my company is liable for the damages done to other companies and their clients?”
  • “Why is my EV car stopping in the middle of the highway?
  • “Why has our company stopped providing petroleum products throughout the U.S. East Coast?

In reality, the trust – between each of us and the web-connected devices we use in our homes, vehicles or corporations – should have been completely vaporized as soon as the first device (home appliance, corporate appliance, personal vehicle, company fleet vehicle,…) was connected to the web.

Web-connected devices have an impact of and level of losses that is no longer local or regional: The impact of the risk is global. To repeat what is in the red outlined box in the visual above for better readability:

I hypothesize that as society – governments, businesses, people – use increasingly more digital technologies (of which increasingly more will be connected to the web), that the scope of cyber attacks will represent a financial scale that represents a level of severity that the insurance industry is not financially able to provide sufficient coverage for.

Pogo is definitely at play here: “We have met the enemy, and he is us.”

Revisiting the CP&C broker commerce conversation

My remarks in this section are based on the areas of focus in the visual of the last section: low frequency and high severity as well as high frequency and high severity of risks.

The first visual I show below illustrates what I call the “conversation and acceptance” of commercial P&C insurance commerce. I have a question mark next to “acceptance” to indicate the changing risk appetite of carriers.

(In case there is any doubt about my use of “changing risk appetite,” I am from the insurance carrier business side of the insurance industry. I absolutely believe that carriers have the right – and responsibility – to change their risk appetites whenever they think it is best to do so for their companies.)

I’m using the curved arrows to reflect that large/jumbo CPC clients will have a hybrid stack of self-insurance, use of primary insurance and use of reinsurance. There will not necessarily be a stacked column of the three elements one after the other. Moreover, I’m showing some of the elements of the CPC carrier that “greet” the broker and the client as they look for cover for the specific risk. Please don’t overlook the “small” potential role of the federal government (depending on the risk being considered for coverage.)

I want to repeat what I wrote in the green box under the CPC client for emphasis: Regardless of the market solution the broker identifies to mitigate the client’s risk(s), the legal onus is on the client to manage the risk in some manner. This always holds (for every risk) and will hold in dramatic fashion for cyber risks. And for the cyber risks in the areas of focus, I believe the role of the federal government will have to explode in a similar dramatic fashion.

Actually, I could foresee when (and it should be when and not if) the federal government plays a major role “covering” cyber risks that are uninsurable. At that time, the federal government will take a very large stick (perhaps through laws, regulations and executive orders) to hammer corporations to better secure their cyber operations to protect their company, their clients and prospects, their subcontractors and others (people and companies) they conduct commerce with.

This will expand the market for technology firms that create and sell cyber security and privacy solutions. It will also expand the market of people with “white hat” cyber hacking skills to work for companies (or technology firms or consulting firms). The technology firms offering cyber security and privacy solutions should also find themselves under the harsh glare of the government cyber laws and regulations.

I want to make another point clear: Brokers involved in the cyber commerce conversations will have to have some minimal level of knowledge of the (changing) nature and implications of cyber security and privacy as well as the cyber solutions available to mitigate their damage to the broker’s clients (and their clients).

I believe there will be a role for CPC insurers to generate non-risk-based fees from the provision of cyber services (e.g., auditing, monitoring, remediation). The CPC insurers participating in the cyber services market would obviously have to determine the resources needed to offer the cyber services.

Not every risk is insurable

The crux of this post is the point that there are some risks (and I believe a growing number of risks) that are (and will be) uninsurable.

See also: Why Open Insurance Is the Future

Criteria for insurability

This raises the question: How can an insurance/risk management professional identify risks that are insurable? Here I introduce some of Dr. Hartwig’s July 2021 testimony. I’ll let the table below speak for itself, but I will repeat his point that “The inability of a risk to meet one or more of these criteria reduces or eliminates its insurability.”

Consideration of a pandemic through the lens of the six criteria

Here – in the table below – is how Dr. Hartwig viewed the current pandemic through the six criteria: You can see there is a relentless parade of “no,” with his logic given for the requirement of each criteria not being met.

