The ubiquity of wireless connections between objects appears to be a digital utopia in the here and now. Thermostats think, manipulate and manage a multiplicity of domestic devices, streaming real-time operational data to their makers. ‘Intelligent’, interlinked machines and heavy industrial tools render work more efficient and ‘learn’ as they operate. Vehicles automatically download the latest software iterations from their manufacturers to boost performance and pre-empt mechanical problems before they even occur – all the while registering precisely where they are.
Sounds wonderful, doesn’t it?
And yet, in this brave new world planes can now be hacked, as can oil tankers and off shore rigs. Financial institutions and entertainment companies can see their data compromised and shared beyond their customer base because every smart, connected device may be a point of network access, a target of hackers, or a launch pad for cyberattacks.
The paradox is that in such a world our machines, constructions and products are autonomous, yet connected at the same time. It is a strange concept to grasp, yet grasp it we must if we wish to maximise the opportunity and minimise the inevitable risks.
UK-based data analytics pioneer Russell Group is primarily focused on this risk aspect and how it potentially impacts on its underwriting clients – and their clients. As a business it has been at the forefront of a debate asking the question, ‘How does the connected nature of risk today cut across traditional vertical industrial structures such as aerospace, shipping, off shore energy and, increasingly, financial services?’
Woefully, modelling industry-agnostic cyber risks is at a nascent stage of development. Not one of the leading commercial risk model players currently offers a model to diagnose – let alone prognosticate – cyber risks.
Recent cyber hacks that have inflicted significant operational and reputational damage on targets such as Target and Sony are concentrating insurance minds on the security risks in this connected world.
All functions and, from an underwriting point of view, potentially all speciality insurance classes need to be reassessed for vulnerabilities heralded by the Internet of Things.
We at Russell Group see cyber as an enterprise risk and hence in the same arena as political risk, and supply chain and trade credit risk. Our risk management software and other solutions are designed to serve such risk. Typically, speciality classes operate within a ‘risk silo’, while cyber and other enterprise risks are cross-silo or cross-class.
We think cyber risk sets will be available in the future that will adequately reflect the nature of historical events and could be licensed independently of any software model needed to run them.
All companies large and small need to carefully assess their security and how it affects multiple functions, with IT continuing to play a key role in implementing best practices for data and network security. That is all very well, but it still does not address a key concern for (re)insurers, which is the supply chain risk and the wider aggregate exposure.
An organisation or individual can protect their own interests to a certain extent, but their ability to conduct a security audit on all their suppliers and partners is a different matter entirely.
This is a theme that Russell Group has been exploring with increasing regularity in conversations with speciality (re)insurers in the last 18 months. Enterprise-connected risk solutions can help address the absence of a workable standardised cyber risk model.
In a cyber environment in which
PwC estimates that annual gross written premiums are set to increase from around $2.5bn today to $7.5bn by the end of the decade, we are going to need a workable model soon.
We have become used to the idea of an earthquake or windstorm causing large financial losses and human misery, so it takes time to adjust to the idea that a human typing on a laptop or the loss of an unencrypted memory stick might cause the same level of threat.
The reality, however, is that cyber connectivity is an existential threat to insurers’ balance sheets and those of their clients. It is surely time for insurers, the government and risk managers to address the issue collectively – before it is too late.
