The Two Sides of Cybersecurity
Robert Regis Hyle | April 18, 2017
Insurers have been hiring chief information security officers (CISO) for the better part of this century and in today’s world it’s uncommon to find an insurance carrier without someone manning that position. But on the product side, where insurers have been busy developing new cyber products, insurers have a skills gap, according to Adam Thomas, advisory principal in Deloitte's cyber risk services practice.
“Somebody who has been dealing with property insurance or business interruption insurance doesn't necessarily understand cyber issues,” he says. “Insurers have hired information security specialists, but it may be a lower-level individual (than a CISO). They need to get more robust and have deeper knowledge about cybersecurity on the product side of the business.”
When Deloitte surveyed insurers for their report, “Demystifying Cyber Insurance Coverage” the information showed there remains a silo between an insurer's own CISO and the product group dealing with cybersecurity coverage, according to Sam Friedman, insurance research leader, Deloitte Center for Financial Services and co-author of the report.
If an insurer is underwriting cybersecurity as a product, they don't necessarily collaborate with those on the CISO team. Insurers are looking for the latest news on the threat actors and the vectors they are taking, so the question becomes is that information being shared with the underwriting side of the house or is it in a silo.
“One question we raised is whether there a better way to operate for insurers, who are not just purveyors of cyber risk but also victims of attacks,” says Friedman. “Is there a better way to share knowledge to protect themselves and help loss control and risk assessment if they are writing cyber insurance?”
One obstacle insurers deal with is a fear of aggregation risk—the idea they are taking on more risk than they can swallow, according to Friedman. Cloud vendors that offer web hosting services are storing data offsite and if there is a breach of the cloud the question is could this be like a cascading loss where it hits thousands or even hundreds of thousands of accounts on that cloud and trigger coverage through a whole series of policies rather than the work of an individual hacker coming after an individual player.
The cloud provider or any shared-service provider should have coverage of their own, but without knowledge of how big a risk the provider assumes itself, how good is their coverage, asks Friedman. “You can't assume that because a third-party has its own policy you can hit them up for compensation,” he says.
Another complication, according to Thomas, is more often than not the security of the environment is actually the customer's responsibility. Cloud providers provide capability for customers to configure the security—the firewalls and the control lists around which cloud services can talk to other cloud services—so if an event happens in a cloud environment who is at fault.
“Many of these cloud environments have exposed configuration capability to their own customer,” says Thomas. “They provide the tools to do that for the customer.”
From the buyer's side, many companies don't have cyber insurance and one reason for this is the buyers don't understand or appreciate the breadth or depth of their exposure, according to Friedman.
“They certainly don't understand the insurance options available to them,” he says. “Cyber risk is spread out over a number of policies. Some bigger policies are comprehensive, but there also is cyber risk exposure in product liability and business interruption.”
It's not only hard for the buyers to get their heads around the subject, but Friedman points out that while large brokers may have enormous resources and expertise, independent agents likely don’t have a total grip on the issue themselves.
“It's hard for them to create an educated buyer,” he says. “It's an evolving risk that is changing every day.”
Thomas points out there is a significant shortage of talent in the cybersecurity space, particularly among insurers focused on mid-sized companies or brokers. When you look at the opportunity in front of the cybersecurity professionals, they may feel there is a more exciting way to go than working with a broker or a smaller insurance company.
How Much Coverage
Thomas believes companies need to start with a risk assessment to understand where the risk exposure lies within their company relative to cybersecurity. A merchant's primary risk exposure, for example, may be customer information around who their customers are and the payment mechanisms they use for goods and services.
“If you are a pharmaceutical manufacturer, you likely don't have a lot of credit card information, but what you do have is clinical trial information—who's trying the drugs, what their experience is, profiles of the individual lifestyle,” says Thomas. “Or you may be concerned about the industrial control factors with the companies that produce the drugs. It all starts with a comprehensive risk assessment to understand where the exposure is and then a conversation about the mix of controls and the type of insurance needed to deal with the controls.”
When Deloitte speaks with its clients about cyber risk management, Thomas explains the conversation generally focuses on three areas:
- The things you do to secure your environment. Implementing firewalls and intrusion detection that will alert people when an anomalies are happening
- Things that involve vigilance. This is a changing environment on a minute-by-minute basis—the attacker changes, the models change. What is considered good security today might not be considered good security tomorrow. Good vigilance is about understanding where changes are occurring.
- Resilience—having the right capabilities in place to deal with a cyber event to minimize brand reputation and financial loss. Practice in advance of an event happening. It has to be muscle memory to respond to it.
There are two sides to the question of expense when it comes to cybersecurity, points out Friedman. If you are talking about bigger insureds they may buy stand-alone coverage. From the small business side, one concern Deloitte is hearing from rating agencies is insurers in a soft market are frequently adding cyber coverage to small business coverage without adding any premium. The concern is whether those insurers have properly assessed the risk and are they reserving for it properly. In that case it's very inexpensive.
When discussing the dearth of data and people not having a good handle on how big this risk is, Friedman points out that goes for the buyer as well as the seller. Several questions arise, including: Is the premium reasonable for what they are offering? How much out-of-pocket expense will the buyer get stuck with? What is the deductible?
“We are really feeling our way through the equation,” says Friedman.
If a cyber event happens and it hits the press there is not a lot you can do other than try to control the message, according to Thomas. Insurance isn't necessarily going to help with reputational risk, but part of the risk assessment means understanding the exposure and where cyber insurance fits.
Friedman points out that directors of big public companies are making sure the management team is on top of this issue. “It’s so hard to underwrite given the dearth of data and it's so unpredictable because entry points are expanding with the growth of IoT,” he says. “You have more potential entry points for hackers. So you can't underwrite because the predictive model is based on a critical amount of data that doesn't exist yet.”
