The next shift in cyber insurance that brokers need to track in 2019

Ground-shaking earthquakes might topple buildings and displace communities, but they also bear some resemblance to the scale of cyber incidents witnessed in the past year that crippled networks and exposed consumer data, according to one cyber expert.

In some parts of the world, earthquakes are routine with smaller quakes occurring frequently and the larger, more devastating earthquakes spread out over longer periods of time.

“You know that sooner or later, you will have big earthquakes so you have to plan your insurance strategy based on the fact that these really big quakes come along and you know they’re coming, but it’s very hard to predict exactly when they will occur,” said Mike Lloyd, chief technology officer for network cybersecurity analytics platform RedSeal, which works with over 200 global corporations and government agencies. “I look at [2018’s] breaches very much on that scale, that it does seem like every year we have a breach somewhere in the hundred thousand to a million records lost – usually one or two of those – and then one really standout breach for the year that will have even higher numbers.”

While cyber crime generally saw a sharp uptick in 2018, there are other factors at play that have resulted in a flood of breaches coming to light this year, namely rules and regulations that are getting companies to be transparent when a breach does take place.

“In the last year, we had GDPR finally come into full force, and that has forced an awful lot more organizations to disclose an awful lot more breaches, and so the data shifts,” said Lloyd. “The first thing that makes it move are disclosure laws and not really the activities because a lot of these breaches were secret up to this point.”

For organizations and their insurance brokers who are looking to defend against both cyberattacks as well as the fallout from cyber incidents when they inevitably occur – and the number of companies and their boards who are becoming aware of the need to prepare for this eventuality is increasing, according to Lloyd – they have to determine which category of cyber criminal is after them.

“We can roughly categorize attackers into two broad camps: the nation-state, very well-funded organizations who are motivated by things like national interest or espionage,” explained Lloyd, as well as the people who are committing cyber crime for economic gain. Any insured entity has to figure out which one they’re more concerned about. A regional electricity generating company connected to a grid that runs nuclear power facilities will be more concerned about nation-state actors than actors trying to steal credit card numbers, while an online retailer has the reverse problem. The tactics, techniques, and procedures necessary to prepare for and respond to attacks from different types of criminals vary greatly, Lloyd told Insurance Business.

“How you have to defend yourself and the expectations for whether you’ll be breached vary a lot whether you’re more the target of nation-state [hackers] or the target for the thieves trying to make money the most efficient way they can,” he said, adding that awareness around the need for cybersecurity preparedness has grown. Ten years ago, companies were trying to plug every gap in their defensive walls that was springing a leak with a new product, whereas today, “most organizations have now realized you cannot expect perfect protection. You can try and harden your defenses – that’s still a good idea – but ultimately you have to plan that your defenses will be breached and once you adopt that mindset, you start thinking about it differently. You start thinking about resilience, which means you care about how well you can recover from a breach, but you also care more about insurance,” explained Lloyd.

With the cyber insurance market set to double by 2020 as companies prepare to spend more than ever on their cyber insurance, according to Munich Re, the high buyer demand is clear and brokers are responding well to their clients’ needs, though the offerings still have a way to go, in part because the industry as a whole continues to be nervous about the risks in the space, for good reason, said Lloyd.

“The product that [brokers] end up giving their customer is complicated because of the tower of policy they have to buy,” he explained, adding that buyers want high levels of coverage and because no insurer is willing to take that on, brokers have to put together an often unwieldy stack of insurance products to fill that need.

“Many insurers have now entered the market with some kind of cybersecurity coverage, so it’s very common to have some kind of limited product that has a limited premium and a limited payout,” said Lloyd. “But, the limits are low so the kind of coverage that the buyers want to purchase on the market is so much larger than what any individual insurer is willing to take on. We’re seeing market forces work out very well and this is how it should evolve. We’ve gone from buyers not really sure they need the product to buyers now wanting more of the product than sellers are willing to underwrite and this is good, but where are we in this evolution? We’re at the stage where insurers can’t assess the risk.”

To take it back to the earthquake example, an insurer can balance their book of business between companies with structures in earthquake-prone regions and those in safer locations. Not so for cyber.

