Tag Archives: symantec

Reinsurance: Dying… or in a Golden Age?

Much has been said about the challenges facing the reinsurance industry, to the point where the industry and a few of its major players have been characterized as being in a potentially terminal decline. However, to focus on recent results is to overlook fundamental changes in the nature of risk in the 21st century that could benefit the world’s major reinsurers, with opportunities unlike any seen before in the modern history of reinsurance.

A difficult financial backdrop for reinsurance in 2017

Financial results for major reinsurers in 2017 saw substantial contractions from prior years, driven by large catastrophe losses from hurricanes and California wildfires. These results have been followed by cost reduction in the reinsurance industry, which has elicited surprise in two conflicting ways. For some, the surprise was that the cost-reduction efforts could affect reinsurance, given that such exercises were more common for their cedent primary carrier clients. For others, the surprise was that it had taken so long for a focus on cost to come to the reinsurance market.

Concerns about the future financial performance of the reinsurance industry are held at the very highest levels of leadership among major reinsurers. In response to questions about the company’s 2017 performance, Swiss Re CEO Christian Mumenthaler commented on the state of the property catastrophe market that “we need to get used to a world where margins are much lower.” Given that property catastrophe profits have been one of the best-performing segments, not just in reinsurance, but in the entire insurance industry, according to McKinsey, this is an unwelcome development for the medium-term profitability of reinsurance firms.

Bearish commentators do not blame recent poor results on an unfortunate confluence of large-scale U.S. property losses, excess capital in the reinsurance industry or a temporary soft market. Rather, global advisory firm EY points to “clear signs that reinsurers face a long-term structural phenomenon rather than a short-term fluctuation of the insurance cycle.” EY goes on to warn in a report on the reinsurance industry that there is “compelling evidence that reinsurers are inexorably moving toward a ‘dead end’ with their legacy business models.”

The potential for reinsurance, with a longer-term lens

Such pronouncements about the potential for the reinsurance industry to perish are, however, overblown. Far from the rapidly changing risk environment undercutting the role of reinsurance, changes in the nature of risk have the potential to unlock a golden age of reinsurance where reinsurance institutions could play an even more important role in the future of the global economy than ever before. Two megatrends affecting society in the 21st century could bode very well for the reinsurance industry.

The shift from physical to non-physical assets on balance sheets

First, the emergence of non-physical assets fundamentally alters the nature of risk, which will require major changes in the P&C insurance industry.

According to Ocean Tomo, in 1975, more than 80% of the market capitalization of the S&P 500 was derived from physical assets and infrastructure. Property insurers, therefore, had a key role in insuring the most valuable assets of the business community. However, by 2015, property assets made up a relatively small share of the value of businesses, with 87% of that value being tied to intangible assets. For centuries, the P&C insurance industry was focused on the protection of property, but in the space of a generation the relative importance of physical property has declined precipitously. Risk to assets hasn’t gone away; there has just been a shift from physical to non-physical assets.


The shift toward digital risks as a driver of risk to a company’s income statement

Second, the emergence of digital risk is fundamentally changing the potential causes of loss for businesses. When you move beyond a balance sheet perspective, where physical property has declined in importance, and look at the income statements of contemporary businesses, you also see an increasing reliance on digital technologies with substantial potential for business interruption when these technologies are disrupted. These losses are already being witnessed today with the recent NotPetya attack illustrating that many major businesses can lose hundreds of millions of dollars from a single cyber event. It is, therefore, no surprise that cyber risk has skyrocketed in importance from the #15 item on the minds of risk managers in 2013 to the #2 item on the minds of risk managers in 2018, according to a report from Allianz.

What is remarkable is not just the meteoric rise in importance of cyber risk over the past five years but the fact that we are just scratching the surface of a megatrend that promises to have an even greater impact in the years to come. Changes in technology are fundamentally changing the nature of risk due to the digitization of the economy, the automation of entire industries and the explosion of Internet of Things (IoT) devices. As the economy shifts from having 10 billion IoT devices to more than 200 billion IoT devices, sources of digital risk are set to skyrocket, along with the potential for cyber losses.

The foundation for any financial risk transfer product – where is the financial loss?

Estimating the financial impact of cyber risk is a difficult endeavor. A recent piece of research conducted by RAND, supported by the CyberCube unit of Symantec and the Hewlett Foundation, estimated that cybercrime today costs the global economy at least $275 billion to as much as several trillion dollars. When you layer on the emergence and deployment of new technologies, this number will only increase over time.

