In this second part of our Cyber Special, we look at new cyber threats, new occupations, and how technology can help develop new insurance products.
Elliott Thompson, Principal Security Consultant at SureCloud, a cyber security and risk management firm, highlights this problem:
“One example of the increased risk relates to stolen credentials. Previously only a limited number of credentials would allow an attacker to remotely access a network; most staff didn’t need the access. Today, many staff passwords could let an attacker through the front door. This increased risk has inevitably triggered a rise in cyber insurance premiums as businesses’ security postures change in response to the pandemic. With cybersecurity insurance, the policies most providers offer largely cover the attacks we’ve seen and expect to continue seeing. However, it is important to also be aware these policies typically excluded attacks resulting from out-of-date software.
As attacks continue to increase, we’re likely to see a steady rise in uptake in cyber insurance and insurers themselves attempting to reduce their risk by imposing more strict cybersecurity requirements on customers.”
Not quite joining the dots on the tech side of WFH is part of the problem, as Brandon Akal from Blue Frontier notes:
“Entire workforces have been forced, either by legislation or by medical necessity, to move from office-bound to work-from-home. For the most part, this move has been far too quick, and without any qualified or validated plan or process. This has resulted in “makeshift” environments that, in most cases, do not have the same level of security that traditional office environments would.
Instead of having robust and “as-secure-as-can-be” VPN or software-defined perimeter remote access solutions, some organisations have implemented less secure means of remote access, usually RDP. These less-than-secure methods of remote access have not had the time to be configured correctly or had their security assessed. This makes them “low-hanging fruit” for criminal elements.
The exponential increase in email-delivered malware has been attributed to the chaotic work-from-home explosion. Criminal elements have sought to take advantage of the fear that is thriving in this pandemic.
By not ensuring robust IT solutions and IS policies are in place as a standard practice, we have inadvertently placed ourselves in a situation where we have had to spend a lot of time and money playing catch-up. This has undoubtedly created a vastly uneven playing field and ensured that the cyber risk landscape has become more treacherous and harder to navigate than ever before.”
NEW PRODUCTS NEED TO BE WRAPS
Yes, we love a wrap here at IE magazine, and the same principle applies with cyber cover – getting all those problems associated with a cyber breach wrapped up in one product makes sense.
G&M International recently launched their new cyber product and the real value of it for bigger companies is the 24/7 back-up it provides. The G&M insurance package provides cover in the event of a security breach including protection for legal and regulatory costs, IT security and forensic costs and crisis communication costs.
Most crucially the cover also includes a 24-hour incident response service in partnership with Charles Taylor Adjusting, providing companies with rapid support when an event occurs, potentially saving a company thousands in lost income and reputation.
BROKER OPPORTUNITIES FOR SME/SOLE TRADER
Not every company is a big multi-national, and many of us now work from home, effectively as sole traders, or small limited companies. In the USA Chubb has just launched its Blink Cyber product, an easy way to address that home working gap. It’s available for customers of Chubb’s affinity and digital broker partners. For about the cost of a cup of coffee each month, consumers can purchase $10,000 in cyber protection coverage for one household. Increased coverage limits can be purchased for extended protection for up to five additional households to protect consumers’ shared digital worlds. Visit www.blinkinsured.com for more if you trade in the USA.
Lockton is one of several UK brokers to recognise that companies of every size have a fair bit of intangible capital tied up in their online reputation. Lockton noted last year that:
“To protect a company’s brand and reputation, management should regularly scan the environment to detect significant social movements outside the business early. To protect human capital, companies need to systematically and periodically articulate procedures and organise regular knowledge sharing and related data capture. This will avoid that if team members depart, the expertise is lost. To protect intellectual property, organisations are deploying a range of cyber protection measures as well as stricter employment contracts.”