“In earthquakes, we know how to assess how similar buildings are to each other based on where they’re located geographically, and we know how to assess how well built they are so if they’re in an earthquake zone, we know what kind of engineering codes to follow. Neither of these is true in the cyber space, so we’ve got all these people who want to buy cyber insurance and the insurers’ problem is they don’t have the heritage of seismologists for cyber, so there’s a lack of key information and without that the insurers have to write these small products today,” said Lloyd.

Going forward, brokers should keep an eye on how the industry will assess clients’ cybersecurity postures. Today, there are various exterior assessments an insurer can do on a company via third-party services that will provide a score of how ready that organization is for a cyber incident.

“The big change for brokers to be tracking is to watch as the insurers start to work from outside-in to inside-out perspective, so instead of using external scans, these lightweight third-party reviews of looking at the internet footprint of company X and giving you some kind of score, something that you can expect to see coming out is a lot more attempts to say, we’re going to have some people or software that will go onsite at the company and actually do an inspection on the inside of that network and look at what’s likely to happen in a serious incident,” said Lloyd, drawing a comparison to assessing fire preparedness in a physical building, where more information can be gathered from inspecting the inside of the building than simply taking photos of the structure from across the street.

“It is the next shift, it’s the important thing for brokers to be tracking into 2019 – expect the industry to move away from these external lightweight assessments, the ‘photograph from across the street’ risk assessment of someone you’re going to try to write insurance for, over into a deeper analysis that involves going onsite physically or virtually to look at an organization.”



It’s time for insurance companies to realize the opportunities in blockchain

Understandings about data and the risks of ownership are changing, thanks to the growing popularity of technologies like blockchain and the Internet of Things (IoT). While the insurance industry’s interest in data collection and privacy is piquing, with some organizations participating in partnerships focused on exploring blockchain’s use cases, such as the RiskBlock Alliance, there’s still plenty of room to realize the opportunities found in new technology focused on data.

“In the insurance industry, we’re just beginning to understand how a technology like blockchain could offer greater security protection for data,” said Robin Westcott, vice president of government affairs, legal and compliance of the American Association of Insurance Services (AAIS), and a moderator at the upcoming Emerging Risks & Innovation Summit in New York. “We are very siloed organizations inside of insurance – even inside of companies, there are siloes of data – which creates an environment [where] it’s very taxing and tolling on a company to understand and to secure their data, but to also understand who’s using their data.”

Many insurance companies use outsourced third-party vendors who receive and manage their data, and oftentimes, it’s not the insurance organization’s security controls that are the most vulnerable, but those of the third-party vendors.

“Things like blockchain, which would allow us to have more security around our own data and be able to only allow access for certain transactions under smart contracts, could really move us towards being able to break this cycle of really not understanding and being able to control the access and availability of our data,” said Westcott.

The industry won’t just struggle with the emerging risk of how the mass of data coming from an increased use of IoT devices will be secured. Insurance companies operate in a highly regulated environment, which can make it doubly difficult to implement new ways of handling and securing data collected from, for instance, wearable technology devices, into underwriting activities, while making it transparent to regulators that this new technology didn’t lead to an unfair advantage or discriminatory practice.

“It’s a double-edged sword for insurance companies because not only do they have to worry about the security of this new data, but how are we even going to use this?” said Westcott, explaining that blockchain could give insurance companies a greater ability to control and secure that data. “Under a blockchain environment, it’s not necessarily raw data that you’re sharing or that you are exposing – it is some of the insights into your raw data that you’re exposing, and that’s a big difference.

“It’s different than sending a file that contains all of this data to a third party, to a regulator, to be able to examine. It’s a great deal different to allow through smart contracts some information to be exchanged without necessarily exposing the raw data in the process. We really have to examine – and now is a great time for us, it’s the perfect opportunity – to start looking at how we actually can be collaborative and more transparent to give us greater security.”

During a panel on data, privacy and cyber underwriting at the Emerging Risks & Innovation Summit, experts will in part explore the developing regulatory environment around consumer protection and how companies can be responsive in their technology solutions to address this issue when managing data.

“Instead of looking at this as a problem, look at it as an opportunity,” said Westcott, adding that it’s not just about filling another insurance policy, “but actually looking at data in our industry, the usefulness of it and the way we use it, and the way we are able to connect it. I think that having that dialogue is very important.”

InsuranceBusinessAmerica