Historical data doesn’t always help because it doesn't take into effect new threats and new vectors. If you provide a holistic service—not just risk transfer—and help the policyholder as their risk manager directly or in partnership, that might give an insurer the edge because it eliminates the possibility of loss, it helps the insured to have a more risk-resistant policyholder in place, and it cements the relationship to help take care of the risk. If the worst does happen, insurers may help their policyholder to recover quickly so the incident doesn't become a serious loss.
“Don't just peddle a policy,” says Thomas. “Peddle a solution.”
- Enterprise Architecture in an Agile World
- Top 10 Tips for Securing Your Mobile Devices and Sensitive Client Data
- Industry Insight: 4 Global Insurance Trends in Digital, Data, Content Services and Security
- Diving Deeper into Prioritizing Your Strategic Digital investments
- Why Content Rules
- How Mass Personalization Will Open the Small Business Benefits Market
- At Year End 2017, Will Your Organization Be Protected from Cyber Risks?
- Do Insurance Bots Dream of Mitigating Risk?
- Conditioned to Respond
- Managing & Mobilizing Insurance Data in a Connected World
- Race to the Finish Line
- New Tools, New Opportunities in Claims
- ITA LIVE: Reaching Insurance Industry Crossroads
- Advice to Insurance IT Leaders: Keep Your Eye on the Ball
- New Date, Venue for ITA LIVE 2017
- Guidewire Makes Major Push to Small and Midtier Market by Acquiring ISCS
- Insurance Disruption is Happening Right Now
- Insurity Adds Strategic Investment Partner, General Atlantic
- Beyond Transformation: The Convergence of Finance, Risk, and Actuarial Functions
- The Rapid Evolution of Consumer Protection Regulation
- Talent Hunt: Finding, Attracting, Retaining Top People
- Insurers Flexing Their Distribution Models
- Technology Driving Disruption in Insurance
- Fear of ‘Next Bubble’ Challenges Life, Annuity Carriers
- Technology Allows Commercial Lines Insurers to Stand Out
- Single Sign-on Viewed as Biggest Tech Challenge for Agencies
- ISCS Observes 20th Anniversary; Scurto Predicts Major Changes Ahead
- Policyholders and Their First Impressions
- Progressive Making Progress on the UBI Front
- High and Dry: Insurers Search for Disaster Recovery Plans
- Insurers Sign The (Un)Dotted Line
- Reflections of a Retired Insurance CIO
- Mobile Device Management Just One Answer to BYOD Issue
- Lessons from GEICO and Progressive on Winning the Critical Buying Stage
- You Are a Target for a Cyber Attack
- Web-based Systems are the Next Evolution in Claims Technology
- Gaining a “Wow” Experience from Web Users
- Time to Shift from Business/IT Alignment to Business/IT Alliance
- Healthcare Insurers Changing to Consumer Model
- Organization is the Key for Selecting Software Vendors
- Analysts Expound on the Needs of the Mid-tier Insurance Market
- Finding the Cure for Obamacare’s Website
- New Software Solutions Benefit Insurers on the Inside and Outside
- Products, Market Impede Investment in Systems for Life Insurers
- Combatting Cyber Threats: Predict, Prevent, Persist
- The Future of Telematics Heads Beyond Insurance
- The Shame in Cyber Security Lapses
- Building Policy Administration Systems for the Future
- Insurers Look Into The Eyes of Their Policyholders
- It’s a New Dawn for the ITA
INSURANCE IT NEWS
- Tower Selects EIS Group’s Insurance Platform to Drive Transformation
- NTUC Income Selects Majesco Distribution Management and Majesco Digital Solutions to Advance its Distribution Management Operation
- Emerson Reid Modernizes Its Business Processes With VUE Software
- Octo Telematics Powers CAA MyPace™ Pay-As-You-Go Program
- Announcing the Solartis Insure Microservice Hackathon
- DataCubes Completes Plug and Play Tech Accelerator Program
- Medical Mutual of Ohio Implements One Inc Digital Payments
- SUNZ Insurance in Production with Sapiens’ Workers’ Compensation CompSuite® Policy System
The Email Chat is a regular feature of the ITA Pro magazine and website. We send a series of questions to an insurance IT leader in search of thought-provoking responses on important issues facing the insurance industry.
ITA is pleased to present the 2014 Webinar Series. We have many topics for you to choose from and attendance is open to all ITA members. The webinar topics are current and exciting — ranging from predictive analytics to telematics and will focus on the direction insurance carriers need to follow for the future. All webinars are presented by insurance IT professionals along with some of the leading analysts and consultants in the field. There is no cost to attend an ITA webinar. For more information and to register for the webinar, click the “title” of the webinar below.
BLOGS AND COLUMNS
It has become a common refrain over the past few years to view the practice of enterprise architecture (EA) as something that time has passed by, much... READ MORE
One important trend in society over the past decade is our increasing ability to create and consume a seemingly unlimited amount of digital content... READ MORE
You have surely heard it said that small businesses are the growth engine for America. Today, the phrase has a special ring to it for benefits... READ MORE
With stagnant growth and lingering low interest rates, the life insurance industry faces a challenging future... READ MORE
Finding insurance carriers willing to write commercial lines risks has always been a challenge for producers... READ MORE
As Guidewire Software prepares for the start of Connections, its 11th annual user conference that begins on Nov. 2, Brian Desmond, chief marketing... READ MORE
Fraud detection has always been and will continue to be a critical component of claims management. Learning the lessons from current claims Straight... READ MORE
- Vendor Views