Much of the narrative which has surrounded cyber insurance during the COVID-19 pandemic has emphasised how the surge in remote working will inevitably lead to a significant increase in claims. For Graeme Newman (pictured), chief innovation officer at CFC Underwriting Ltd, however, the core takeaway of the pandemic is more nuanced than this as he believes the greatest change that lockdown has brought is an increased awareness that the real critical dependencies people possess are their technology, not their physical premises.
“[It is estimated] that over 90% of the world’s insurance spend is spent on protecting physical, tangible assets,” he said. “That’s always been strange to me, since the world has changed beyond recognition in the last 20 years, with the technology revolution. And, in that timeframe, the value of the world’s intangible assets has grown to far outstrip the value of the world’s tangible assets. And yet, we spend most of our insurance money on protecting the physical.
“So I think business’s perceptions have changed, their perceptions now mirror more what the reality is, which is that we’re 100% reliant upon our data, and our systems. And if we don’t have access to those, we simply can’t work - whereas our physical buildings and premises have become slightly redundant.”
Looking at CFC’s cyber claims, Newman noted that the big change has not been increased claims frequency, which is always ticking up when it comes to cyber, but rather the changing nature of criminal activity. Around 18 months ago, the focus was on business email compromised scams such as wire transfer fraud and social engineering, and now the focus is on ransomware. There is an interesting juxtaposition between the real-word virus that everyone is so focused on right now and the behind-the-scenes epidemic taking place in the digital world.
The problem with ransomware, he said, is not just that rogue-nation states and criminals are stealing billions of dollars from businesses, but also that the economic damage they create by doing so is an order of magnitude bigger. For every billion they steal, they are creating perhaps 10 billion or more in economic damage through the disruption this causes to the profitability of businesses, to their systems and to their data. This is the real problem and thus it is the number one focus for CFC.
As recently as three years ago the value of a typical extortion demand would number in the mid-hundreds to low thousands, he said, but now there are routinely million-dollar extortion demands. This shift underlines the necessity of proactive cyber insurance solutions. The question has always been how can an insurer write a policy today that lasts 12 months when the threat landscape evolves so quickly, and proactive measures are the only feasible solution.
When it comes to the need for proactive navigation of cyber risk, he said, the cyber insurance sector is quite similar to the property insurance sector. There is a dynamic risk control environment within a home that changes daily depending on the precautionary measures that the insured individual has undertaken, whether that’s through locking the front door or setting the alarm. Similarly, when it comes to cyber, a business could be secure one day and the next open up an RDP port to allow remote connections into the network.
“The difference is that there’s no good technology right now capable of remote working the dynamic risk of a whether I’m leaving doors or windows open, and frankly I wouldn’t want it anyway,” he said. “But the great thing about cyber as a class of business is that we have the capability to see that at scale and to keep an eye on every single one of our businesses and to see when they open windows or don’t lock things.
“The real difficulty is that criminals can do the same thing. And that’s exactly what they are doing. So, whereas with physical crime the threat environment is pretty constant… when you connect online, you are now available to the world’s criminals and they are using tools and techniques to scan and find you at scale. It’s essentially the virtual equivalent of knocking on windows and doors to see whether they’re open. So that’s the bottom line, I think - that businesses in the cyber world are not targeted because they’re valuable, they’re targeted because they’re vulnerable. And that is what a lot of small businesses miss.”
Given the substantial changes impacting the market and given that a price was fixed 12 months ago for a risk that looks completely different today, if proactive risk management techniques are not employed then claims will get out of control. Having operated in the cyber market for the best part of 16 years and seen the world of IT security from a range of perspectives, Newman said, he has seen a softening market, with rates coming down and coverage getting broader. We’ve always known that had to change one day, he said, and it looks like that day might be here.
Read more: CFC boosts cyber incident response
“The market has changed in a very short space of time,” he said. “The cyber market is definitely hardening and we’ve seen some mainstream carriers pull out of the class. A lot of people are very nervous about ransomware, [especially] if they don’t have that capability to scan customers at scale and do something about it – it’s one thing scaling, it’s another thing getting them to close that virtual door or window.
“And that’s why we bought an incident response company, we acquired Solis Security last year, and we acquired ThreatInformer early this year to give us a real step up in scanning capability. I honestly don’t know how insurers can compete in this market if they don’t have that capability.”