The Two Sides of Cybersecurity
Robert Regis Hyle | April 18, 2017
Insurers have been hiring chief information security officers (CISO) for the better part of this century and in today’s world it’s uncommon to find an insurance carrier without someone manning that position. But on the product side, where insurers have been busy developing new cyber products, insurers have a skills gap, according to Adam Thomas, advisory principal in Deloitte's cyber risk services practice.
“Somebody who has been dealing with property insurance or business interruption insurance doesn't necessarily understand cyber issues,” he says. “Insurers have hired information security specialists, but it may be a lower-level individual (than a CISO). They need to get more robust and have deeper knowledge about cybersecurity on the product side of the business.”
When Deloitte surveyed insurers for their report, “Demystifying Cyber Insurance Coverage” the information showed there remains a silo between an insurer's own CISO and the product group dealing with cybersecurity coverage, according to Sam Friedman, insurance research leader, Deloitte Center for Financial Services and co-author of the report.
If an insurer is underwriting cybersecurity as a product, they don't necessarily collaborate with those on the CISO team. Insurers are looking for the latest news on the threat actors and the vectors they are taking, so the question becomes is that information being shared with the underwriting side of the house or is it in a silo.
“One question we raised is whether there a better way to operate for insurers, who are not just purveyors of cyber risk but also victims of attacks,” says Friedman. “Is there a better way to share knowledge to protect themselves and help loss control and risk assessment if they are writing cyber insurance?”
One obstacle insurers deal with is a fear of aggregation risk—the idea they are taking on more risk than they can swallow, according to Friedman. Cloud vendors that offer web hosting services are storing data offsite and if there is a breach of the cloud the question is could this be like a cascading loss where it hits thousands or even hundreds of thousands of accounts on that cloud and trigger coverage through a whole series of policies rather than the work of an individual hacker coming after an individual player.
The cloud provider or any shared-service provider should have coverage of their own, but without knowledge of how big a risk the provider assumes itself, how good is their coverage, asks Friedman. “You can't assume that because a third-party has its own policy you can hit them up for compensation,” he says.
Another complication, according to Thomas, is more often than not the security of the environment is actually the customer's responsibility. Cloud providers provide capability for customers to configure the security—the firewalls and the control lists around which cloud services can talk to other cloud services—so if an event happens in a cloud environment who is at fault.
“Many of these cloud environments have exposed configuration capability to their own customer,” says Thomas. “They provide the tools to do that for the customer.”
From the buyer's side, many companies don't have cyber insurance and one reason for this is the buyers don't understand or appreciate the breadth or depth of their exposure, according to Friedman.
“They certainly don't understand the insurance options available to them,” he says. “Cyber risk is spread out over a number of policies. Some bigger policies are comprehensive, but there also is cyber risk exposure in product liability and business interruption.”
It's not only hard for the buyers to get their heads around the subject, but Friedman points out that while large brokers may have enormous resources and expertise, independent agents likely don’t have a total grip on the issue themselves.
“It's hard for them to create an educated buyer,” he says. “It's an evolving risk that is changing every day.”
Thomas points out there is a significant shortage of talent in the cybersecurity space, particularly among insurers focused on mid-sized companies or brokers. When you look at the opportunity in front of the cybersecurity professionals, they may feel there is a more exciting way to go than working with a broker or a smaller insurance company.
How Much Coverage
Thomas believes companies need to start with a risk assessment to understand where the risk exposure lies within their company relative to cybersecurity. A merchant's primary risk exposure, for example, may be customer information around who their customers are and the payment mechanisms they use for goods and services.
“If you are a pharmaceutical manufacturer, you likely don't have a lot of credit card information, but what you do have is clinical trial information—who's trying the drugs, what their experience is, profiles of the individual lifestyle,” says Thomas. “Or you may be concerned about the industrial control factors with the companies that produce the drugs. It all starts with a comprehensive risk assessment to understand where the exposure is and then a conversation about the mix of controls and the type of insurance needed to deal with the controls.”
