Welcome to cyber insurance's teen years

Welcome to cyber insurance's teen years | Insurance Business

Welcome to cyber insurance

For the record, Steve Robinson loves the teenagers living in his house very, very much.

But you don’t have to be the parent of a teenager to know that sometimes they can be a little challenging to deal with while they sort out things like discovering who they are.

“They’re great kids, but sometimes with the irrational behaviors and the moodiness… it can be unpredictable,” he said.

Then there’s the issue of influencers: who the teenager might be listening to, what kind of impact are those influencers having on how the teenager behaves, things like that. Keeping on top of who those influencers are and what impact they’re going to have on your children – and, by extension, you – can be a challenge, too. 

But if there’s a silver lining to raising a teenager through good days and bad, it’s this: it’s great preparation for dealing with the rapidly changing world of cyber insurance.

“As cyber insurance reaches relative adolescence, the mood swings, the search for identity, irrational behavior, drained wallets and limit-testing mirror what parents see in their own children’s development,” said Robinson, national cyber practice leader for Risk Placement Services (RPS), one of the nation’s largest specialty insurance product distributors. “We now have a teenager in the house — get ready, the real fun is just beginning.”

How so? Take the changing nature of the threats that organizations are facing. Up until a few years ago, most of the threats that came from outside their systems were in the form of phishing attacks – attempts to steal valuable information (like, say, a company’s client database full of financial information) for the purpose of selling it to third parties.

Then, industry observers like Robinson saw a massive jump in the number of ransomware attacks, a type of attack where victims are shut out of their systems unless they agree to pay a ransom to their attackers. “They’ve moved from stealing information to restricting access to essential infrastructure,” Robinson said.

This shift in attack patterns isn’t just a change in strategy; it can have major implications beyond the organization’s immediate productivity issues.

Robinson cited the recent example of a school district in the US that was prepared to return to in-person classes after many months of online learning for its students… only to metaphorically turn the buses around at the last minute when a ransomware attack on the school district’s systems made it impossible for them to re-open schools. Aside from the financial and reputational costs to the school district as it tried to get back online, the financial and emotional costs to the students, teachers and parents involved are incalculable – especially after so much in-person instructional time had already been lost.

Adding to the challenges of combating cyber security threats is the relative lack of data about cyber attacks compared to other, more conventional sources of damages that insurers can use to help protect their clients – clients who often show widely different levels of awareness when it comes to protecting themselves against cyber attacks.

“You can have anything from a business that has no backups to a business that does backups but unfortunately those backups are in the same environments as the network that was accessed, and now they (the attackers) have access to both your network and your backups,” Robinson said.

“We’ve had incidents where people back up to the cloud and guess what, they have a folder on the desktops marked ‘Passwords.’ It’s like leaving the keys to your house on the front porch.”

If there is one way in which teenagers and the cyber insurance market differ it’s that we can be reasonably confident a child’s teenage years will someday end. The cyber insurance market makes no such promises, which is why it’s so important for the insurance industry to do its homework.  

“We’re asking more questions, and asking more informed questions,” he said. “Not just about spam filters and firewalls, but multi-factor authentication. How are organizations restricting remote access to networks? What are organizations doing to make that more difficult to do? How is the data backed up and segmented? And when attacks happen, how are organizations recovering from them?” 

 What insurers can do to help their clients right now is to put in the work as “parents” to ensure this ever-evolving cyber liability “child” we’re all raising will grow up to lead a good and productive life – but don’t expect that to happen right away.

“I think we’re going to be in this for quite some time as the market continues to figure out the best ways to do this,” he said. “There’s no silver bullet. The market will stabilize but we’re not there yet.”

Read The Evolution of the Cyber Insurance Market: Welcome to the Teenage Years here.