Cyber risk will increasingly become uninsurable

Turning now to cyber risk (which encompasses various risk segments), I use the same six points of insurability (or uninsurability, depending on your point of view) to conclude that cyber risk is uninsurable.

Remember, the risk is not insurable if only one of the six criteria is not met.

By my analysis, I come up with: two criteria of insurability met, two criteria not met and two criteria assigned a “quasi” rating, meaning maybe yes or maybe no. I answer no to the criteria: 3) determinable and measurable loss and 5) calculable chance of loss.

I suggest you select a specific cyber risk and do your own analysis. I may be too skeptical. I may be looking at the cyber risks too harshly. However, whoever does the analysis should lose whatever levels of trust they have about any of their web-connected devices being safe, secure and private.

Remember, there are only two types of web-connected devices: those that have been hacked … and those that have been hacked but you don’t realize it.

Boosting Cyber Hygiene With Insurtech

Thanks to large-scale ransomware attacks on technology providers like Kaseya, everyone involved — from cybersecurity practitioners to the business leaders who hire them, and from local policymakers to the White House — is thinking about how to reduce risk across the board. As cyber attacks grow in quantity and complexity, hurting downstream customers and interrupting business continuity, organizations need to take the right steps to implement proper security controls. 

Before, in-house security teams at organizations were scarcely involved with cyber insurers (if the organization had a cyber insurance policy at all). But in the face of an intensifying threat landscape, policyholders, brokers and insurers are working together to find solutions that benefit everyone involved. This newfound collaboration is enabled by technologies and solutions developed by insurtechs, taking the form of data-driven approaches to underwriting and more efficient implementation of best practices, thanks to up-to-the-moment data on security postures gathered by insurers and shared with brokers and policyholders. 

Let’s look at a few of the ways that insurers, brokers and policyholders are working together to improve security. 

Giving Policyholders Incentives to Adopt Better Controls

Policyholders should be encouraged to implement better cyber defense. Today, cyber insurers are looking for a new baseline of controls, which commonly includes multi-factor authentication (MFA), endpoint detection and response (EDR) and acceptable backup planning and strategy.

  1. MFA is an authentication method that requires the user to provide two or more credentials to gain access to an account. Rather than just asking for a username and password, MFA requires one or more additional verification factors unique to the individual, which decreases the likelihood of a successful cyber attack. Insurers want to see MFA for access to email, remote access to the network and administrator-level access, as it will help thwart or at least slow down an attacker. While a determined threat actor may find a way around MFA, a company without MFA in use is low-hanging fruit.
  2. Assuming a skilled threat actor does find a way in, EDR tools can provide an extra layer of threat identification and protection. They have all the benefits of regular antivirus software but go beyond just looking for known indicators of compromise. EDR tools can also identify anomalous user behavior on the endpoint and flag it as suspicious. And if implemented properly, the tools can potentially prevent ransomware from deploying fully. These tools may also have important activity data that forensics investigators can use to determine what the threat actor did in the system and data recovery functions that help a company get back up and running faster. Insurers are increasingly asking about EDR as a control, given it can at least lessen the impact of ransomware incidents. 
  3. In connection with efficient data recovery, solid backup strategy and documentation of a disaster recovery or business continuity plan will help provide peace of mind to policyholders that they are prepared for the worst-case scenario. Security protocols that include immutable backups (a backup that is read-only and cannot be altered or deleted by anyone, including an administrator at the company) are often supported by top-tier cloud backup solutions, marking another important consideration for policyholder investments. Gone are the days where backing up to a separate server is sufficient. Many organizations are moving their backup solutions to the cloud or adopting a hybrid model for this very reason — but it’s how you protect those cloud backups that is key. Organizations need to invest in a solution that will prevent internal members from making changes to backups, because a threat actor that steals their credentials will attempt to access and delete backups as a way to force an organization’s hand at paying.