Not only will these losses due to cyber events rise, but cyber catastrophe modeling research undertaken by CyberCube suggests that there will be a shift from attritional day-to-day losses affecting individual firms to more and more large-scale losses affecting multiple companies simultaneously from global aggregation events. Such events were once deemed somewhat theoretical, but the last 18 months have revealed a series of cyber aggregation events that have shown that cyber events have the potential to lead to simultaneous losses from many companies, and we are just at the beginning of a major technological change.

In many cases, the absolute level of risk for the global economy will decline. For example, with the emergence of new safety features in automated cars, the incidence of property and casualty losses from automobiles will decline.

However, new sources of catastrophic risk emerge as the potential arises for mass losses from the simultaneous failure of the technology affecting thousands of companies simultaneously. CyberCube has identified more than 1,000 technology “single points of failure” that could pose sources of aggregation risk to insurers, and this number will only grow as the years go by and new cloud-connected technologies are rolled out. To draw an analogy to the property insurance market, you can expect far fewer one-off damages from one-off fires burning down a single home and far more wildfires destroying entire towns.

Implications for reinsurers

So what are the implications for reinsurers?

1. The foundation for any financial risk transfer product – where is the financial loss?

Changes in the nature of company assets, technology and the emergence of connected digital risk are reducing absolute levels of risk to society overall but concentrating the potential for financial losses in a smaller number of catastrophic events. This is precisely the type of risk and financial transfer that the reinsurance industry can provide.

2. Emerging cyber risk is so complex that the largest and most sophisticated reinsurers stand to gain the most from this shift in the risk landscape

Given that cyber risk is not geographically constrained, the ability of smaller and less sophisticated reinsurers to participate in a large number of geographically diversified natural catastrophe treaties is diminished. The nature of cyber risk is so complex and dynamic that only reinsurers with a critical mass of expertise in connected digital risk will be able to effectively understand, monitor and model cyber risk. There will be more differentiated insight in cyber risk than in natural catastrophe risk.

3. Investment from reinsurers is needed to understand cyber risk today, in advance of catastrophe events that could create tremendous financial opportunities for reinsurers in the future

It is a cliché to say that it is a matter of “not if but when” for cyber attacks on individual companies. What is becoming increasingly apparent is that the same can be said for catastrophic cyber aggregation events that cause material damage to many companies simultaneously. When this happens, insurance history suggests that demand for coverage will increase, capital will flee the market and prices will harden. The reinsurance market for cyber as a peril might be small today, but reinsurers that have taken the time to invest in their own capabilities ahead of these events, with informed capital to deploy when market demand spikes, will benefit tremendously.


Conclusion: Terminal decline or golden age?

The nature of risk is fundamentally changing, which means the nature of financial risk transfer also must change. 2017 may have been a bad year for the financial performance of the reinsurance industry, but this is a market where time horizons need to be considered over many decades and certainly not over the results from one financial year alone.

Far from the reinsurance industry being in a potentially terminal decline, changes in the nature of risk in the 21st century stand to benefit the most sophisticated players in the reinsurance industry if they can take advantage of digital trends and understand new risk concentrations.

Reinsurers that invest in understanding the nature of cyber risk, and the sources of catastrophic losses, not only stand to benefit in outsized ways relative to other insurers, but they also stand to help society reap the tremendous rewards of new technology by mutualizing financial risk when technology inevitably goes wrong.

The reinsurance industry as a whole is neither in terminal decline nor at the beginning of a new golden age. It is the action of individual reinsurance companies, and their efforts to understand, quantify and model digital risk that forms the basis of whether they will thrive or falter in this emerging digital age.

3 Things on Cyber All Firms Must Know

Managed security services providers, or MSSPs, continue to rise in presence and impact—by giving companies a cost-effective alternative to having to dedicate in-house staff to network defense.

In the thick of this emerging market is Rook Security. I spoke with Tom Gorup, Rook’s director of security operations, about this at RSA 2017. A few takeaways:

Outsourced SOCs. MSSPs essentially function as a contracted Security Operations Center, or SOC. Most giant corporations, especially in the financial and tech sectors, have long maintained full-blown SOCs, manned 24/7/365. And so the top MSSP vendors, which include the likes of AT&T, Dell SecureWorks, Symantec, Trustwave and Verizon, are aggressively marketing MSSP services to midsize companies, those with 1,000 to 10,000 employees.


