Tag Archives: Stroz Friedberg

Cyber: Black Hole or Huge Opportunity?

You own a house. It burns down. Your insurer only pays out 15% of the loss.

That’s a serious case of under-insurance. You’d wonder why you bothered with insurance in the first place. In reality, massive under-insurance is very rare for conventional property fire losses. But what about cyber insurance? In 2017, the total global economic loss from cyber attacks was $1.5 trillion, according to Cambridge University Centre for Risk Studies. But only 15% of that was insured.

I chaired a panel on cyber at the Insurtech Rising conference in September. Sarah Stephens from JLT and Eelco Ouwerkerk from Aon represented the brokers; Andrew Martin from DynaRisk and Sidd Gavirneni from Zeguro represented the two cyber startups. I asked them why we are seeing such a shortfall. Are companies not interested in buying, or is the insurance market failing to deliver the protection cyber buyers need today? And is this an opportunity for insurtech start-ups to step in?

High demand, but not the highest priority

We’ll hit $4 billion in cyber insurance premium by the end of this year. Allianz has predicted $20 billion by 2025. And most industry commentators believe 30% to 40% annual growth will continue for the next few years.

A line of business growing at more than 30% per year, with combined ratios around 60%, at a time when insurers are struggling to find new sources of income is not to be sniffed at.

But the risks are getting bigger. My panelists had no problem in rattling off new threats to be concerned with as we look ahead to 2019: cryptocurrency hacks, increasing use of cloud, ransomware, GDPR, greater connectivity through sensors, driverless cars, even blockchain itself could be vulnerable. Each technical innovation represents a new threat vector. Cyber insurance is growing, but so is the gap between the economic and insured loss.

The demand is there, but there are a lot of competing priorities. Today’s premiums represent less than 0.1% of the $4.8 trillion global property/casualty market. Let’s try to put that in context. If the ratio of premium between cyber and all other insurance was the same as the ratio of time spent thinking about cyber and other types of risk, how long would a risk manager allocate to cyber risk? Even someone thinking about insurance all day, every day for a full working year would spend less than seven minutes a month on cyber.

It’s not because we are unaware of the risks. Cyber is one of the few classes of insurance that can affect everyone. The NotPetya attack, launched in June 2017, had caused $2.7 billion of insured loss by May 2018, according to PCS, and losses continue to rise. That makes it the sixth largest catastrophe loss in 2017, a year with major hurricanes and wildfires. Yet the NotPetya event is rarely mentioned as an insurance catastrophe and appears to have had no impact on availability of cover or terms. Rates are even reported to be declining significantly this year.


Large corporates are motivated buyers. They have an appetite for far greater coverage than limits that cap out at $500 million. Less than 40% of SMEs in the U.S. and U.K. had cyber insurance at the end of 2017, but that is far greater penetration than five years ago. The insurance market has an excess of capital to deploy. As the tools evolve, insurance limits will increase. Greater limits mean more premium, which in turn create more revenue to justify higher fees for licensing new cyber tools. Everyone wins.

Maybe.

Growing cyber insurance coverage is core to the strategy of many of the largest insurers.

Cyber insurance has been available since at least 2004. Some of the major insurers have had an appetite for providing cyber cover for a decade or more. AIG is the largest writer, with more than 20% of the market. Chubb, Axis, XL Catlin and Lloyd’s insurer Beazley entered the market early and continue to increase their exposure to cyber insurance. Munich Re has declared that it wants to write 10% of the cyber insurance market by 2020 (when it estimates premium will be $8 billion to $10 billion). All of these companies are partnering with established experts in cyber risk, and with start-ups, buying third-party analytics and data. Some, such as Munich Re, also offer underwriting capacity to MGAs specializing in cyber.

The major brokers are building up their own skills, too. Aon acquired Stroz Friedberg in 2016. Both Guy Carpenter and JLT announced relationships earlier this year with cyber modeling company and Symantec spin-off CyberCube. Not every major insurer is a cyber enthusiast: Swiss Re CEO Christian Mumenthaler declared that the company would stay underweight in its cyber coverage. But most insurers are realizing they need to be active in this market. According to Fitch, 75 insurers wrote more than $1 million each of annual cyber premium last year.

But are the analytics keeping up?

Despite the existence of cyber analytic tools, part of the problem is that demand for insurance is constrained by the extent to which even the most credible tools can measure and manage the risk. Insurers are rightly cautious, and some skeptical, as to the extent to which data and analytics can be used to price cyber insurance. The inherent uncertainties of any model are compounded by a risk that is rapidly evolving, driven by motivated “threat actors” continually probing for weaknesses.

The biggest barrier to growth is the ability to confidently diversify cyber insurance exposures. Most insurers, and all reinsurers, can offer conventional insurance at scale because they expect losses to come from only a small part of their portfolio in any one year. Notwithstanding the occasional wildfire, fire risks tend to be spread out in time and geography, and losses are largely predictable year to year. Natural catastrophes such as hurricanes or floods can create unpredictable and large local concentrations of loss but are limited to well-known regions. Major losses can be offset with reinsurance.

Cyber crosses all boundaries. In today’s highly connected world, corporate and country boundaries offer few barriers to a determined and malicious assailant. The largest cyber writers understand the risk for potential contagion across their books. They are among the biggest supporters of the new tools and analytics that help understand and manage their cyber risk accumulation.
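The diversification point above can be made concrete with a toy simulation. The Python below is an added example written for this page, not a model used by any insurer or vendor named in the article; the portfolio size, loss frequencies and systemic-event parameters are constructed assumptions, chosen so that both books carry the same expected annual loss. It compares a fire-like book, where every policy's loss is independent, with a cyber-like book where a small annual chance of a shared event (a NotPetya-style worm or a common vulnerability) hits a large slice of the portfolio at once.

```python
"""Independent losses vs a common-shock book with the same expected loss.

Added example for this page (illustrative only; not an insurer's pricing model).
All parameters below are constructed assumptions.
"""
import random

POLICIES = 1000          # insured firms, each with a limit of 1 unit
P_INDEPENDENT = 0.020    # fire-like book: annual probability of a full-limit loss per firm
P_IDIOSYNCRATIC = 0.014  # cyber-like book: firm-specific incidents
P_SYSTEMIC = 0.020       # cyber-like book: probability of a shared event in a given year
SYSTEMIC_SHARE = 0.30    # fraction of the book hit when the shared event occurs
# Expected loss per policy is (almost) equal by construction:
# 0.020 versus 0.014 + 0.020 * 0.30 = 0.020 (slightly less, since a firm can only lose its limit once)


def simulate_year(rng: random.Random, common_shock: bool) -> int:
    """Aggregate loss (count of full-limit claims) for one policy year."""
    if not common_shock:
        return sum(1 for _ in range(POLICIES) if rng.random() < P_INDEPENDENT)
    losses = sum(1 for _ in range(POLICIES) if rng.random() < P_IDIOSYNCRATIC)
    if rng.random() < P_SYSTEMIC:
        # The shared event can only exhaust limits on firms not already hit this year.
        untouched = POLICIES - losses
        losses += sum(1 for _ in range(untouched) if rng.random() < SYSTEMIC_SHARE)
    return losses


def percentile(values, q: float):
    """Nearest-rank percentile of a list of values, q in [0, 1]."""
    ordered = sorted(values)
    idx = int(round(q * (len(ordered) - 1)))
    return ordered[idx]


def compare(years: int = 2500, seed: int = 7) -> dict:
    """Simulate both books over many years and summarize mean and tail loss."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    indep = [simulate_year(rng, common_shock=False) for _ in range(years)]
    shock = [simulate_year(rng, common_shock=True) for _ in range(years)]
    return {
        "mean_independent": sum(indep) / years,
        "mean_common_shock": sum(shock) / years,
        "p99_independent": percentile(indep, 0.99),
        "p99_common_shock": percentile(shock, 0.99),
        "worst_independent": max(indep),
        "worst_common_shock": max(shock),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>20}: {value:.1f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

Both books pay out about 20 claims in an average year, so a pricing model that looks only at expected loss cannot tell them apart. The 99th-percentile annual loss is where they diverge: the common-shock book's tail sits roughly an order of magnitude above the independent book's, because the shared event converts a few percent of the portfolio into a few hundred simultaneous claims. That tail, not the mean, is what an insurer has to hold capital or buy reinsurance against, and it is why accumulation tools matter more for cyber than for fire.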

What about insurtech?

Insurer, investor or startup – everyone today is looking for the products that have the potential to achieve breakout growth. Established insurers want new solutions to new problems; investment funds are under pressure to deploy their capital. A handful of new companies are emerging, either to offer insurers cyber analytics or to sell cyber insurance themselves. Some want to do both. But is this sufficient?

The SME sector is becoming fertile ground for MGAs and brokers starting up or refocusing their offerings. But with such a huge, untapped market (85% of loss not insured), why aren’t cyber startups dominating the insurtech scene by now? The number of insurtech companies offering credible analytics for cyber seems disproportionately small relative to the opportunity and growth potential. Do we really need another startup offering insurance for flight cancellation, bicycle insurance or mobile phone damage?

While the opportunity for insurtech startups is clear, this is a tough area to succeed in. Building an industrial-strength cyber model is hard. Convincing an insurer to make multimillion-dollar bets on the basis of what the model says is even more difficult. Not everyone is going to be a winner. Some of the companies emerging in this space are already struggling to make sustainable commercial progress. Cyber risk modeler Cyence roared out from stealth mode fueled by $40 million of VC funding in September 2016 and was acquired by Guidewire a year later for $265 million. Today, the company appears to be struggling to deliver on its early promises, with rumors of clients returning the product and changes in key personnel.

The silent threat

The market for cyber is not just growing vertically. There is the potential for major horizontal growth, too. Cyber risks affect the mainstream insurance markets, and this gives another source of threat, but also opportunity.

Most of the focus on cyber insurance has been on affirmative cover – situations where cyber is explicitly written, often as a result of being excluded from conventional contracts. Losses can also come from “silent cyber”: damage to physical assets triggered by an attack that would be covered under a conventional policy where cyber exclusions are not explicit. Silent cyber losses could be massive. In 2015, the Cambridge Risk Centre worked with Lloyd’s to model a power shutdown of the U.S. Northeast caused by an attack on power generators. The center estimated a minimum of $243 billion in economic loss and $24 billion in insured loss.

In the current market conditions, cyber can be difficult to exclude from more traditional coverage such as property fire policies, or may just be overlooked. So far, there have been only a handful of small reported losses attributed to silent cyber. But now regulators are starting to ask companies to account for how they manage their silent cyber exposures. It’s on the future list of product features for some of the existing models. Helping companies address regulatory demands is an area worth exploring for startups in any industry.


Ultimately, we don’t yet care enough

We all know cyber risk exists. Intuitively, we understand an attack on our technology could be bad for us. Yet, despite the level of reported losses, few of us have personally, or professionally, experienced a disabling attack. The well-publicized attacks on large, familiar corporations, including, most recently, British Airways, have mostly affected only single companies. Data breach has been by far the most common type of loss. No one company has yet been completely locked out of its computer systems. WannaCry and NotPetya were unusual in targeting multiple organizations, with far more aggressive attacks that disabled systems, but on a very localized basis.

So, most of us underestimate both the risk (how likely), and the severity (how bad) of a cyber attack in our own lives. We are not as diligent as we should be in managing our passwords or implementing basic cyber hygiene. We, too, spend less than seven minutes a month thinking about our cyber risk.

This lack of deep fear about the cyber threat (some may call it complacency) goes further than increasing our own vulnerabilities. It is also the reason we have more startups offering new ways to underwrite bicycles than we do companies with credible analytics for cyber.

Rationally, we know the risk exists and could be debilitating. Emotionally, our lack of personal experience means that cyber remains “interesting” but not “compelling” either as an investment or startup choice.

Getting involved

So, let’s not beat up the incumbents again. Insurance has a slow pulse rate. Change is geared around an annual cycle of renewals. It evolves, but slowly. Insurers want to write more cyber risk, but not blindly. The growth of the market relies on the tools to measure and manage the risk. The emergence of a new breed of technology companies, such as CyberCube, that combine deep domain knowledge in cyber analytics with an understanding of insurance and catastrophe modeling, is setting the standard for new entrants.

Managing cyber risk will become an increasingly important part of our lives. It’s not easy, and there are few shortcuts, but there are still plenty of opportunities to get involved helping to manage, measure and insure the risk. When (not if) a true cyber mega-catastrophe does happen, attitudes will change rapidly. Those already in the market, whether as investors, startups or forward thinking insurers, will be best-positioned to meet the urgent need for increased risk mitigation and insurance.

Addressing Evolving Cyber Threats

In 2015, an accountant looking at the balance sheets of a U.S. tech company noticed a $39 million hole in the figures. The accountant would have been even more dismayed to know where it had gone – a member of the financial team in an overseas subsidiary had transferred it directly to the thief. All the thief had to do was pretend to be a CEO.

It’s a kind of attack known as a CEO email attack (often grouped under the broader label of business email compromise, or BEC), and just one of a broad range of hostile tactics known as social engineering attacks. These are attacks that exploit the natural weaknesses of human beings – our credulity, our naiveté, our propensity to help strangers and, sometimes, in the case of phishing attacks, just our greed – to get around security systems.

To put it in the language of 21st century cyber security: Social engineering operates on the idea that, just like any computer system, human beings can be hacked. In fact, a lot of the time they’re much easier to hack than computers. Understanding this fact, and the forms that social engineering can take, is essential to formulating a robust defense strategy. These strategies are even more important now, as the lines between the physical and digital worlds continue to blur and the assets at risk continue to multiply, thanks to the proliferation of connected technologies.

In Depth

From the serpent in the Garden of Eden, to the phishing emails that promise fortunes if only you’d just part with your bank details and Social Security number, social engineers have been with us for a while. But few epitomize their arcane arts quite like Frank Abagnale, whose exploits between the ages of 15 and 21 were immortalized in the Steven Spielberg film Catch Me If You Can. During those years, Abagnale posed as a doctor, a lawyer and an airline pilot, and he has become one of recent history’s most legendary social engineers. He now runs a consultancy, Abagnale and Associates, that aims to educate others – including government agencies such as the FBI, and numerous businesses – on how to catch people like him, as social engineering methods shift.

Abagnale asserts: “Some people used to say that I’m the father of social engineering. That’s because, when I was 16 years old, I found out everything I needed to know – I knew who to call, and I knew the right questions to ask – but I only had the use of a phone. People are doing the same things today 50 years later, only they’re using the phone, they’re using the mail system, they’re using the internet, email, cloud. There’s all this other stuff, but they’re still just doing social engineering.”

We live in an overwhelmingly digital world, and the projected 50 billion Internet of Things (IoT) devices due to be hooked up to the internet by 2020 means the already broad frontier of digital risk will only continue to grow. “I taught at the FBI for decades. There is no technology today that cannot be defeated by social engineering,” Abagnale says. Making sure the human links that sit between this expanding set of digital nodes remain secure lies at the heart of securing the whole system; one increasingly tied up with physical as well as digital assets.

New Risks

In 2010, the Stuxnet worm, malware believed to have been developed jointly by the U.S. and Israel, caused substantial damage to uranium-enrichment centrifuges being used by the Iranian nuclear program. The worm targeted the industrial control systems that regulated the speed at which the centrifuges spun. By alternately speeding up and slowing down the centrifuges, it induced stresses that caused irreparable mechanical damage. It was a new breed of digital weapon: one designed to attack not only digital systems but physical systems as well.

It was physical in another way. The target network was not connected to the internet, so the worm had to be carried in, most likely on an infected USB flash drive. Getting that flash drive into a port, or into the hands of someone who could, required human beings to intervene. By one widely repeated account, unmarked USB devices were left around a facility and were then inserted by unwitting technicians.


The Stuxnet worm highlights the extreme end of the dangers that lie at the overlap between digital technology, physical assets and human beings, but the risks extend well beyond that. More prosaic, for instance, are email scams that work by tricking the receiver into sharing vital information – remember the notorious “Nigerian prince” emails, where a fraudster would promise a willing helper untold riches in return for money to be released from jail?

Some of these scammers run elaborate networks that cross countries and continents and can be worth more than $60 million. Move the concept into the organization now: Imagine receiving an email from someone purporting to be your boss, asking in an official and insistent tone for a password or a transfer of funds. Could a typical employee be relied on to deny that request? What about a phone call? This was hacker Kevin Mitnick’s strategy. In a way a Frank Abagnale of the digital age, Mitnick carried out a range of high-profile attacks on key digital assets by simply phoning up and asking for passwords.
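The impersonation described in the last two paragraphs leaves traces in message headers that a mail gateway or security team can check before a finance employee ever has to make the judgment call. The Python below is an added example written for this page, not code from Stroz Friedberg, Aon or any product named in the article; the executive roster, corporate domain, keyword list and sample messages are constructed assumptions. It flags four indicators: an executive's display name on a message from an outside domain, a sender domain that is a homoglyph swap or one edit away from the real one, a Reply-To domain that differs from the From domain (so replies go to the fraudster even when the From line looks right), and payment-pressure language.

```python
"""Header checks for executive-impersonation ("CEO fraud") email.

Added example for this page; illustrative only, not vendor tooling.
EXECUTIVES, CORPORATE_DOMAINS, URGENCY_TERMS and SAMPLES are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAINS = {"example.com"}                       # assumed: our own mail domains
EXECUTIVES = {"jane doe": "example.com"}                  # assumed roster: display name -> home domain
URGENCY_TERMS = ("urgent", "wire transfer", "confidential", "before end of day", "gift cards")


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and common titles, collapse whitespace."""
    name = re.sub(r"[^a-z\s]", " ", name.lower())
    name = re.sub(r"\b(mr|mrs|ms|dr|ceo|cfo)\b", " ", name)
    return " ".join(name.split())


def fold_confusables(s: str) -> str:
    """Map common look-alike substitutions onto the characters they imitate."""
    return s.replace("0", "o").replace("1", "l").replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if domain is not ours but folds to, or is one edit from, a corporate domain."""
    if not domain or domain in CORPORATE_DOMAINS:
        return False
    return any(
        fold_confusables(domain) == fold_confusables(corp) or edit_distance(domain, corp) <= 1
        for corp in CORPORATE_DOMAINS
    )


def analyze(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    findings = []

    name = normalize_name(display)
    if name in EXECUTIVES and from_domain != EXECUTIVES[name]:
        findings.append("display_name_impersonation")

    if is_lookalike(from_domain):
        findings.append("lookalike_domain")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply_to_domain_mismatch")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency_language")

    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legitimate": "\n".join([
        "From: Jane Doe <jane.doe@example.com>",
        "To: finance@example.com",
        "Subject: Board deck",
        "",
        "Attached is the Q3 deck for review.",
    ]),
    "webmail_impersonation": "\n".join([
        'From: "Jane Doe (CEO)" <ceo.jane.doe@webmail.example>',
        "To: finance@example.com",
        "Subject: Urgent: wire transfer needed",
        "",
        "I am in meetings all day. Please wire the vendor below and keep this confidential.",
    ]),
    "lookalike_domain": "\n".join([
        "From: Jane Doe <jane.doe@examp1e.com>",
        "To: finance@example.com",
        "Subject: Invoice approval",
        "",
        "Please approve the attached invoice.",
    ]),
    "reply_to_hijack": "\n".join([
        "From: Jane Doe <jane.doe@example.com>",
        "Reply-To: Jane Doe <jane.doe@secure-reply.example>",
        "To: finance@example.com",
        "Subject: Vendor payment",
        "",
        "Process the wire transfer before end of day.",
    ]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:>22}: {analyze(raw) or 'no indicators'}")
```

None of these checks is proof of fraud on its own, and the real defense the article goes on to describe is procedural: a payment request that arrives with any of these indicators should be confirmed out of band, by phone to a number already on file, never by replying to the message.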

IoT: The Convergence of the Physical and Cyber Worlds

“Humans are the weakest link in any security program,” says Dennis Distler, director, cyber resilience, Stroz Friedberg, an Aon company. In fact, it’s us, rather than computer systems’ weaknesses or failures, that lie at the heart of around 90% of cyber breaches. Social engineering attacks can come in various forms, and the risk from them will never be fully mitigated. But while full mitigation is impossible, you can limit your exposure – that strategy begins at the individual level. Humans are the targets, so the first line of defense has to be from humans. “You certainly remind people that you have to be smarter, whether you’re a consumer or CEO. You have to think a little smarter, be proactive, not reactive,” Abagnale says.

While social engineering has a focus on financial loss, the focus of cyber risk is shifting to tangible loss with the potential for property damage or bodily injury arising out of IoT devices. Historically, cyber risk has been associated with breaches of private information, such as credit cards, healthcare and personally identifiable information (PII). More and more, however, the IoT – the web of connected devices and individuals – will pose an increased risk to physical property as breaches in network security begin to affect the physical world. Having a better understanding of vulnerabilities and entry points – both at the individual as well as device level – will be critical for organizations in 2017 and beyond.

Organizational Mitigation

Security awareness training and, to a lesser extent, technology can prevent many successful attacks – whether IoT-related, caused by human error or stemming from deliberate social engineering – but organizations can still take a number of steps to limit their exposure. Distler of Stroz Friedberg highlights several key steps a company can take to minimize its exposure to social engineering risk:

  • Identify what and where your organization’s crown jewels are. A better understanding of your most valuable and vulnerable assets is an essential first step in their protection.
  • Create a threat model to understand the types of attacks your organization is likely to face and how likely each is to succeed. From email phishing to physical breaches, the threat model helps teams prioritize and prepare their response.
  • Create organization-specific security awareness training addressing what types of attacks individual employees could expect, how to detect them and what the protocols for managing and reporting them are. Consider instituting a rewards program for reporting suspected attacks to further encourage vigilance.
  • Provide longer and more detailed training for high-value or vulnerable targets, such as members of the C-suite and their executive support staff, or members of IT, finance, HR or any other employee with access to particularly sensitive information. Depending on the organization, that group could range from account managers to mechanical engineers working on major operational projects. These enhanced training procedures could include red-teaming exercises, which test the ability of selected staff to respond to these attacks in real time.
  • Create well-defined procedures for handling sensitive information and provide routine training on these procedures for employees who handle sensitive information.
  • Conduct routine tests (recommended quarterly at a minimum) for the most likely social engineering attacks.

Preparing for Tomorrow’s Breaches

The term “cyber threat” is becoming more and more complex. No longer is it a threat posed to digital assets by viruses and malware or a financial threat posed to individuals and financial institutions. Now, cyber risk encompasses a broad range of risks with the potential to harm assets, from property to brand and reputation.

And at the center of all of these interactions are people. Almost every breach begins with a human being. By understanding how such threats can manifest, and how to deal with them when they do, risks can be mitigated ahead of time. Bringing together various functional groups within an organization will be crucial as teams prepare for the more multifaceted risks of our increasingly connected future.

Cyber Threats to Watch This Year

2015 was a year in which cyber criminals continued to innovate and expand their activities. As 2016 commences, look for insider threats to take center stage and for leading companies to respond. Meanwhile, cybersecurity and privacy issues will continue to reverberate globally. Here are a few predictions for the coming year:


Cyber threats and elections – Threat actors targeted the websites and emails of presidential candidates in 2008 and 2012. Campaign websites continue to be used to raise money, making them targets for hacktivists and cyber criminals alike. Expect to see U.S. primary frontrunners and eventual nominees successfully targeted and to see at least one campaign undermined by a data breach.

IoT spurs new rules – This will be the year consumers awaken to security and privacy concerns attendant to the Internet of Things. A major physical disruption — through the breach of a connected car or medical device or weak security in a connected toy — will spur regulators and consumers to demand action. Expect companies to spend untold amounts on testing and retrofitting IoT devices to meet hastily approved “privacy and security by design” rules.

Insider threats get addressed – Insider threats — current or ex-employees with knowledge of, and access to, the corporate network — will take center stage in 2016. This will push human resources leaders onto cross-functional cybersecurity teams in many organizations. Expect leading-edge companies to invest in technologies that identify and, in some cases, prevent insider threats before they cause material damage.

International data flows narrow – Uncertainty arising from the demise of the EU-U.S. Safe Harbor pact will disrupt international data flows. Expanding European nationalism, distrust of U.S. surveillance and subpoena power, the prospect of triggering huge fines for transborder transfers and political disputes over alternatives will drive some U.S. companies to avoid doing business with Europe altogether. Meanwhile, other multinationals will opt to segregate business functions geographically by building local cloud services and data centers that protect them from penalties.

Boardroom shuffle – With concern mounting over cyber risks, organizations will evaluate fresh approaches to ensure boards are well-informed and comfortable making strategic decisions. Expect the appointment of specialist, non-executive cyber directors and the formation of dedicated cyber-risk committees (similar to audit committees) with independent advisers. Regulators may also pursue the concept of “cyber competent” people as a requirement for boards.

Cyber insurance spike – Demand for cyber liability coverage will continue to rise. Expect premiums to also rise because of constantly evolving threats, immature risk models and an underdeveloped reinsurance market. This will affect retailers, healthcare providers, banks and others that are considered high risk. Uncertainty about the concentration of exposure will lead regulators to impose cyber incident “stress testing.” This is a way to model the impact of multiple, simultaneous incidents on cyber insurance carriers — and potentially stop those that fail these tests from writing new policies.