To fully harness the power of these protective tools, there are two main ways to encourage policyholder usage: fair pricing and education. The cost of cloud backup solutions and EDR tools has come down significantly in recent years, meaning these tools are no longer cost-prohibitive for most companies. For insurers, providing additional discounts on top of already reasonable pricing can be what pushes an organization over to compliance. The greater challenge is in prioritizing what controls to implement and identifying the right vendor (there’s a lot of noise out there!). This is where education can be key and where cyber insurers and brokers can step in to recommend solid partners and solutions.

See also: How Insurtech Boosts Cyber Risk

Enable Underwriters With Tech for Increased Visibility 

Cyber underwriters have traditionally relied on application questions, emails and underwriting calls for larger accounts to obtain cybersecurity information to underwrite an account. Insurtech in cyber insurance empowers underwriters with additional data points about a risk’s posture so they can take a data-driven approach to underwriting.

The ability to scan for threats, and identify risk levels based on existing data, enables underwriters to identify vulnerabilities and build a more meaningful analysis. While there’s no tech-enabled replacement for an experienced underwriter, being able to gain insight into an organization’s IT infrastructure to discover common risk factors (some they may not even be aware of) can streamline the process. The applicant is able to mitigate risk and improve cyber hygiene, which gives the underwriter the additional confidence to move forward. 

In the end, thanks to tech-enabled underwriting, the result is an insured organization. Given the current risk environment and hard market for cyber insurance, we can confidently say that, without the ability to pinpoint risk factors at an individual account level, far more insurers and their underwriters would have further clamped down on cyber limits, increased rates and perhaps exited the market entirely — meaning insurance would be inaccessible for most, if available at all.

Standardize a Threat Response

Cyber insurers and brokers can work with existing policyholders to identify new, active threats during the policy term and support them in their response. 

Once a policyholder is identified as at-risk, tech-enabled cyber insurance providers can consistently monitor the situation and communicate clearly, concisely and quickly about what’s happening. As more information becomes available, it is critical to not only alert the right people but provide extra context around the vulnerability, what the risk is if they don’t patch it and the steps needed to resolve it. This should be done in a way so that all types of team members (in addition to IT professionals) can understand the criticality and communicate it to the right stakeholders for resolution. 

See also: Wake-Up Call on Ransomware

Another method to support policyholders is to weave in prioritized cybersecurity recommendations. At Corvus, our “vCISO,” or virtual CISO, guidance is one way we help policyholders take a stance against threats. This starts with a short security assessment, and pairing of the responses with scan findings that provide the policyholder with a prioritized list of cybersecurity recommendations and resources to help them implement controls or remediate vulnerabilities. This type of consistent, close collaboration is core to the cybersecurity approach that modern insurtech providers are taking to make an enduring impact on risk, rather than checking off a few boxes at the point of underwriting and renewal. 

To boost digital resilience and strengthen cyber hygiene against outside threats, policyholders need to have both the context for why certain security controls are so crucial, as well as the ability to adequately implement them within their organization. Insurers and brokers play a pivotal role in guiding policyholders to make the best decisions to limit their risk, and solutions developed by insurtechs help get the process off the ground with data-backed guidance. As cyber attacks evolve, so will protection strategies — and the sooner companies adopt supporting technologies the easier it will be to get on the same playing field as cybercriminals.

Data Breaches’ Impact on Consumers

Data breaches are perhaps more harrowing an experience than many realize. In the latest, the vast majority of LinkedIn users—about 92%—have been affected. Experts say it’s not just the magnitude of this breach that’s worrying; it’s the type of information compromised that should give LinkedIn users pause. The breach was announced June 22 by the alleged hacker, offering the data of 700 million users for sale. The breach reportedly contains email addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn username and profile URL, personal and professional experience or background, genders and other social media accounts and usernames. It’s easy to imagine creating a digital profile impersonating any of the 700 million victims. 

As urgent as this sounds, most breach victims do very little, if anything, in response. Some may find slight solace in the fact that many others (and, by many, we mean millions) have also been affected in the same way. This feeling can sometimes help to dampen the blow, along with the fact that most consumers are realizing there is virtually nothing they could have done to prevent the breach from happening in the first place: Data breaches are just par for the course in today’s digital world. 