At the other end of the spectrum—catering to very small businesses—you have consulting technicians, operating in effect as local and regional MSSPs. These service providers may have one or two employees. They make their living by assembling and integrating security products developed by others, working with suppliers such as SolarWinds MSP, which packages and white labels cloud-based security solutions for very small businesses.

So what about the companies in between, those with, say, 50 to 999 employees? Security vendors recognize this to be a vastly underserved market, one that probably has pent-up demand for MSSP services.

What MSSPs provide. For midsize and large enterprises, MSSPs deliver an added layer of expertise that can help bigger organizations actually derive actionable intelligence from multiple security systems already in place, such as firewalls, intrusion detection systems, sandboxing and SIEMs. The top MSSPs tap into all existing systems and provide deeper threat intelligence services, such as device management, breach monitoring, data loss prevention, insider threat detection and incident response.

For small businesses, local MSSPs focus on doing the basics to protect endpoints and servers. This relieves the small business operator from duties such as staying current on anti-virus updates, as well as security patches for Microsoft, Apple, Adobe and Linux operating systems and business applications that are continually probed and exploited.

Who needs one? Every business today is starkly exposed to network breaches. So who could use an MSSP? The calculation for midsize and large organizations is straightforward. The goal is to provide more data protection at less cost, based on thoughtful, risk-based assessments. The most successful MSSPs will help company decision-makers build a strong case for their services.


At smaller companies, the first question to ask is this: How mature is my security posture to begin with?

Gorup observes: “Is security even on the radar right now? In smaller organizations, you might have just one person, part-time, working IT. Security is kind of secondary. I’d recommend seeking more advisory services to help detect phishing attacks, help build some processes, help understand what technologies you should invest in. This will allow growth to occur. And then you can make a natural transition into building an SOC or seeking SOC services.”

10 Cyber Security Predictions for 2017

Each year, the cyber security industry faces new types of threats as cybercriminals evolve their approach toward accessing organizations’ data. For 2017, the security experts at Symantec have taken a close look at the trends we can expect to see this year and in the years ahead. Given the consistently changing security landscape, it’s important to take a moment and determine where the security industry needs to focus attention.

We’ll continue to see a shift toward the modern workplace as businesses allow employees to introduce new technologies such as wearables, virtual reality and IoT-connected devices onto the network while supporting a rapidly dispersed workforce made possible by cloud applications and solutions. Enterprises will need to shift their focus from safeguarding endpoint devices toward protecting users and information across all applications and services.

Here’s a list of cyber security threats in 2017 as predicted by the Symantec cyber security team.

1. Connected cars will be taken for ransom

As cars start to have connected capabilities, it is only a matter of time until we see an automobile hack on a large scale. This could include cars being held for ransom, self-driving cars being hacked to obtain their location for hijacking, unauthorized surveillance and intelligence gathering, or other automobile-focused threats. This will also lead to a question of liability between the software vendor and automobile manufacturer, which will have long-term implications on the future of connected cars.


2. IoT devices will increasingly penetrate the enterprise

Beyond looking simply at computers and mobile devices for vulnerabilities, incident response teams will need to consider thermostats and other connected devices as jumping points into the network. Similar to how printer servers were used for attacks several years ago, nearly everything in an enterprise is now connected to the internet and will need to be protected.

3. Increased IoT DDoS attacks

The Dyn attack in October demonstrated the vast number of IoT devices that don’t have security on them and are tremendously vulnerable to attacks. As more IoT devices are installed in the mass market, the risk of security breach will increase. Once insecure devices are in the market, it becomes almost impossible to fix the issue without recalling them or issuing security updates. Given that this lack of security will continue for the foreseeable future, the number of IoT attacks will only increase as well.

4. Ransomware will attack the cloud

Given the significant shift towards cloud-based storage and services, the cloud is becoming a very lucrative target for attacks. The cloud is not protected by firewalls or more traditional security measures, so there will be a shift in where enterprises need to defend their data. Cloud attacks could result in multi-million dollar damages and loss of critical data, so the need to defend it will become even more crucial.

5. Threats from AI will only continue to grow

In 2017, artificial intelligence or AI will only continue to grow – Forrester predicts investment in Artificial Intelligence will grow 300 percent next year alone. With this growth comes new, powerful insights for businesses to tap, and an increased collaboration between humans and machines. From a security standpoint, this expansion will impact organizations in more ways than one – including endpoints and mechanisms in the cloud.

