The key cyber trends keeping insurance professionals up at night

The insurance industry needs to stay on top of this risk, and help clients effectively manage exposures

By Alicja Grzadkowska

Cybercrime is on the rise, as are the financial impacts on businesses that become victims of cyberattacks, with Cybersecurity Ventures projecting that the global cost of cybercrime will grow to $6 trillion by 2021.

In this environment, cyber insurance has become a valuable risk transfer and risk mitigation tool for companies across the board. Even over the past year, there were evolutions in the cyber insurance space, from continued expansions of coverage for business interruption and system failure resulting from cyberattacks, to heightened focus on silent cyber, according to experts at CNA Canada.

“We’re seeing a lot of discussion around silent cyber, meaning where cyber exposure might exist in an insurer’s portfolio outside of actual cyber policies,” said Terri Mason-Benjamin, AVP of professional liability and cyber at CNA Canada. “You might have some non-affirmative coverage, for example, under a property policy when physical damage resulting from a cyberattack causes a fire. That’s something the insurance industry is looking at closely.”

“There is also a lot of discussion around the topic of cyber as a peril. Rather than covering all exposures related to cyber under a cyber policy, consideration needs to be given to treating cyber as a peril which needs to be addressed under multiple coverage lines.”

On the claims side, CNA Canada has seen an uptick in ransomware claims, which shouldn’t surprise anyone considering the sophistication of ransomware available on the black market today, as well as the follow-on business interruption claims after a cybercriminal strikes, explained Jelena Cvetkovic, claims specialist in specialty and financial lines at CNA Canada.

Shelley Ma, associate director of cyber investigations at cybersecurity firm KIVU, echoed those findings, telling Insurance Business that ransomware is one of the key types of cyber incidents the company sees. In fact, 70% of the cases KIVU works on are related to ransomware, while the second most common threat is business email compromise.

“That typically involves some sort of phishing scam where the actor was able to gain access to an executive’s mailbox, and subsequently is utilizing their mailbox to conduct further nefarious activities, like additional scam campaigns or running social engineering from within their compromised mailbox for wire fraud or other types of social engineering attacks,” explained Ma.

Statistics Canada reported in March 2019 that 58% of businesses undertook activities to identify cybersecurity risks and only 5% of Canadian businesses reported not having any cybersecurity measures in place. Even so, there continue to be major vulnerabilities within companies’ four walls that expose them to cyberattacks. The human element, for one, plays a central role in increasing a company’s cyber risk.

“We have a saying in the cyber world that the weakest link in the chain is what’s sitting behind the keyboard,” said Ma. In fact, the impact of human error is so significant that it is reflected in the underwriting of cyber risk.

“If you look back six, seven, or eight years ago when we were underwriting cyber risk, we were focusing very much on IT security and how well networks were protected,” said Mason-Benjamin. “Fast forward to today, and we’re realizing that’s still a very important factor, but human error also accounts for a significant proportion of breaches. From an underwriting perspective, we’ve started to ask a lot more questions around awareness, training, and what the culture is internally in an organization around cyber risk – is it something that’s addressed at the board level, and who does the IT director report to?”

Creating a culture around cyber awareness does more than prevent employees from clicking on suspicious emails. It can likewise mean that when incidents do occur, they’re brought to the attention of the right stakeholders quickly, which can minimize damage.

“In a lot of organizations, people are either embarrassed or afraid that if it gets discovered they clicked on something they shouldn’t have, they may get reprimanded or it’ll be detrimental to their career,” said Imran Ahmad, a partner at Blake, Cassels & Graydon LLP with expertise in cybersecurity, IT, privacy, and technology. “More often than not, we’ll have situations where had it been reported earlier on and there were good compliance mechanisms where this would’ve been detected, the impact would’ve been mitigated significantly.”

Pre-breach planning can play a major role in rapid detection and response to a cyber incident, which can lower the costs of resolving the issue by as much as five times, added Ahmad. The more prepared a business is to handle a cyberattack, the faster it can identify the problem and get back on its feet, which means fewer resources are used and the organization sees less operational disruption.

Looking ahead, underwriters need to keep up with the pace at which cyber risk is evolving, which Mason-Benjamin identifies as one of the key hurdles that insurance professionals have to deal with in this space.

“One of the biggest challenges facing cyber underwriters today is the speed of change – not only the speed at which coverage is evolving, but also the way the world is changing,” she said, pointing to the Internet of Things and artificial intelligence, both of which are creating new cyber risks. “Staying abreast of that and making sure that we continue to evolve our underwriting approach in parallel to the ways in which this risk is evolving is going to continue to be a big challenge going forward.”