When Deloitte speaks with its clients about cyber risk management, Thomas explains the conversation generally focuses on three areas:
- The things you do to secure your environment. Implementing firewalls and intrusion detection that will alert people when an anomalies are happening
- Things that involve vigilance. This is a changing environment on a minute-by-minute basis—the attacker changes, the models change. What is considered good security today might not be considered good security tomorrow. Good vigilance is about understanding where changes are occurring.
- Resilience—having the right capabilities in place to deal with a cyber event to minimize brand reputation and financial loss. Practice in advance of an event happening. It has to be muscle memory to respond to it.
There are two sides to the question of expense when it comes to cybersecurity, points out Friedman. If you are talking about bigger insureds they may buy stand-alone coverage. From the small business side, one concern Deloitte is hearing from rating agencies is insurers in a soft market are frequently adding cyber coverage to small business coverage without adding any premium. The concern is whether those insurers have properly assessed the risk and are they reserving for it properly. In that case it's very inexpensive.
When discussing the dearth of data and people not having a good handle on how big this risk is, Friedman points out that goes for the buyer as well as the seller. Several questions arise, including: Is the premium reasonable for what they are offering? How much out-of-pocket expense will the buyer get stuck with? What is the deductible?
“We are really feeling our way through the equation,” says Friedman.
If a cyber event happens and it hits the press there is not a lot you can do other than try to control the message, according to Thomas. Insurance isn't necessarily going to help with reputational risk, but part of the risk assessment means understanding the exposure and where cyber insurance fits.
Friedman points out that directors of big public companies are making sure the management team is on top of this issue. “It’s so hard to underwrite given the dearth of data and it's so unpredictable because entry points are expanding with the growth of IoT,” he says. “You have more potential entry points for hackers. So you can't underwrite because the predictive model is based on a critical amount of data that doesn't exist yet.”
Historical data doesn’t always help because it doesn't take into effect new threats and new vectors. If you provide a holistic service—not just risk transfer—and help the policyholder as their risk manager directly or in partnership, that might give an insurer the edge because it eliminates the possibility of loss, it helps the insured to have a more risk-resistant policyholder in place, and it cements the relationship to help take care of the risk. If the worst does happen, insurers may help their policyholder to recover quickly so the incident doesn't become a serious loss.
“Don't just peddle a policy,” says Thomas. “Peddle a solution.”
- Property & Casualty Insurers Raise Digital Games as COVID-19 Elevates Customer Expectations, J.D. Power Finds
- Electronic Chat with Bobbie Shrivastav
- Meet the Board: Marissa Buckley
- Big Data and Insurtech: A Carrier Perspective
- Traditional Insurers Need Open Ecosystems, Partnerships to Remain Competitive, CapGemini Report Finds
- Electronic Chat with John C. Siegman
- 4 Ways AI is Empowering Insurers During COVID-19
- 6 Big Changes to Insurance from the COVID-19 Crisis
- Electronic Chat with Christopher Ewing
- Independent Agency Staff Morale High During COVID-19, New Survey Finds
- Electronic Chat with Brad Epker
- Tapping AI to Improve Policyholder Experience
- Electronic Chat with Manisha Bhargava
- ITA Pro Magazine, March/April 2020
- COVID-19 a Game Changer for Workers’ Comp
- Electronic Chat with Steve Comer
- COVID-19 Pandemic Forces Cancellation of ITA LIVE 2020
- Leveraging Digital Resources in the Time of COVID-19
- Electronic Chat with Robert Hartwig on COVID-19 and Insurance
- Celent Study: Most Small Businesses Still Unclear on Importance of Cyber Insurance
- The January/February 2020 ITA Pro is here!