But this limited consolation offers nothing to protect victims from the uncertain, but very real risk of future identity fraud. Over time, with breach after breach, the uncertainty grows, consumer trust in businesses weakens and new anxieties take hold. There’s an oft-overlooked psychological aspect to it all that even consumers themselves may not realize is happening. 

Living in a constant state of worry about being affected by identity theft can be exhausting. And while it may not be a frequent topic of conversation—and breach notifications often aren’t triggering specific precautions to be taken—we still know it weighs heavily on consumers’ mental state. Customer trust in organizations is eroding, and it’s happening rather quickly. Customers no longer have confidence that corporations can safely house the data they’re asking of customers. 

Moreover, there’s a subconscious pleasure that comes with feeling loyal to and cared for by organizations that one chooses to spend money with; all that goes away when the company experiences a data breach. The consumer no longer feels appreciated or valued and may be left wondering, are there any organizations left that I can trust with my data? Sadly, the answer may be an unstated but emphatic “no.”

See also: How Machine Learning Halts Data Breaches

The more definable and palpable sentiments of the consumer are still telling, though. Over the last few years, we at Generali Global Assistance have been keeping our finger on the pulse of the consumer to gain a better understanding of the consumer mentality. Earlier this year, we released findings from our second market study and found that, since 2017, concerns about identity theft—and especially about cybercrime—have continued to increase.

The very large majority of consumers (90%) believe that becoming a victim of identity theft or cybercrime is something that could happen to them at any time; this is up five points from 2017. Eighty percent of consumers said that they’re often scared by the number of ways in which their identity may be compromised, which is up 6 points from 2017. And 76% of consumers agreed that companies and institutions are not doing enough to protect their personal information. A holiday survey of ours in 2017 showed that 40% of consumers believe that businesses are not doing all they can to protect their personal information. The rate at which this gap has widened is striking.

Outside of the psychological impact, we must not forget what it actually means when one’s personal data is exposed. While a leak of your email address may leave you shrugging your shoulders, the combination of your name, address and birthdate can be ample data for a fraudster to do damage. It’s the aggregation of years’ worth of mega breaches that are leaving consumers wildly exposed. We already got a sneak peak of that this past year when unemployment fraud reached frightening levels in the midst of the pandemic—in our Resolution Center alone, we saw a 5,630% increase in employment-related fraud from 2019 to last year. Unfortunately, that may have been just the beginning. 

So while a singular data breach may not have an immediate effect on the consumer, each one chips away at the security of their identity. Data point by data point, our identities will be left in such a fragile state that the resulting fraud will not only be inevitable, but difficult to come back from. 

At the risk of sounding trite, the time is now for consumers to take action. It’s true that one cannot prevent hackers from infiltrating the companies they choose to do business with, but there are certainly ways to strengthen their identity so that any potential damages are greatly reduced.

ITL FOCUS: Cyber

MAY 2021 FOCUS OF THE MONTH
Cyber


FROM THE EDITOR

When I was in high school, a friend of mine had a poster on his wall that read, “Just because you’re paranoid doesn’t mean they aren’t out to get you.”

That pretty well summarizes how the world of cybersecurity and insurance works. Companies may feel paranoid for looking over their shoulder all the time, expecting something back to happen, but we all know that there are plenty of bad guys out to find all the victims they can.

Ransomware, in particular, has become an enormous problem. A few years ago, hackers would make limited strikes and hit a few computers at a company, then demand $10,000 or maybe $20,000 to unlock them. Now, though, hackers have figured out ways to combine their specialized skills and make a much broader attack that includes finding and locking up the backup servers — which means the hackers have pretty much shut a company down and can make any ransom demand they want. Demands of $500,000 or more are common, and some reach into the many millions of dollars.


Insurance is surely part of the solution for most companies, but paranoia plays a role, too. Companies need to spend much more time focusing on how to prevent the cyber attacks in the first place, and the best insurance companies are using their expertise to help clients with that effort. New tools and techniques offer considerable hope.