Tom Harvey, European Head, Risk and Analytics Solutions at Guidewire, commented:
“Big themes for cyber insurance this year are:
- Continued growth in ransomware attack frequency and severity is starting to hit the profitability of cyber insurers, leading many to reduce limits, tighten policy wordings and even withdraw from the market altogether. This, coupled with strong demand from insureds for cyber insurance policies, is leading to a substantial increase in rates.
- New carriers typically focused on an ‘analytics first’ policy such as Coalition and At-Bay are taking substantial market share from the more established carriers. Only time will tell whether their greater use of analytics to underwrite cyber risk will pay off in terms of long-term profitability.
In terms of the other topics:
Crypto-hacking – while this makes for an interesting headline within the mainstream media it’s not something we track as the impact on businesses is negligible. I’ve also not heard of any cyber insurance claims coming as a result of this type of event – so it’s outside of what we’d typically be looking to quantify.
Claims arising from fraud can impact both individuals and corporates. With corporates, this type of event usually is categorized as social engineering whereby an individual is tricked into wiring money to a criminal group. There has been a small increase in these types of social engineering attacks, the hypothesis being that working from home makes people more susceptible to these types of attacks. Note from a cyber insurance perspective often this type of loss is covered under a crime policy and not cyber.
In terms of the impact on individuals – I have heard anecdotally that there has been a substantial rise in cyber-crimes whereby hackers are impersonating banks, governments and other organizations and successfully obtaining fraudulent payments from vulnerable people. However if I’m honest this isn’t something we’re tracking as there isn’t really a substantial market for personal lines cyber insurance. This is because in most cases the liability for fraudulent losses falls on the bank / building society / health care provider etc. that the individual uses, and not the individual themselves.
Other notable incidents – the SolarWinds attack, despite having a minimal impact for the insurance industry in terms of loss, is another reminder of the systemic nature of cyber as a peril. This means insurers need to be prepared for both the one-off targeted claims as well as the potential accumulation events which can add as a significant burden on the cost of capital.”
NEW OCCUPATIONS, NEW RISKS
For brokers looking to develop cyber products, it is wise to note the Lockton insight that different niches often have different types of activists targeting those companies, or NGOs, online. But activists also target and successfully cancel individuals online – often ending careers.
For charities, government departments or companies, the risk can be managed by a team, an HR strategy and various software systems to monitor the flow of data. For an individual, it is a different process and often one person simply does not have the expertise or time to engage in cyber audits and AVG updates.
So individuals working as brand ambassadors, vloggers, or members of the Commentariat all face the same risks. They come down to this: serious harm to brand reputation via cyber attack and financial loss, plus potential legal action. Given that an Instagram influencer may be earning £50,000 per year from company endorsements, that reputation is well worth insuring. One tweet or Instagram post could take all that sponsor revenue away, lead to an expensive libel case and more. This new online influencer role, and the cyber threats surrounding it, is something that brokers can build on.
There is even the value of physical appearance to consider, since that may be digitally altered by cyber attackers, leading to a loss of sponsorship for a celeb involved in a slimming/beauty product promotion for example.
Despite these changes, cyber insurers with scale and in-house security expertise are well placed to help their customers navigate the challenges that the heightened threat environment presents – and this will be the most marked difference between cyber providers in what is currently a proper ‘in or out’ class.
While scanning clients for weaknesses as part of the underwriting process is commonplace in the cyber market these days – with the intent of determining the security maturity of a company – only a handful of insurance providers are going one step further, and leveraging the expertise of their in-house security team to proactively work with clients on remediating those vulnerabilities. Cyber insurance remains one of the only products in the insurance market that goes to work the moment a client binds their policy.
Cyber insurers are also better positioned than anyone else to confirm which vulnerabilities have the most catastrophic impacts and can make sure that their customers receive the highest priority threat alerts to avert the most dangerous attacks. It’s something CFC is devoting an incredible amount of energy and resource to this year, helping policyholders to stay one step ahead of the criminals, while providing businesses of all sizes with access to a full-grade security and response team.