- Deloitte: New C-Suite Roles Mean More Opportunities for Women
- Electronic Chat with Pankaj Parashar
- Electronic Chat with Tara Kelly
- Electronic Chat with Chuck Wilson
- ITA, InsNerds Collaborate to Enhance ITA LIVE 2020 Content and Coverage
- How SMBs Can Compete in Digital Ecosystems in the 2020s
- 4 Ways Insurance Can Prepare for New Data Privacy Laws
- Brewer Lane Ventures Launches and Hires Insurtech Vet Martha Notaras as Managing Partner
- 2020 GIA Cohort Launches on January 14
- The November/December 2019 ITA Pro is here!
- Electronic Chat with Joshua Snead
- Electronic Chat with Wendy Aarons-Corman
- Simplifying the Move to a Third-party Print Provider
- Take a Business-Driven Approach to Continuous Improvement for Core Systems and Processes
- Electronic Chat with Ron Glozman
- Guidewire’s Data Guru Mike Byam on How Insurers are Using Internal and Third-Party Data
- Electronic Chat with Russ Bostick
- Electronic Chat with Rock Schindler
- Electronic Chat with John Siegman
- Electronic Chat with Martin Burlingame
- Insurtech Landscape 2019: Top 5 Takeaways
- Grinnell Mutual Tackles Massive Transformation -- in Stride
- A Candid Conversation with Paul Mang
- SageSure Insurance Managers Improved Competitiveness by Consolidating Payments to a Single Digital Platform
- Digital Does Matter in Insurance-- And Insurers are Missing the Mark
- The 22nd-Century Insurer: Taking a Cloud-First IT Approach
- The September/October 2019 issue of ITA PRO magazine is now available in digital format here:
- ITA Pro Magazine May/June 2019
- Spotlight on the 2019 IASA Conference
- ValueMomentum Selects Erie as Site of Regional Development Center
- Capgemini and Majesco Become Alliance Partners
- Electronic Chat with Dr. Dan Shoham
- Electronic Chat with Todd Greenbaum
- Martha Notaras: The “Outsider” with an Amazing Inside View
- Electronic Chat with Larissa Tosch
- Martha Notaras Will Join ITA LIVE 2019 as a Keynote Speaker
- Five Things to Consider When Evaluating Your Cyber Risk
- ITA Pro Magazine, January/February 2019
- Synergy Between Insurers' IT and Analytics Teams Key to Operationalizing Insights, Says Novarica
- Major Ransomware Attack Could Hit U.S. with $89B In Economic Damages
- ITA Announces 1st of Three Keynote Speakers at ITA LIVE 2019
- Electronic Chat with Jeroen Morrenhof
- Legacy Systems Are Dead. Really? Don't Count On It.
- Now Accepting Nominations for the 2019 ITA Bridge Awards
- It's time to register for ITA LIVE!
- Registration is Now Open for ITA LIVE 2019!
- What to Expect from a Digital Experience Platform Implementation
- ITA Pro Magazine September Edition is Now Available
- It's National IT Professionals Day
- Save the Date for ITA-LIVE 2019
- OneShield Software and UrbanStat Work Together to Improve Real-Time Analytics and Risk Decision-Making
- ITA LIVE 2019 - SAVE THE DATE!
- Insurance Technology Association Announces New Editor-in-Chief
- August 2018 Edition ITA Pro Magazine is Now Available
- Enterprise Architecture in an Agile World
- Top 10 Tips for Securing Your Mobile Devices and Sensitive Client Data
- Industry Insight: 4 Global Insurance Trends in Digital, Data, Content Services and Security
- Diving Deeper into Prioritizing Your Strategic Digital investments
- Why Content Rules
- How Mass Personalization Will Open the Small Business Benefits Market
- At Year End 2017, Will Your Organization Be Protected from Cyber Risks?
- Do Insurance Bots Dream of Mitigating Risk?