Within that effort at prevention, there is room for an awful lot more cooperation. Law enforcement can work with insurers and company clients to educate them on trends and offer advice, and insurers and their clients can work together to share information on vulnerabilities and on potential solutions. As long as the bad guys are working together, the good guys need to, too.


– Paul Carroll, ITL’s Editor-in-Chief



WHAT TO WATCH

The Alarming Surge in Ransomware Attacks

Insurers can help clients protect themselves – but preventive approaches aren’t yet widely implemented, leaving the door open for unscrupulous hackers. Join Michael Palotay, Chief Underwriting Officer for Tokio Marine HCC – Cyber & Professional Lines, and Paul Carroll as they continue their discussion on ransomware, cyber attacks, and how businesses can protect themselves.


WHAT TO READ

CISOs, Risk Managers: Better Together

In most large firms, risk managers buy cyber insurance–but are rarely expert in network security and may not fully understand the risk profile.

 

Ransomware Grows More Pernicious

The emergence of the Maze variant creates a new threat, that stolen information will be released to the public on the internet.

 

How to Fight Rise in Cyber Criminals

IT security standards have sometimes been lowered or suspended for work at home in the pandemic, resulting in cyber security exposures.

 

New Enhancements for Cyber Coverage

Cyber insurance is probably the most rapidly evolving product on the market. Here are some of the newer enhancements.

 

How CAT Models Are Extending to Cyber

The approach to models used for natural catastrophes is being applied to cyber, leading to a quick maturation in understanding the risks.

 

How Machine Learning Halts Data Breaches

There are four main types of data breaches that advances in machine learning can help thwart.

 


WHO TO KNOW

Get to know this month’s FOCUS article authors:


Evan Bundschuh


Kelly Castriotta


Laurel Di Silvestro


Mark Greisiger


Charles Pruzinsky


Erica Sunarjo


Learn More about ITL Focus


Interested in sponsoring ITL Focus or learning about other promotional opportunities? Contact us


How to Combat the Surge in Ransomware

The threat of a cyber-attack is far more dangerous now than it has been in the past, yet knowledge of the threat prevention systems necessary to protect oneself remain widely unknown. 

Ransomware, in particular, has exploded as a problem. The frequency of such attacks is up almost 200% in the past two years. Severity is up, too — the average ransom demand has surged from roughly $10,000 to well north of $100,000. Combine those two issues, and ransomware is many times as big a problem for clients and insurers as it was two years ago. 

Unless companies create more sophisticated protection systems, the problem will become even worse. Hackers are more astute, increasingly have access to inexpensive tools and have greatly expanded how and what they attack. There are even ransomware developers who sell or lease their ransomware, offering Ransomware-as-a-Service (RaaS).

In the past, attacks were relatively limited. When an employee clicked on an attachment that included a virus, the attack would encrypt the computer. There was minimal ability to spread to other computers, and individual computers were oftentimes backed up. This meant ransomware was frequently seen as just an inconvenience for a company and wasn’t as significant an issue for insurers as it is today.

Now, attackers use their initial entry into a computer as the starting point to work their way into a potentially huge network. The hackers lay traps and can generally find how and where the system’s sensitive information and backup server are located. With this information, the hacker can ensure that paying the ransom is the only way for a company to recover. An attack is often so devastating that the hackers can — and will — ask for exorbitant ransoms.

Tools for hackers are now inexpensive on the dark web, and hacker groups often coordinate. Perhaps one individual finds some credentials that allow a path into a system but isn’t sure how to exploit it. The person might sell the credentials on the dark web or hire some hacker known to be especially good at exploring and exploiting that kind of system; this is RaaS.

While some industries were considered to be relatively low-risk, that’s no longer the case. For instance, a few years ago, manufacturers were considered a target class for cyber insurance carriers because they were unlikely to store personal information, like credit card records. But now, they’re getting hit the hardest: Manufacturers are typically large companies with underdeveloped cyber security capabilities. Hackers would use this to their advantage and exploit these companies, which weren’t prepared for the onslaught of ransomware attacks. 

