
Crowdsourcing 6 Themes for 2021

After the roller coaster of 2020, it’s a brave soul who’s willing to commit to what 2021 will look like. But running a global network of talented and successful people means that Robin Merttens and I have been able to dip into the collective wisdom of 20 of our friends and supporters from InsTech London.

In an hour-long Zoom call, we were able to crowdsource what is top of mind from 20 of the best people to predict the year ahead – those who are part of making it happen.

One investor, two reinsurers, three consultants, five Lloyd’s syndicates, six growing insurtechs and three others – all that was missing was the partridge and the pear tree.

You can now get the audio highlights of the event (scrubbed and polished to perfection by the ever-patient Peter Roach), along with my match commentary, on the InsTech London podcast episode 118. What follows are the dominant themes affecting risk and insurance that our panelists recommend you look out for — and why. We agree with Robert Lumley of Insurtech Gateway, though – the skill of making good predictions is about following the direction of travel.

Here it comes – from some of the sharpest minds at PKF, Munich Re, Swiss Re, EY, PWC, Deloitte, Brit, Talbot, Convex, Wakam, Chaucer, Concirrus, CyberCube, Blink, Riskbook, Flock, Zego, Insurtech Gateway, Voice of Insurance, Miller and FintechOS.

Insurers must regain trust — consumers want more certainty

Charlie Burgess runs Munich Re's international specialty business, and his responsibilities now include Munich Re Digital Partners. A major issue for Charlie is that trust in insurance has been dealt a double blow in 2020 — and resolving that must be a priority in 2021. The rejection of COVID-related claims has accelerated people's desire for more certainty between suffering a loss and receiving a payout. This, according to Charlie, will drive more interest in new types of insurance such as parametric. We agree, and wrote at length on this in our October report “Parametric Insurance – 2021 outlook and the companies watch.”

The use of “price walking,” the practice by which insurers charge their existing customers more than their new customers, has also undermined confidence in the market. Look out, Charlie says, for a “short-term rush to offer great deals by insurers to win new customers before the new regulations come into place.”

Ultimately, though, the impact will go deeper, he predicts, fueling the rise of trusted brands from outside insurance stepping in to replace traditional insurance brands, particularly in personal lines insurance.

We shouldn’t be too despondent, though. Nigel Walsh, partner at Deloitte, reminded us that the insurance industry did pay out billions of dollars in COVID-related claims in 2020. Nigel predicts (or should that be hopes?) that 2021 will be the year everyone starts to love insurance – and that the industry will finally fix its complicated wordings.

By the way, Nigel got his homework in early and has already published his predictions for 2021 – and I learned what gets Nigel going when we spoke earlier in 2020.

See also: 2021, We Can’t Wait to Get Going!

Better integration of technology, better standards and Lloyd’s Blueprint gets underway

By far the most popular prediction across our panelists was the rise of the platforms – our experts expect to see meaningful developments in the use of platforms, integration between technology and, in London, the progress and implementation of Lloyd’s Blueprint Two. John Needham, partner at PKF, and our sponsor for the night, is still hearing concerns from insurers he talks to about the lack of ability to integrate with the new tools that are available, and “frustration that they are having to choose a mainstream platform to play it safe.” Could this change in 2021?

Charlie Burgess welcomes the direction Lloyd’s is taking with its Blueprint but warned that implementation will take longer than planned. Charlie expects “a flurry of automation or digitalization among the Lloyd’s of London market players, both addressing the plumbing and digitalization in whole or some of the more complex risk products.”

Chris Payne, partner at EY, sees the development of a “more pronounced two-speed architecture model” as established companies grapple with overcoming legacy. According to Chris, people are “waking up and realizing that they want something leaner, where they can stand up new ideas or quickly test them, and then decide how they want to launch, whether through a new platform or more easily through their main platform.”

Christian Kitchen, head of technology and innovation at broker Miller, is also bullish about Lloyd’s: “It’s going to crack it this year. Blueprint Two is going to be exactly what we’ve always wanted. The core data record and the digital spine is going to be the framework that all of us build our new solutions on.”

Christian went on: “Now will be the chance for the agile organizations out there, including some of the brokers, to take what Lloyd’s is doing and build out the solutions and the end-to-end journeys that we’ve all been waiting for.” Christian is also optimistic about the opportunities this creates for what he refers to as the “real insurtech companies,” to start focusing on “groundbreaking solutions” as opposed to continuing to try to find work-arounds for legacy systems.

Karl Lawless, sales director at FintechOS, adds: “Five months of lockdown was five years of digital transformation, and I only see that accelerating next year.” Karl believes the age of the large transformation project is over. “Rather than insurers committing to the traditional big-box solutions that cost tens of millions of pounds and take three to five years to deploy, there’s now an opportunity to deploy best-of-breed digital components, going down the Lego block approach.” Karl reckons we will start seeing components glued together with automation, giving a cutting-edge platform to those that use this approach.

Having spoken to Gary Hoberman, CEO and founder of Unqork, earlier this year, I am sure low-code and no-code will be a big part of this. And with Unqork having attracted $365 million of funding, according to Crunchbase, clearly I’m not the only one to believe this.

Your platform will be arriving shortly…

Glynn Austen-Brown, partner at PWC, brought a global perspective to the predictions, with a reminder that we all expect technology to make things more convenient and to give us our time back. Insurance will be the next frontier for simplicity. “Look at what people are doing in China. Look at WeChat or Grab. We are going to be moving much closer toward that platform economy that is so prevalent in the Far East,” Glynn believes.

Mark Geoghegan, formerly editor of Insurance Insider and now the “Voice of Insurance” podcast host, advises us to look and see what technology choices the recently capitalized specialty insurers such as Inigo, Vantage and others make. Unlike the previous wave of start-ups 15 years ago, these companies, with large amounts of investment, can choose to go with the new solutions and not rely on legacy. (But will they, I wonder?) Meanwhile, Mark predicts that “most of the insurance market is still going to be your friend because they’re not so nimble. They decided that they wanted to digitize three or four years ago, and they’re finally starting to get around to doing it.”

Ben Rose, co-founder of new reinsurance platform RiskBook, picks up on something Christian Kitchen mentioned and says the challenger brokers will rise to prominence in 2021. With the Aon and Willis merger coming up, and the acquisition of JLT by Guy Carpenter that we’ve already seen, Ben reckons that the new breed of brokers, which he observes has been recruiting many star players in 2020, “is really good for reinsurance innovation.”

Ben’s list of challenger brokers to look out for includes TigerRisk, Beach, Capsicum, Gallagher, Hyperion, Lockton, McGill, BMS – all are small compared with the big two. As Ben points out, they can’t replicate what the two giants are doing, so they’ve got to think digitally and about how they can use innovation. “They can’t afford the traditional six-person account team to look after a single client, so they are going to have to explore automation to handle those bigger deals and perform all the analytics expected of them with a much smaller team.”

Ben and co-founder Jerad Leigh are watching closely as these brokers start to move faster and spin up partnerships with start-ups to bring a digital service that’s been missing from the reinsurance ecosystem for quite a while. This is a topic I discussed at length with Rod Fox, CEO and Co-founder of TigerRisk, and with Barnaby Rugge-Price, CEO of Hyperion. And you can learn more about RiskBook from Ben when he joined us for the London leg of the ITC global tour.

Data-powered customers and risk reduction

Jenny Williams from Convex picked up on the theme of data, and she is thinking about it from a platform perspective, too. Jenny pointed to the recent news that S&P has acquired IHS Markit, a company that provides financial services and many insurers with data, for $44 billion: “We’ll see more partnerships and acquisitions in the data ecosystem space.” She added that “lots of different companies offer different variations of data on different assets and their risk and perils.” Companies (and InsTech corporate members) such as e2value and Hazard Hub are doing well in the U.S.

The challenge, according to Jenny, is that each specific data set requires expertise to collect and curate. Jenny is looking out for “more of a one-stop shop, targeted partnerships that may help reduce the offering overlap, while expanding the breadth of useful data that’s available to us.” We go deeper into this topic in my interview with WhenFresh CEO Mark Cunningham.

Christen Smith, head of sales at Flock, a growing insurtech company, echoes a point made by many others, that “customers and brokers aren’t going to be happy with the old solutions or with the old way of doing things. UBI (usage-based insurance) won’t be good enough any more.” Christen added that “we’re going to have to take the next steps into exposure-based insurance and really move the needle to impact consumer behavior.” Flock has recently expanded beyond offering commercial drone operator insurance into broader commercial insurance, so it is no surprise that for them “it’s going to be a big year for stepping things up a notch in the space of connected insurance, and really delivering for consumers and brokers in a new and different way than has been done before.” Watch this space, we say.

Glynn Austen-Brown picked up on an emerging but powerful theme around customers who are “looking for more services that are aimed at risk prevention and other value-add services, for example boiler servicing, energy bill usage reduction and help with home repairs.” Glynn also sees this theme as driving more partnerships and more embedded insurance — “things like Uber and Airbnb partnerships will become much more prevalent in regards to services and products that insurers offer. Customer stickiness will be everything.”

Data-powered automated syndicates

Andy Yeoman, CEO of Concirrus, expects to see meaningful progress from companies using data and algorithms, what he refers to as “technology-fueled market entrants.” We’ve seen Brit insurance launch the Ki syndicate and gain £500 million investment this year (my discussion with James Birch and CEO Mark Allan of Ki has been one of our most popular podcasts).

Andy expects the newcomers are “going to use those algorithms to replace the work, whether it be submissions or some of the underwriting decisions,” and their role will change: “We’re going to see their use move from follow syndicates, to lead syndicates. And in doing so, all those organizations are going to create investable asset classes because they’ll ultimately have a predictable yield.” This will make insurance attractive for more external capital, with “trillions of dollars of pension funds monies” coming into the market, maybe not in 2021, but soon after. You can learn more about Andy Yeoman and Concirrus from our discussion last year.

See also: 11 Insurtech Predictions for 2021

But we need to deal with the data-ingestion problem

Of course, all these great opportunities for using data will fail if insurers can’t get the data they need. Jenny Williams is hoping that 2021 will “see some real progress in the very difficult area — submission and ingestion of data in commercial and specialty lines.” The problem that Jenny refers to is caused by the volumes of valuable data that are locked up in the non-standard email attachments received by underwriters. While the data may now be getting to the underwriters, it’s hard or expensive to extract. Jenny explained why. “It’s not just about ingesting standard forms such as ISO or ACORD; we’re talking about the really funky messy Excel spreadsheets with merged cells, multiple tabs and complex risk details that require real expert interpretation to identify the statements of values, loss runs, engineering reports, etc.”

Jenny is encouraged by some proof points from companies such as Eigen Technologies, Groundspeed, EY and Expert AI, which are among those she sees leading the way. There is more need for collaboration between the technology and insurance experts, but for Jenny it “feels like we’re at a tipping point, and this might be seriously commercially viable next year.”

In Age of Disruption, What Is Insurance?

“Somehow we have created a monster, and it’s time to turn it on its head for our customers and think about providing some certainty of protection.” – Inga Beale, CEO, Lloyd’s of London

In an early-morning plenary session at this year’s InsureTech Connect in Las Vegas, Rick Chavez, partner and head of digital strategy acceleration at Oliver Wyman, described the disruption landscape in insurance succinctly: while the first phase of disruption was about digitization, the next phase will be about people. In his words, “digitization has shifted the balance of power to people,” forcing the insurance industry to radically reorient itself away from solving its own problems toward solving the problems of its customer. It’s about time.

For the 6,000-plus attendees at InsureTech Connect 2018, disruption in insurance has long been described in terms of technology. Chavez rightly urged the audience to expand its definition of disruption and instead conceive of disruption not just as a shift in technology but as a “collision of megatrends”–technological, behavioral and societal–that is reordering the world in which we live, work and operate as businesses. In this new world order, businesses and whole industries are being refashioned in ways that look entirely unfamiliar, insurance included.

This kind of disruption requires that insurance undergo not merely modernization but a true metamorphosis: not simply shedding its skin of bureaucracy, paper applications and legacy systems, but being reborn as an entirely new animal, focused on customers and digitally enabled by continuing technological transformation.

In the new age of disruption …

1. Insurance is data

“Soon each one of us will be generating millions of data sets every day – insurance can be the biggest beneficiary of that” – Vishal Gondal, GOQii

While Amazon disrupted the way we shop, and Netflix disrupted the way we watch movies, at the end of the day (as Andy G. Simpson pointed out in his Insurance Journal recap of the conference) movies are still movies, and the dish soap, vinyl records and dog food we buy maintain their inherent properties, whether we buy them on Amazon or elsewhere. Insurance, not simply as an industry but as a product, on the other hand is being fundamentally altered by big data.

At its core, “insurance is about using statistics to price risk, which is why data, properly collected and used, can transform the core of the product,” said Daniel Schreiber, CEO of Lemonade, during his plenary session on day 2 of the conference. As copious amounts of data about each and every one of us become ever more available, insurance at the product level – at the dish soap/dog food level – is changing.

While the auto insurance industry has been ahead of the curve in its use of IoT-generated data to underwrite auto policies, some of the most exciting change happening today is in life insurance, as life products are being reconceived around a boom of health data generated by FitBits, genetic testing, epigenetics, health gamification and other fitness apps. In a panel discussion titled “On the Bleeding Edge: At the Intersection of Life & Health,” JJ Carroll of Swiss Re discussed the imperative of figuring out how to integrate new data sources into underwriting and how doing so will lead to a paradigm shift in how life insurance is bought and sold. “Right now, we underwrite at a single point in time and treat everyone equally going forward,” she explained. With new data sources influencing underwriting, life insurance has the potential to become a dynamic product that uses health and behavior data to adjust premiums over time, personalize products and service offerings and expand coverage to traditionally riskier populations.

Vishal Gondal of GOQii, a “personalized wellness engine” that is partnering with Max Bupa Insurance and Swiss Re to offer health coaching and health-management tools to customers, believes that integrating data like that generated by GOQii will “open up new risk pools and provide products to people who couldn’t be covered before.” While some express concern that access to more data, especially epigenetic and genetic data, may exclude people from coverage, Carroll remains confident that it is not insurers who will benefit the most from data sharing, but customers themselves.

See also: Is Insurance Really Ripe for Disruption?  

2. Insurance is in the background

“In the future, insurance will buy itself automatically” – Jay Bergman

Some of the most standout sessions of this year’s InsureTech Connect were not from insurance companies at all, but from businesses either partnering with insurance companies or using insurance-related data to educate their customers about or sell insurance to their customers as a means of delivering more value.

Before unveiling a new car insurance portal that allows customers to monitor their car-related records and access a quote with little to no data entry, Credit Karma CEO Ken Lin began his talk with a conversation around how Credit Karma is “more than just free credit scores,” elucidating all of the additional services they have layered on top of their core product to deliver more value to their customers. Beyond simply announcing a product launch, Lin’s talk was gospel to insurance carriers, demonstrating how a company with a fairly basic core offering (free credit scores) can build a service layer on top to deepen engagement with customers. It’s a concept that touches on what was surely one of the most profound themes of the conference – that, like free credit scores, insurance need only be a small piece of a company’s larger offering. This may mean embedding insurance into the purchase of other products or services (e.g., how travel insurance is often sold), or it may mean doing what Credit Karma has done and layering on a service offering to deepen engagement with customers and make products stickier.

Assaf Wand, CEO of the home insurance company Hippo, spoke to both of these models in his discussion with David Weschler of Comcast about how their two companies are partnering to make insurance smarter and smart homes safer. When asked about what the future of insurance looks like, Wand put it plainly when he said: “Home insurance won’t be sold as insurance. It will be an embedded feature of the smart home.” Jillian Slyfield, who heads the digital economy practice at Aon, a company that is already partnering with companies like Uber and Clutch to insure the next generation of drivers, agrees: “We are embedding insurance into these products today.”

Until this vision is fully realized, companies like Hippo are doing their part to make their insurance products fade into the background as they offer additional services for homeowners. “Can I bring you value that you really care about?” Wand asked. “Wintering your home, raking leaves, these are the kinds of things that matter to homeowners.”

3. Insurance is first and foremost a customer experience

“The insurance industry has to redefine our processes… go in reverse, starting with the customer and re-streamlining our processes around them” – Koichi Nagasaki, Sompo

To many outside the insurance industry, the idea of good customer experience may seem unremarkable, but for an industry that has for so long been enamored by the ever-increasing complexity of its own products, redefining processes around customers is like learning a foreign language as a middle-aged adult. It’s hard, and it takes a long time, and a lot of people aren’t up to the task.

The insurance industry has been talking about the need for customer-centricity for a while now, but many companies continue to drag their feet. But customer-centricity is and remains more than a differentiator. It’s now table stakes. How this plays out for the industry will look different for different companies. Some will turn to partnerships with insurtechs and other startups to embed their products into what are already customer-centric experiences and companies. Chavez of Oliver Wyman would rather see the industry “disrupt itself,” as he believes it’s critical that companies maintain the customer relationship. In his plenary sessions, he cited the German energy company Enercity as a company that disrupted itself. Operating in a similarly regulated industry, rather than becoming just a supplier of energy, the company invested heavily in its own digital strategy to become a thought leader in the energy space, to be a trusted adviser to its customer and to deliver an exceptional digital experience that, among other things, leverages blockchain technology to accept bitcoin payments from customers. For Chavez, insurtech is already a bubble, and, “If you want to succeed and thrive in a bubble, make yourself indispensable.” The only way to do this, he believes, is to maintain ownership over the customer experience, because, in today’s digital economy, the customer experience is the product.

But to own the customer experience and succeed will require insurance companies to completely reorient their business practices and processes – to start with the customer and the experience and work backward toward capabilities. In the words of Han Wang of Paladin Cyber, who spoke on a panel about moving from selling products to selling services, “It’s always a question of what does the customer want? How do they define the problem? And what is the solution?”

4. Insurance is trust

“The world runs on trust. When we live in a society where we have lots of trust, everyone benefits. When this trust goes away, everyone loses.” – Dan Ariely, Lemonade

During a faceoff between incumbents and insurtechs during one conference session, Dylan Bourguignon, CEO of so-sure, clinched the debate with a single comment, calling out large insurance carriers: “You want to engage with customers, yet you don’t have their trust. And it’s not like you haven’t had time to earn it.” This, Bourguignon believes, is ultimately why insurtechs will beat the incumbents.

Indeed, the insurtech Lemonade spent a fair amount of stage time preaching the gospel of trust. Dan Ariely, behavioral economist and chief behavior officer at Lemonade, delivered a plenary session entirely devoted to the topic of trust. He spoke about trust from a behavioral standpoint, explaining how trust creates equilibrium in society and how, when trust is violated, the equilibrium is thrown off. Case in point: insurance.

Insurance, he explained, has violated consumer trust and has thrown off the equilibrium – the industry doesn’t trust consumers, and consumers don’t trust the industry, a vulnerability that has left the insurance industry open to the kind of disruption a company like Lemonade poses. As an industry, insurance has incentives not to do the thing it has promised to do, which is to pay out your claims. And while trust is scarcely more important in any industry than it is in insurance, save perhaps healthcare, the insurance industry is notoriously plagued by two-way distrust.

What makes Lemonade stand out is that it has devised a system that removes the conflict of interest inherent in most insurance companies – as a company, it has no incentive not to pay out customer claims. In theory, profits are entirely derived by taking a percentage of the premium; anything left over that does not go to pay out a claim is then donated to charity. The result: If customers are cheating, they aren’t cheating a company, they are cheating a charity. Ariely described several instances where customers even tried to return their claims payments after finding misplaced items they thought had been stolen. “How often does this happen in your companies?” he asked the audience. Silence.

And it’s not just new business models that will remedy the trust issues plaguing insurance. It’s new technology, too. In a panel titled “Blockchain: Building Trust in Insurance,” executives from IBM, Salesforce, Marsh and AAIS discussed how blockchain technology has the capacity to deepen trust across the industry, among customers, carriers, solutions providers and underwriters, by providing what Jeff To of Salesforce calls an “immutable source of truth that is trusted among all parties.” Being able to easily access and trust data will have a trickle-down effect on everyone, including customers, employees and the larger business as a whole – reducing inefficiencies, increasing application and quote-to-bind speed, eliminating all the hours and money that go into data reconciliation and ultimately making it easier for carriers to deliver a quality customer experience.

See also: Disruption of Rate-Modeling Process  

While the progress in blockchain has been incremental, the conference panel demoed some promising use cases in which blockchain is already delivering results for customers, one example being acquiring proof of insurance for small businesses or contractors through Marsh’s platform. With blockchain, a process that used to span several days has been reduced to less than a minute. Experiences like these – simple, seamless and instantaneous – are laying the groundwork for carriers to begin the long road to earning back customer trust. Blockchain will likely play an integral role in this process.

5. Insurance is a social good

“We need insurance. It is one of the most important products for financial security.” – Dan Ariely, Lemonade

For all the naysaying regarding the state of the industry that took place at InsureTech Connect, there were plenty of opportunities for the industry to remind itself that it’s not all bad, and that at its core insurance is something incredibly important to the stability of people across the globe. Lemonade’s Schreiber called it a social good, while Ariely told his audience, “We need insurance. It is one of the most important products for financial security.” Similar sentiments were expressed across stages throughout the conference.

In fact, insurance is more important than ever: in today’s society, income disparity is at one of the highest points in recent history, stagnating wages are diminishing the middle class, more people in the U.S. are living in poverty now than at any point since the Great Depression, the social safety net is shrinking by the minute and more than 40% of Americans don’t have enough money in savings to cover a $400 emergency.

For Inga Beale, CEO of Lloyd’s of London, insurance has a critical role to play in society. “It goes beyond insurance – it’s about giving people money and financial independence,” she said during a fireside chat. She went on to describe findings from recent research conducted by Lloyd’s, which determined that, by the end of their lives, men in the U.K. are six times better off financially than women. When designed as a tool to provide financial independence and equality for everyone, insurance can play an important role in addressing this disparity. While this has been a focus in emerging markets, financial stability and independence is often assumed in more developed markets, like the U.S. and Europe. In reality, it is a problem facing all markets, and increasingly so. Ace Callwood, CEO of Painless1099, a bank account for freelancers that helps them save money for taxes, agrees that insurance has an important role to play. “It’s our job to get people to a place where they can afford to buy the products we are trying to sell,” he said.

You can find the article originally published here.

Quest for Reliable Cyber Security

As we still struggle to improve physical security in the brick and mortar world, we are also greatly challenged by security issues in the cyber world. The layers of cyber protections are melting away quickly (Figure 1) as evidenced by an exponential growth in cyber crime. We are all racing rapidly away from the shores of the brick and mortar world, chasing after irresistible and addictive internet-based technology.

The Cyber War Statistics and Projections

Figure 2 shows the Lloyd’s of London estimates of worldwide cyber damages in U.S. dollars for 2013 ($100 billion) and 2015 ($400 billion). The Juniper Research projection for 2019 is $2 trillion. Cybersecurity Ventures projects $6 trillion of damage for 2021. If these projections become reality, that represents a 60-fold increase in cyber damages over the eight-year period between 2013 and 2021.

An independent Ponemon Institute study sponsored by Hewlett Packard said that, in 2016, the average U.S. firm reported cybercrime damages of $17 million. The average cyber damages were much lower outside the U.S., but the growth in such crimes there is also exponential. The U.S. National Small Business Association study said that small businesses that had their bank accounts hacked lost an average of $32,000.

See also: 10 Cyber Security Predictions for 2017  

The Cyber War Defender Sentiment

Various IT expert surveys tell us that the majority of defenders feel that we are losing this cyber war. Here are some key disturbing sentiments:

  • An iSense Solutions survey of 250 IT professionals, conducted for Bitdefender among companies that suffered a cyber breach in the last year, delivered the disturbing news that 74% of those breached don’t know how the breach happened.
  • A survey by the Ponemon Institute revealed that it took between 98 and 197 days to detect that a security breach had happened.
  • An AT&T (Cybersecurity Insights) report surveyed 5,000 companies worldwide that were launching Internet of Things (IoT) devices. Only 10% of IoT developers felt that they could secure those devices against hackers. It is estimated that 10 billion devices were connected to the internet in early 2016 and that the number will grow to 30 billion devices by 2020.
  • Another Ponemon Institute survey in 2016 consisting of 643 IT experts revealed that only one-third of the IT experts surveyed consider the cloud safe from cyber attacks.
  • Cybersecurity Ventures estimates that $1 trillion will be spent on cyber security products and services between 2017 and 2021.
  • Cyber experts tell us that just meeting compliance is the beginning of cyber security and not the end.
  • The World Economic Forum (WEF) stated that a “significant” amount of cybercrime and espionage still goes undetected.
  • Hacker tools are cheap, fast and becoming easier to use, providing disturbing attacker advantages.

The Cyber War Executive Summary

Let’s summarize this gloomy situation. We are in an exponential growth period of cybercrime. Anywhere from 67% to 90% of experts surveyed can relate to these comments:

  • They distrust the cloud.
  • Most do not know how or when they were hacked, if they were hacked.
  • Most do not know how to fully protect the old and new flood of internet connected devices from future hacks.
  • Just meeting compliance is insufficient against hacks and cyber attacks.
  • When hacks are noticed, they are noticed three to six months-plus after the fact.

This raises the question of how IT and security professionals will spend their security budget if they have been so unsuccessful in the past and present. This is clearly a high-risk environment and getting worse.

Can Cyber Strategies Rescue Us?

Classic and logical-sounding cyber strategies have been and are being rendered useless by hackers and cyber-sharks. Figure 3 depicts the sad state of worldwide cyber security. Why are most cyber strategies not working? Maybe because they focus too much on the technical and do not engage all of the enterprise resources and its culture as an additional layer of defense.

Figure 4 reminds us of the words of MIT Professor Bill Aulet, derived from the original quote by the famous management consultant Peter Drucker: “Culture eats strategy for breakfast, operational excellence for lunch and everything else for dinner.”  If our cyber strategy does not harness and engage the enterprise culture as a partner in this cyber war, we should expect only limited successes.

Can Artificial Intelligence (AI) Rescue Us?

Some are touting AI and machine learning as the “last hope” for cyber security, but some experts are also quick to confess that not all AI strategies are effective and that the cyber protection industry is only at the beginning of this journey to apply AI to cyber security. This confidence in AI also assumes that the “bad guys” will not use AI to become better hackers.

Can High-Reliability Organizational (HRO) Techniques Rescue Us?

Decades ago, organizations operating high-risk systems like nuclear submarines, aircraft carriers and nuclear power plants developed a highly successful culture-based management system that was later designated as high-reliability organizations (HRO). HROs have achieved zero-incident safety records even though they are considered high-risk. Now that every organization is thrust into the high-risk cyber world, it’s time to consider the HRO playbook and assess our cultures against custom HRO cyber criteria. Airlines, railroads, power plants, hospitals and other organizations are starting to customize HRO principles to meet their stretch goals for employee, customer and patient safety.

Figure 5 shows one of the first basic enterprise system and cultural assessments required to lay the foundation for HRO cyber thinking across all layers of the organization. Such assessments will require anonymous inputs from all stakeholders and levels to ensure that all skeletons in the closet and the taboo talk rules that limit cyber successes are exposed.

The pursuit of becoming a high-reliability cyber organization is not for the faint of heart, and it is not a quick fix. It is a set of highly disciplined principles that affect the behaviors, attitudes, decision making and accountability for every level of the enterprise cascade as summarized in Figure 6. If any of the cyber security elements in the cascade has a weak link, cyber security will be at risk. The last line of defense against cyber attacks needs to be organizational and cultural and not just technical or centered on compliance.

As the world moves toward the shocking new reality of annual multitrillion-dollar cyber damages, organizations will need to combine technical and non-technical best practices for reliability to counter cyber threats. Unfortunately, it might take one or more big business failures or a major worldwide cyber calamity before more organizations start to see the value of a combined high-performance culture and technical strategy. Great successes of HRO organizations should teach us that a combined culture and technical strategy is the best way to defend ourselves in this expanding cyber world war.

The Key to Survival in the Wild West of Cyber

Today, the question is not will my organization experience a cyber attack, but when, and how. In our digital and connected business world, companies seeking cost efficiency, speed and better customer experience are rapidly connecting more processes, infrastructure and information to the internet. At the same time, the complexity and frequency of cyber attacks continue to rise. You only need to look at the list of recent high-profile attacks to see that companies across industries, from Wall Street banks to healthcare to entertainment, and government entities are being assailed.

This brave new cyber world exposes organizations to a different category of risks and associated liability issues, including the need to cover themselves for loss or exposure of commercially valuable intellectual property or consumer data; misappropriation of trade secrets; privacy violations; losses via third parties; costs associated with breach notification, forensics, credit monitoring, outside incident response providers, technical remediation and PCI assessments; business interruption costs and system failure; and legal proceedings and defending against regulatory actions – to name a few. On top of this, while companies suffering under the weight of a breach understandably feel like victims, they are not always seen that way by the authorities, the marketplace or the media. While dealing with the fallout of an incident, companies often face the additional challenge of defending their actions, protecting their brands and getting claims settled and paid. In this context, long before an event occurs, proper cyber risk mitigation is a best practice for all organizations.

Just like in the Wild West, organizations dealing with cyber risk are operating in a fast, continuously shifting threat landscape, governed by its own set of evolving laws and rules. Even knowing the bandits are out there, organizations continue to be caught off guard by new criminal tactics and attack vectors. Hackers continue to hone their techniques, whether that means obtaining access through the Internet of Things, masterminding more sophisticated social engineering methods or attacking information sources and manipulating data. What is more, the delay between a cyber criminal penetrating a network and being discovered can be considerable: it might take a hacker only eight days to attack a network, but it typically takes six or more months to detect the incident. Financial firms take an average of 98 days to detect a data breach, and retailers can take as much as 197 days, according to the Ponemon Institute and IBM Cost of Data Breach Study. That’s a wealth of time for attackers to inflict significant damage, and it doesn’t look good to regulators, customers and other stakeholders.

Against this backdrop, cyber insurance is an essential component of a company’s risk management strategy. Even while companies tend to view the likelihood of a loss as higher for information assets than for property, plant and equipment (PP&E) assets, they are more adept at protecting physical assets, with approximately 51% of PP&E assets covered by insurance compared with only 12% of information assets on average, according to the Ponemon Institute’s 2015 Global Cyber Impact Report. One reason for this is that insureds and cyber insurance providers alike struggle with accurately assessing and quantifying cyber risk; despite paying significant premiums, companies remain under-insured. According to the CEO of Lloyd’s of London, cyber-related losses for businesses worldwide were valued at $400 billion in 2015, yet ABI Research estimated that global gross written premiums for cyber insurance that year only totaled around $2 billion.

The lack of data on which to quantify cyber risk means insurers feel they are often writing policies on the back of incomplete information. Unlike in other risk areas such as flood insurance – where historical data means that companies can quantify risk almost to the dollar – developing a strategy to assess and insure against cyber risk is altogether different. And for the insured, selecting a policy is taxing: all policies are not available to all companies, all policies are not equal, and, on top of this, companies are required to demonstrate the existence of sound cyber risk management policies and programs to be eligible for a policy and to claim benefits. These challenges posed by the burgeoning cyber insurance market, and the fact that companies cannot expect to transfer all their cyber risk, mean that they must take a broader, more holistic approach to assessing and reducing exposure.

It is easy for organizations to lose perspective on how best to manage cyber risk, particularly as it affects multiple stakeholders in an organization, from the CISO to the risk manager, the board, IT, the C-suite and even HR. Everyone will have their own ideas about which programs should be mandated and which technology is the latest “holy grail” in cybersecurity. However, this siloed approach is not effective. Cyber attackers are simply too well-motivated, well-resourced and diverse. But it’s not time to throw in the towel. Knowing they will be attacked does not leave companies powerless; in fact, this certainty can empower a far better approach to cyber security. The key to managing risk – and avoiding chaos and significant loss in the wake of an attack – is achieving cyber resilience. Adopting a cyber resilient mindset serves the interests of all stakeholders trying to defend an organization and provides assurance to insurers that companies are prepared in the event of an attack.

So, what does it mean to be cyber resilient? Resilience is the ability to withstand or recover quickly from difficult, often unanticipated conditions. In the world of cyber, resilience strategies enable companies to rapidly detect, respond to and recover from cyber attacks. The goal is to detect incidents before they become serious, respond to them vigorously and recover from them effectively. You will be attacked, but if you are resilient you are less likely to have to wear a scarlet letter when the incident occurs.

Achieving resilience

The most urgent question companies must answer is: What are the critical assets that we are trying to protect? Some organizations will find it easy to agree on a list of assets, such as customer data or Social Security numbers. Others, perhaps more complex organizations, might find it hard to come to agreement. Alignment on defining critical assets is essential and, above all, economically prudent. Cybersecurity talent is scarce and budget is finite, so prioritizing assets helps allocate money where it matters most. Knowing what needs protection, and where it is, enables organizations to focus controls on that area, directs threat detection activity and tells first responders where to look when an attack is suspected. This has the potential to shorten the gap between attack and detection, minimizing the risk of having a predator in the network for seven, eight or more months. Identifying critical assets is also a necessary first step in choosing and benefiting from cyber insurance products. It’s true you don’t need a $100 safe to protect a $1 bill, but you do need an adequate policy to protect everything that you safeguard. Of course, while focusing on protecting critical assets is essential, companies should continue to defend the full organization, maintaining a strong overall security posture.

Once critical assets are clearly defined, cyber threats and vulnerabilities can be assessed and prioritized from three distinct perspectives: the threat to mission-critical technology, the balance sheet and corporate reputation. With vulnerabilities determined, companies can sharpen defenses and deploy programs to uncover, test and remediate them. Tactics regularly used range from sophisticated penetration testing and social engineering techniques to employing ethical hackers or red teams. In the world of resilience, however, the work does not stop at identifying vulnerabilities and shoring up defenses. Resilient organizations are ready for the “during” and “after” phases of an attack, as well as the “before.” They enhance monitoring activities, develop response plans and study and practice threat detection and response processes so that they can quickly bounce back and resume normal business operations.

When news of an attack occurs, it is not scheduled on the day’s calendar of events. It comes as a hit. Companies will typically learn of a breach in one of three ways: The company identifies the breach itself, finding a malicious actor has been in the network for weeks, or even months; a company receives a call from law enforcement often with limited information as part of a larger compromise that has occurred; or, the worst scenario, a third party breaks the news, for example a customer, business partner or the media. Cyber-resilient organizations can adapt to any of these scenarios, take control and respond with confidence. To be prepared, companies need response plans to manage this “during” phase of an attack. Importantly, these plans need to come alive – which means that they are continually enhanced, practiced and ingrained into the workplace culture.

This response preparation and practice equates to confidence, and the degree of practice will be clear in the wake of an attack. Some organizations call this conducting table-top exercises, or simulated cyber attack exercises. This preparation involves all key stakeholders, both internally and externally, and with a well-oiled plan, when a breach call comes, each player follows the blueprint. Public relations is not relegated to a “no comment” statement; financial teams are geared up to manage insurance; lawyers are deployed; and law enforcement is called – among other actions. Ideally, companies have already contracted with a cyber insurance carrier and cyber resilience firm, and have cultivated personal relationships with primary (and even secondary) representatives.

Companies should also take steps to have incident response and forensic investigators, as well as outside counsel, on retainer, even if they have additional internal expertise to handle these aspects of an investigation. During a breach, companies need to move quickly. Entering contract negotiations and procurement processes mid-crisis will not only waste precious time but also leave companies on the back foot in price negotiations with providers. When considering who to retain, it is key to look at the firm’s experience: the number of cases a firm has been engaged on; the diversity of skillsets; the technical tools used; the references of the subject matter experts; and vertical experience. Be careful if selecting a firm that requires its own technology be used on the investigation, as this can limit the scope of its capabilities and potentially lead to conflicting motivations. Also be aware that asserting privilege over the information shared with any firm is a slippery slope, especially through in-house counsel: the strongest way to assert privilege in an investigation is through outside counsel.

Recovering from a cyber attack

Now that the attack is contained, it’s time to recover. Enter stage right, cyber insurance. The cost of a breach can be significant, not only in intangible ways but in concrete costs, particularly if companies face risk and liability via a regulatory or legal investigation. For example, the Federal Trade Commission (FTC) can launch lawsuits against organizations if it suspects them of failing to properly safeguard customer information. Such cases have the potential to span several years and can result in companies’ drowning in millions of pages of documents in response to requests and questioning, often involving executives at the very highest level. The cost of related investigations can reach millions of dollars in legal and vendor fees, not to mention the associated damage to brand and reputation.

To protect from such costs, it is critical that companies quantify the intangible damages that will occur in the event of a breach and enhance board-level understanding of the financial value of these risks to deploy capital to strengthen resilience and purchase insurance policies. When looking to transfer risk, companies must seek industry-leading terms and conditions with global carriers, often across multiple lines of business. Unlike policy options for physical assets, which are relatively standardized, the insurance industry is still ascertaining what cyber coverage looks like and, while more sophisticated teams are being assembled to effectively assess risk, evaluate preparedness and write policies, the policies still vary greatly. At its base, companies want a policy that covers “first party” types of losses, including forensics, notification costs, credit monitoring and breach coach fees. Companies will also want products to cover the third-party traditional liability costs, in case they are found liable for the incident and must pay a judgment or enter into a settlement. Insurance can also cover costs to defend against any regulatory action. Once a policy is purchased, a resilient organization has processes in place to ensure that potential losses are properly tracked in the event of a breach, which will help maximize coverage and cost recuperation. A strong personal relationship with the carrier representative is invaluable at this juncture, as is the ability to quickly and fully disclose the depth of cyber preparedness planning. This will confirm that the organization has an advocate for claim submission and approval.

In terms of the risk of a public lawsuit and legal proceeding, negligence is by far the most common reason an organization is found liable for cyber wrongdoing. Fortunately, class action lawsuits are not common. Bryan Cave, in its Data Breach Litigation Report, reported that in 2016 about 5% of all breach cases filed led to class action litigation, a number that has remained consistent over the past four years. One case recently decided in favor of the plaintiffs was Tampa General Hospital, where it was argued that a series of insider breaches put plaintiffs at risk for identity theft and was the result of the hospital’s inadequately safeguarding patient data. Tampa General, in an October 2016 preliminary settlement approval, agreed to pay plaintiffs $10,000 plus as much as $7,500 toward attorney and litigation costs. Larger data breach class action settlements have reached the tens of millions; in those, claimants are eligible for a cash payment if credit or debit card data or personal information was stolen as a result of the breach. Although it is still rare to see these allegations result in settlements, this pendulum could swing. When it swings, a sound cyber insurance product will bring protection in the form of covering part, or all, of the defense costs and resulting settlement payments.

Cybersecurity is firmly entrenched as one of the most consequential issues affecting organizations across industries – no one is immune. However, acceptance that an attack is likely can be the impetus for companies to work toward becoming resilient. By putting in place better policies, people, response processes and technology, companies can position themselves in a place of power when a breach does occur. Resilient companies also put themselves in better positions when negotiating cyber security insurance rates, when claiming damages following an attack and when facing regulators, lawsuits and, importantly, embittered and disappointed consumers. Ultimately, adopting a cyber-resilient mindset serves the interests of all stakeholders and allows companies to focus on doing what they do best – running their businesses.

Y2K Rears Its Head One More Time

In the late 1990s, in the run up to Jan. 1, 2000, insurers deployed Y2K or “electronic date recognition” exclusions into a multitude of insurance policies. The logic made sense: The Y2K date change was a known risk and something that firms should have worked to eliminate, and, if Armageddon did materialize, well, that’s not something that the insurance industry wanted to cover anyway.

Sixteen years later, one would expect to find Y2K exclusions only in the Lloyd’s of London “Policy Wording Hall of Fame.” But not so fast.

Electronic date recognition exclusions are still frequently included in a variety of insurance contracts, even though it’s doubtful that many folks have given them more than a passing glance while chuckling about the good old days. And now is the time to take a closer look.

Last month, various cybersecurity response firms discovered that a new variant of the Shamoon malware was used to attack a number of firms in the Middle East. In 2012, the original version was used to successfully attack Saudi Aramco and resulted in its needing to replace tens of thousands of desktop computers. Shamoon was used shortly thereafter to attack RasGas, and, most notoriously, the malware was used against Sony Pictures in late 2014. Shamoon has caused hundreds of millions of dollars of damages.

The new version, Shamoon v2, changes the target computer’s system clock to a random date in August 2012 — according to research from FireEye, the change may be designed to make sure that a piece of software subverted for the attack hasn’t had its license expire.

This change raises issues under existing electronic date recognition exclusions because many are not specifically limited to Jan. 1, 2000; they instead feature an “any other date” catch-all. For example, one of the standard versions reads, in part:

“This Policy does not cover any loss, damage, cost, claim or expense, whether preventative, remedial or otherwise, directly or indirectly arising out of or relating to any change, alteration, or modification involving the date change to the year 2000, or any other date change, including leap year calculations, to any such computer system, hardware, program or software and/or any microchip, integrated circuit or similar device in computer equipment or non-computer equipment, whether the property of the Insured or not.”

By our estimation, this exclusion is written broadly enough to exclude any losses resulting from a Shamoon v2 attack, if indeed the malware’s success is predicated on the change in system dates to 2012.

Given that the types of losses that Sony and Saudi Aramco suffered can be insured, firms shouldn’t be caught off guard. We advise a twofold approach: Work with your insurance broker to either modify language or consider alternative solutions; and ensure that your cybersecurity leaders are monitoring your systems for indicators of compromise, including subtle measures like clock changes.
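One way to act on that last piece of advice, as an added example that is not part of the original article or of FireEye’s research: a small Python triage routine over constructed Windows Security event 4616 (“The system time was changed”) records, which flags large backward clock jumps and any change landing in the August 2012 window the article attributes to Shamoon v2. The process allow-list, host names, threshold and sample records are assumptions to tune per environment.

```python
"""Triage Windows "system time was changed" events for Shamoon v2-style clock tampering.

Added example, not code from the original article or from FireEye. It assumes
Security event 4616 records have already been parsed into dicts carrying
PreviousTime, NewTime, ProcessName and Host; the sample records below are
constructed, and the process allow-list is an assumption to tune per estate.
"""
from datetime import datetime, timedelta, timezone

# Assumed allow-list: processes that legitimately adjust the clock (NTP client, VM tools).
TRUSTED_TIME_SETTERS = {"svchost.exe", "w32tm.exe", "vmtoolsd.exe"}

# Backward jumps larger than this are treated as tampering, not drift correction (assumed).
MAX_BENIGN_BACKWARD = timedelta(minutes=5)

# The window the article reports Shamoon v2 setting the clock into (August 2012).
SHAMOON_WINDOW_START = datetime(2012, 8, 1, tzinfo=timezone.utc)
SHAMOON_WINDOW_END = datetime(2012, 9, 1, tzinfo=timezone.utc)

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2017-01-20T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_time_change(event):
    """Return (severity, reason) for one event-4616-style record."""
    prev = parse_ts(event["PreviousTime"])
    new = parse_ts(event["NewTime"])
    backward = prev - new  # positive when the clock moved backward
    proc = event.get("ProcessName", "").rsplit("\\", 1)[-1].lower()

    if SHAMOON_WINDOW_START <= new < SHAMOON_WINDOW_END:
        return "critical", f"clock set into August 2012 window by {proc}"
    if backward > MAX_BENIGN_BACKWARD:
        return "high", f"clock moved back by {backward} via {proc}"
    if proc not in TRUSTED_TIME_SETTERS:
        return "medium", f"clock changed by untrusted process {proc}"
    return "info", "routine adjustment by trusted time service"


def triage(events):
    """Return (host, severity, reason) for every non-info event, worst first."""
    findings = []
    for event in events:
        severity, reason = classify_time_change(event)
        if severity != "info":
            findings.append((event["Host"], severity, reason))
    findings.sort(key=lambda f: SEVERITY_RANK[f[1]])
    return findings


# Constructed sample records (not real telemetry); ProcessName values are illustrative.
SAMPLE_EVENTS = [
    {"Host": "WS-017", "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2017-01-20T10:00:00Z", "NewTime": "2017-01-20T10:00:02Z"},
    {"Host": "WS-042", "ProcessName": r"C:\Windows\Temp\dropper_example.exe",
     "PreviousTime": "2017-01-20T10:05:00Z", "NewTime": "2012-08-17T13:42:00Z"},
    {"Host": "WS-019", "ProcessName": r"C:\Windows\System32\rundll32.exe",
     "PreviousTime": "2017-01-20T10:00:00Z", "NewTime": "2017-01-20T09:30:00Z"},
    {"Host": "WS-023", "ProcessName": r"C:\Tools\customsync.exe",
     "PreviousTime": "2017-01-20T10:00:00Z", "NewTime": "2017-01-20T10:01:00Z"},
]

if __name__ == "__main__":
    for host, severity, reason in triage(SAMPLE_EVENTS):
        print(f"{severity:8} {host}: {reason}")
```

Feeding real 4616 events in requires only mapping the event’s PreviousTime, NewTime and ProcessName fields into the same dict shape.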