6. Machine Learning to cause widespread threats

As new forms of machine learning and AI continue to enter the market, enterprises will need to invest in solutions that have the capabilities to collect and analyze data from the countless endpoints and attack sensors across different organizations, industries and geographies. These solutions will prove to be instrumental in teaching machines how to operate on the front lines of a global battle that changes every day, minute by minute.

7. Rogue nation states will finance themselves by stealing money

There is a dangerous possibility that rogue nation states could align with organized crime for their personal gain, such as what we saw in the SWIFT attacks. This could result in down time for countries’ political, military or financial systems.

8. Fileless malware will increase

Fileless infections – those written directly onto a computer’s RAM without using files of any kind – are difficult to detect and often elude intrusion prevention and antivirus programs. This type of attack increased throughout 2016 and will continue to gain prominence in 2017, most likely through PowerShell attacks.

9. SSL abuse will lead to increased phishing sites using HTTPS

The rise in popularity of free Secure Sockets Layer or SSL certificates paired with Google’s recent initiative to label HTTP-only sites as unsafe will weaken security standards, driving potential spear-phishing or malware programs due to malicious search engine optimization practices.


10. Drones will be used for espionage and explosive attacks

This could be seen in 2017, but is more likely to occur further down the road. By 2025, we can expect to see “dronejacking,” which will intercept drone signals and redirect drones for the attacker’s benefit. Given this possibility, we can also expect to see anti-drone hacking technology being developed to control these devices’ GPS and other important systems.


3 Reasons Insurance Is Changed Forever

We are entering a new era for global insurers, one where business interruption claims are no longer confined to a limited geography but can simultaneously have an impact on seemingly disconnected insureds globally. This creates new forms of systemic risks that could threaten the solvency of major insurers if they do not understand the silent and affirmative cyber risks inherent in their portfolios.

On Friday, Oct. 21, a distributed denial of service attack (DDoS) rendered a large number of the world’s most popular websites — including Twitter, Amazon, Netflix and GitHub — inaccessible to many users. The attack conscripted vulnerable Internet of Things (IoT) devices such as routers, DVRs and CCTV cameras to overwhelm DNS provider Dyn, effectively hampering internet users’ ability to access websites across Europe and North America. The attack was carried out using an IoT botnet called Mirai, which works by continuously scanning for IoT devices with factory default user names and passwords.

The Dyn attack highlights three fundamental developments that have changed the nature of aggregated business interruption for the commercial insurance industry:

1. The proliferation of systemically important vendors

The emergence of systemically important vendors can cause simultaneous business interruption to large portions of the global economy.

The insurance industry is aware of the potential aggregation risk in cloud computing services, such as Amazon Web Services (AWS) and Microsoft Azure. Cloud computing providers create potential for aggregation risk; however, given the layers of security, redundancy and the 38 global availability zones built into AWS, it is not necessarily the easiest target for adversaries to cause a catastrophic event for insurers.


There are potentially several hundred systemically important vendors that could be susceptible to concurrent and substantial business interruption. This includes at least eight DNS providers that service over 50,000 websites — and some of these vendors may not have the kind of security that exists within providers like AWS.

2. Insecurity in the Internet of Things (IoT) built into all aspects of the global economy

The emergence of IoT with applications as diverse as consumer devices, manufacturing sensors, health monitoring and connected vehicles is another key development. Estimates state that anywhere from 20 to 200 billion everyday objects will be connected to the internet by 2020. Security is often not being built into the design of these products with the rush to get them to market.

Symantec’s research on IoT security has shown the state of IoT security is poor:

  • 19% of all tested mobile apps used to control IoT devices did not use Secure Socket Layer (SSL) connections to the cloud.
  • 40% of tested devices allowed unauthorized access to back-end systems.
  • 50% of tested devices did not provide encrypted firmware updates — if updates were provided at all.
  • IoT devices usually had weak password hygiene, including factory default passwords; for example, adversaries use default credentials for the Raspberry Pi devices to compromise devices.

The Dyn attack compromised less than 1% of IoT devices. By some accounts, millions of vulnerable IoT devices were used in a market with approximately 10 billion devices. XiongMai Technologies, the Chinese electronics firm behind many of the webcams compromised in the attack, has issued a recall for many of its devices.

Outages like these are just the beginning.

Shankar Somasundaram, senior director, Internet of Things at Symantec, expects more of these attacks in the near future.

3. Catastrophic losses because of cyber risks are not independent, unlike natural catastrophes 

A core tenet of natural catastrophe modeling is that the aggregation events are largely independent. An earthquake in Japan does not increase the likelihood of an earthquake in California.