Within the Tokio Marine HCC – Cyber & Professional Lines Group, we’ve been working with thousands of policyholders to better prepare them for attacks, and people understand the problem conceptually. Cyber is a serious consideration at the executive level and mandatory for business continuity and disaster recovery planning. The recent SolarWinds attack has reminded us all that even the best-protected government and business systems are vulnerable. 

Based on simulations of attacks, we know that approximately 30% of those who receive a phishing email will click on a link that infects their system. Thorough training of staff on awareness and best practices reduces the number who fall for a phishing attack. With proper training, we’ve seen a reduction in exposure, whereby only 10% of employees fall for the trick when a hacker attacks; but that can still be enough for a catastrophe to happen, like the SolarWinds incident.  

Training should be mandatory, but it shouldn’t be the only layer of defense for the network. Perimeter defense, secure backups and patch management are all critical. At present, Tokio Marine HCC provides a vulnerability scanning service for policyholders, which provides insights on vulnerable points of entry for hackers, including security vulnerabilities in policyholders’ perimeter and out-of-date software, to help the insured avoid becoming a victim. 

To combat weak passwords, many companies are starting to require multi-factor authentication to safeguard access to their system. A person must use an alternate means to authenticate themselves through a code texted to a smartphone, provide biometric evidence of their identity through something such as an iris scan or verify their identity via another secondary means. This dramatically reduces the risk that a compromised password leads to a devastating attack.

Companies are moving toward a “zero trust” model to protect their systems. The idea behind this emerging model is to have virtual “hall monitors” to challenge every actor in the system and force that actor to revalidate itself before going into an additional “room.” In the past, companies would use a firewall to keep hackers out, but once hackers get past the wall they virtually have access to any “hall” in the network. 

Companies should also be thinking about their outsourcing arrangements. Outsourcing can be cost-efficient, but if you have a 1,000-person company and only have three full-time people in IT, you’re likely to be using outside contractors. Issues may arise with disagreements regarding who is responsible patching systems or monitoring the network for suspicious activity. Furthermore, Managed Service Providers (MSPs) are being targeted by hackers and, if the hackers gain unauthorized access, are being used to launch ransomware attacks against their clients.

At Tokio Marine HCC – Cyber & Professional Lines Group, we apply our expertise and use our scale to make deals on behalf of clients to create a package of security services from leading providers. These packages involve, for instance, CrowdStrike, which provides endpoint detection security; Cisco’s Duo, a leading service provider of multi-factor authentication; and many others. We provide the bundling of these services at a discount off the market price, as well as with a discount on premiums, because, based on our data, we’re confident that our clients are less vulnerable with solutions such as these. 

However achieved, reducing vulnerability helps both our company and our clients. We view this as a mutual relationship. If we can keep our claims costs as low as possible, our premiums can be as low as possible. However, it is critical for our insureds to focus on cyber security, so they are not an easy target for hackers. Whether a company has insurance or not, an attack is hugely disruptive, and, although we can transfer some of the financial costs, we can’t transfer everything. For instance, companies oftentimes still have to deal with being shut down for a stretch of time, while they hopefully recover their data and ramp back up.

Minimizing exposure to an attack is possible, but a company must invest in layers of network defenses, training and maintenance to stay ahead. Having the right insurance policy can protect you from the financial burden, but the reputational harm or missed opportunities that result from a cyber-attack can be very costly.  

If you are unable to reduce your vulnerability, the problem could spiral out of control. Insurers will need to keep raising rates rapidly or will simply drop out of the market — supply is already dwindling. Clients may find rates so high that they will self-insure — at great risk.  

At Tokio Marine HCC – Cyber & Professional Lines Group, we’re committed to the market, and demand for the insurance has never been greater. Our focus is staying on top of loss trends so we can help our clients continue to reduce risks and keep the problem manageable for all.

For more information about the Cyber & Professional Lines Group, please visit www.tmhcc.com/pro