The following is an editorial by Alicja Grzadkowska, senior news editor at Insurance Business.
Amid all of the impacts that the coronavirus pandemic has had on businesses, governments, and individuals, the turn to remote work and subsequent increase in cyber risks has been one of the key issues that, in turn, has revealed the ways in which cyber insurance has yet to adequately address many insureds’ needs.
A recent report by cybersecurity vendor Netwrix found that since organisations have switched to remote work as a result of COVID-19, four of the top six types of cybersecurity incidents they experienced have been caused by internal users. Those four were accidental mistakes by admins, accidental improper sharing of data by employees, misconfiguration of cloud services, and data theft by employees. In fact, cyber challenges across the board have only grown more extreme in the context of the pandemic, as more employees work from home, potentially on a permanent basis.
As a result, commercial and personal cyber risks have grown exponentially. The latest Russian-led cyberattack on US federal agencies demonstrates the threat that state-sponsored bad actors pose, while throughout the year, data breaches and ransomware hits resulted in events like the Twitter hack involving high-profile individuals, the attack on Blackbaud that had consequences for universities, and the hack of Canon. Meanwhile, in Australia, the Redland City Council has encountered an “unprecedented level of ransomware attacks” during COVID-19, while in the UK, Members of Parliament (MPs) have been targeted so often by malicious actors through email that it is estimated MPs receive nearly three million unscrupulous emails every month.
Even outside of the pandemic, businesses have been feeling the pressure of beefing up their data privacy and protection practices as they face increasingly punitive regulation should they slip up and expose Personally Identifiable Information (PII). In fact, the Government of Canada has now proposed a revamp of Canadian privacy laws, which will strengthen user rights in today’s increasingly digital world and put private companies further under the regulatory spotlight. Regulations in many other countries have already been shored up in recent years and will likely continue to develop in light of the growing cyber and privacy threat.
The cyber-related hurdles that businesses, as well as personal insureds (who in many parts of the world face heightened ID and credit fraud), now encounter on a daily basis have, however, not been adequately addressed by the cyber insurance marketplace, according to many experts.
For instance, we’re now three years past the Petya and NotPetya cyberattacks, where almost 90% of the total industry losses were attributed to silent cyber exposures, according to Allianz Global Corporate & Specialty (AGCS), yet patching silent cyber exposure is still on the to-do list for the re/insurance industry. Specialty reinsurance broker Gallagher Re recently called for this issue to be a priority because “non-affirmative exposure causes uncertainty for clients, reputational damage for the insurance industry, and costs through delays in claims disputes and settlements,” said Jennifer Braney, consultancy lead and cyber broker at Gallagher Re – a point that has been proven many times over thanks to damaging and devastating cyberattacks.
Challenges remain in many cyber marketplaces around the world. The US cyber insurance market is not keeping up with the cyber risk needs of small businesses, and there remains a significant disconnect between insurers and the small business community, according to Cyberscout experts, while in the UK, cyber leaders have advised that insurance providers need to stop blaming brokers and start designing products that are truly fit for the modern cyber landscape. On a global basis, the Carnegie Endowment for International Peace’s new report, “War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions,” noted that although cyber insurance can act as a key tool in addressing pervasive cybersecurity vulnerabilities, “Cyber insurance is not yet mature enough to fulfill its potential, partly due to uncertainty about what kinds of cyber risks are, or can be, insured.”
Alongside providing cyber insurance that is fit for purpose and adequately addresses the cyber risks that exist today, risk management also needs to be taken more seriously by everyone – from the biggest corporations that have proven they’re not immune to cyberattacks (including social media giants like Twitter), all the way down to the one-man businesses that need to have controls in place to ensure that their already weakened bottom lines from the pandemic don’t take further hits.
In this environment, brokers and agents need to be putting cyber at the top of their discussions with clients (both personal and commercial), especially as 2021 will likely bring even more sophisticated attacks and cyber risks to the forefront. Conversations on cyber mitigation and risk transfer should be as ubiquitous as conversations about protecting a bricks-and-mortar business from a fire or finding appropriate homeowners’ coverage – and for this to happen, the insurance coverage options need to be there in the first place. Consequently, a focus on developing insurance solutions that actually reflect the scale of cyber risk should be a key priority for insurers around the world.
The pandemic has already proven the damage that can be caused when societies are not prepared for looming risks that are left unacknowledged by insurers and broader society. When it comes to cyber, however, the industry has had plenty of warning. As insurance companies figure out how to address pandemic-related exposures within coverages, they should likewise revisit cyber wordings to make sure that, should a pandemic-level cyberattack occur, insureds won’t be left holding the bag.