In the cyber world consisting of active adversaries, this does not hold true for two reasons (which require an understanding of threat actors).

First, an attack on an organization like Dyn will often lead to copycat attacks from disparate non-state groups. Symantec maintains a network of honeypots, which collects IoT malware samples. A distribution of attacks is below:

  • 34% from China
  • 26% from the U.S.
  • 9% from Russia
  • 6% from Germany
  • 5% from the Netherlands
  • 5% from the Ukraine
  • Long tail of adversaries from Vietnam, the UK, France and South Korea

Groups such as New World Hacking often replicate attacks. Understanding where they are targeting their time and attention and whether there are attempts to replicate attacks is important for an insurer to respond to a one-off event.


A key aspect to consider in cyber modeling is intelligence about state-based threat actors. It is important to understand both the capabilities and the motivations of threat actors when assessing the frequency of catastrophic scenarios. Scenarios where we see a greater propensity for catastrophic cyber attacks are also scenarios where those state actors are likely attempting multiple attacks. Although insurers may wish to seek refuge in the act of war definitions that exist in other insurance lines, cyber attack attribution to state-based actors is difficult — and, in some cases, not possible.

What does this mean for global insurers?

The Dyn attack illustrates that insurers need to pursue new approaches to understanding and modeling cyber risk. Recommendations for insurers are below:

  1. Recognize that cyber as a peril expands far beyond cyber data and liability from a data breach and could be embedded in almost all major commercial insurance lines.
  2. Develop and hire cyber security expertise internally — especially in the group risk function — to understand the implications of cyber perils across all lines.
  3. Understand whether basic IoT security hygiene is being undertaken when underwriting companies using IoT devices.
  4. Partner with institutions that can provide a multi-disciplinary approach to modeling cyber security for insurers, including:
     • Hard data (for example, attack trends across the kill chain by industry);
     • Intelligence (such as active adversary monitoring); and
     • Expertise (in new IoT technologies and key points of failure).

Symantec is partnering globally with leading insurers to develop probabilistic, scenario-based modeling to help understand cyber risks inherent in standalone cyber policies, as well as cyber as a peril across all lines of insurance. The Internet of Things opens up tremendous new opportunities for consumers and businesses, but understanding the financial risks inherent in this development will require deep collaboration between the cyber security and cyber insurance industries.

7 Predictions for IoT Impact on Insurance

We are at an inflection point. The internet is going from controlling information to controlling physical things, which has profound implications for both the global economy and the future of insurance. In this post, I will provide seven predictions for how the Internet of Things (IoT) will change the insurance industry, although ultimately these predictions only scratch the surface as there are few lines of insurance that won’t be affected by cyber risk in the next five to 10 years.

Background on Internet of Things (IoT)

It is estimated that there will be as many as 200 billion everyday objects connected to the internet by 2020. Applications for the IoT are as diverse as consumer devices, manufacturing sensors, health monitoring, connected vehicles, office automation and all the way to fully “smart cities.” The emergence of IoT technologies is a tremendous development that spans all aspects of human existence and could unlock as much as $11 trillion per year in value to the global economy by 2025, according to the McKinsey Global Institute.


What these numbers don’t show, however, is the tremendous physical and financial risks associated with the emergence of having everyday objects connected to the internet. According to the 2016 Symantec Internet Security Threat Report (ISTR), hundreds of millions of internet-connected TVs are vulnerable to click fraud, botnets, data theft and even ransomware, and these numbers are growing rapidly. Cyber attacks on internet-connected devices create systemic risks and the potential for hundreds of billions of dollars in losses. When physical devices can be hacked (and potentially hacked en masse), the potential for major business interruption, physical damage and even loss of life becomes very real.

This isn’t to say we should not pursue IoT technologies. In fact, in many ways, IoT will make society safer, as well as more efficient and convenient. Every year, 1.2 million people die in automobile accidents, and around 90% of those accidents are attributable to driver error, which will decline as more internet-connected vehicles incorporate advanced safety features. However, as internet-connected devices become pervasive in all aspects of our lives, the nature of risks facing consumers and businesses will be fundamentally different.

While the future is uncertain, especially as it pertains to technology, here are seven predictions on how IoT could affect insurers.