- Conditioned to Respond
- Managing & Mobilizing Insurance Data in a Connected World
- Race to the Finish Line
- New Tools, New Opportunities in Claims
- ITA LIVE: Reaching Insurance Industry Crossroads
- Advice to Insurance IT Leaders: Keep Your Eye on the Ball
- New Date, Venue for ITA LIVE 2017
- Guidewire Makes Major Push to Small and Midtier Market by Acquiring ISCS
- Insurance Disruption is Happening Right Now
- Insurity Adds Strategic Investment Partner, General Atlantic
- Beyond Transformation: The Convergence of Finance, Risk, and Actuarial Functions
- The Rapid Evolution of Consumer Protection Regulation
- Talent Hunt: Finding, Attracting, Retaining Top People
- Insurers Flexing Their Distribution Models
- Technology Driving Disruption in Insurance
- Fear of ‘Next Bubble’ Challenges Life, Annuity Carriers
- Technology Allows Commercial Lines Insurers to Stand Out
- Single Sign-on Viewed as Biggest Tech Challenge for Agencies
- ISCS Observes 20th Anniversary; Scurto Predicts Major Changes Ahead
- Policyholders and Their First Impressions
- Progressive Making Progress on the UBI Front
- High and Dry: Insurers Search for Disaster Recovery Plans
- Insurers Sign The (Un)Dotted Line
- Reflections of a Retired Insurance CIO
- Mobile Device Management Just One Answer to BYOD Issue
- Lessons from GEICO and Progressive on Winning the Critical Buying Stage
- You Are a Target for a Cyber Attack
- Web-based Systems are the Next Evolution in Claims Technology
- Gaining a “Wow” Experience from Web Users
- Time to Shift from Business/IT Alignment to Business/IT Alliance
- Healthcare Insurers Changing to Consumer Model
- Organization is the Key for Selecting Software Vendors
- Analysts Expound on the Needs of the Mid-tier Insurance Market
- Finding the Cure for Obamacare’s Website
- New Software Solutions Benefit Insurers on the Inside and Outside
- Products, Market Impede Investment in Systems for Life Insurers
- Combatting Cyber Threats: Predict, Prevent, Persist
- The Future of Telematics Heads Beyond Insurance
- The Shame in Cyber Security Lapses
- Building Policy Administration Systems for the Future
- Insurers Look Into The Eyes of Their Policyholders
- It’s a New Dawn for the ITA
INSURANCE IT NEWS
- Veruna Forms Strategic Partnership with Insuritas
- BrokerTech Ventures and InsureTech Connect Announce Strategic Alliance
- MSO Promotes Megan Townley
- Investment in Risk Management Systems Booming, New Study Finds
- Origami Risk Appoints Sean Salvas Senior Marketing Strategy Lead
- Messagepoint Announces Availability of a Connector for Sefas’ Customer Communications Management Solution
- Property & Casualty Insurers Raise Digital Games as COVID-19 Elevates Customer Expectations, J.D. Power Finds
- Pie Insurance Raises $127 Million in Latest Financing
The Email Chat is a regular feature of the ITA Pro magazine and website. We send a series of questions to an insurance IT leader in search of thought-provoking responses on important issues facing the insurance industry.
ITA LIVE 2020
ITA LIVE 2020 –SAVE THE DATE!
April 5th – 7th, 2020
The Diplomat Resort
Become a member today to receive updates – www.itapro.org/MR
BLOGS AND COLUMNS
COVID-19 has said to insurers, “It’s time to move... READ MORE
Without a very strong focus on data as a strategic and vital corporate asset, insurers will struggle to keep up with the necessary changes in the “new... READ MORE
You have surely heard it said that small businesses are the growth engine for America. Today, the phrase has a special ring to it for benefits... READ MORE
With stagnant growth and lingering low interest rates, the life insurance industry faces a challenging future... READ MORE
Finding insurance carriers willing to write commercial lines risks has always been a challenge for producers... READ MORE
As Guidewire Software prepares for the start of Connections, its 11th annual user conference that begins on Nov. 2, Brian Desmond, chief marketing... READ MORE