  1. Continued Growth of Affirmative Cyber Insurance Policies: According to Lloyd’s of London, cyber attacks cost businesses $400 billion in losses per year, and, by some estimates, cyber crime costs the global economy trillions of dollars per year. The current cyber insurance market, which is focused on data protection, is around $2.7 billion globally. The market has doubled over the past 24 to 36 months, and growth shows no signs of abating. Growth of affirmative cyber insurance data and liability policies, primarily covering costs associated with data breaches, is just a tip of the “IoT iceberg,” as cyber becomes an even more important insurable risk.
  2. Some Core Insurance Lines Will Decline: IoT will change the nature of the risks that consumers and businesses face. For example, according to AT Kearney, features such as advanced driver-assisted systems (ADAS), semi-autonomous vehicles and tracking of stolen vehicles will be deployed in half of the cars on the road by 2025. By some estimates, the global auto insurance market will shrink by 60% or more, where there is a reduction in driver error and a resulting decline in the insurance needed for this risk. As key insurable losses become preventable by IoT, core insurance lines will decline.
  3. IoT Aggregation Risk Starts Pervading a Diverse Set of Insurance Lines: IoT can turn large-scale hacks into global cyber catastrophes. Already, there have been successful hacks on industrial control systems that have led to major physical damage in heavy industries. Fortunately, these incidents have been isolated to “one-off” occurrences, but with key industrial control systems, logistics tracking systems and building automation systems crossing tens of thousands of businesses, the potential for major cross-cutting cyber events is increasing. IoT aggregation risk occurs in insurance lines where it wasn’t previously observed, accounted for or priced into the cost of an insurance policy.
  4. Cyber Peril Exclusions Grow in Commercial Policies: In the years to come, we will see highly public “forcing events” related to cyber attacks on IoT devices. Unfortunately, it is not a matter of if but when we see major IoT cyber hacks. When these events happen, insurers will likely respond by writing in more explicit exclusions for cyber perils in insurance lines such as product liability, property, E&O and other policies. In many cases, insurers are focused on the aggregation risks that exist within their affirmative cyber data and liability policies, when the reality is there is tremendous silent coverage in the rest of an insurer’s portfolio today.
  5. “Cyber Gap” Insurance Policies Emerge: There will be an expanding list of critical cyber perils that won’t be covered under a standard insurance policy. Specialty cyber insurance policies and endorsements will surface to fill in the need for IoT cyber risk coverage. McKinsey estimates that as much as $3.7 trillion in value could be unlocked in factories alone from IoT. Too much value is at stake for clients not to seek coverage from insurers, and the market demand is too large for insurers not to provide this cover, although it will take deep cyber expertise to understand these novel risks.
  6. New Cyber Risk Capital Market Offerings Emerge: Currently, the global insurance market has $4 billion to $5 billion in capacity for nuclear risks and $100 billion for natural catastrophes. Fixing the Y2K bug alone is estimated to have cost $100 billion, and the costs associated with remediating IoT security deficiencies could be very high, particularly when IoT components do not always have a means for remote firmware updates. Given that cyber events represent hundreds of billions of dollars (or more) of potential liability, which have low correlation with other events, there is a role for capital markets providers to step in to help transfer risk. Given initial explorations already happening today, London could emerge as a major market for insurance-linked securities tied back to cyber risk.
  7. Insurers Will Help Drive IoT Security: Consumers aren’t necessarily buying technology products with IoT risk in mind; regulators are struggling to keep up; and in a race to get new products to market, technology companies are often launching products without adequate cyber security in mind. Symantec’s research has shown that 19% of mobile apps used to control IoT devices don’t use SSL connections to the cloud and more than 50% didn’t provide a mechanism for firmware updates, or, if they did, those updates were not encrypted. Given that insurers are taking on the financial risk associated with IoT going wrong, insurers have an important role to play in making sure that the basics are done right for the risks they underwrite.

The emergence of IoT is a tremendous technological development that will create wide-ranging benefits for governments, businesses and consumers. However, it will also propel cyber risk into the limelight as the most important risk of the 21st Century.


As an industry that transfers and mutualizes risk, insurers face far-reaching implications, and there will be both winners and losers. Those that win will have a deep understanding of the evolving nature of cyber risk, leveraging cyber data, intelligence and expertise. Companies like Symantec will have an important role to play in helping to understand evolving threats, which is why we have set up a dedicated Cyber Insurance Group to support our insurer partners.

It is hard to predict the future of technology and the risks that new technology will create with any degree of certainty. What is certain is that where there is risk, there is an opportunity for insurers to provide risk-transfer solutions through insurance products. Just as there is innovation in technology, there will be innovation in insurance as both industries come together to unlock the potential of the Internet of Things.