Accounting for Cyber Risks - How much does Cyber actually cost the Insurance Industry?
Jef Lacson
CPA, CISA, CIA, CLSSGB, CII-Award, FICD, MBE, ASEAN CPA | Regional CFO | Driving Digital Finance Strategies in Emerging Markets (Asia & Pacific)
A presentation made to the 2018 Asian Insurers’ CFO Summit, held in Island Pacific Hong Kong on 25 May 2018
Cyber
We've been using the word Cyber in different contexts, but do we really know the definition of cyber? For a CFO, accounting requires defining the subject and establishing its criteria and coverage.
Googling it will lead you to different words, because Cyber is commonly used as a prefix - cyber-talk, cyberspace, cyber fashion, cyber risk, cybercrime, cyber security and many others.
The closest and most authoritative definition is from Webster, which describes cyber as "relating to, or involving computers or computer networks – such as Internet".
This is closer to our perception, as we treat cyber as synonymous with "Internet", unless we follow the Greek etymology, which would mean "control systems".
Cyber in Insurance
Cyber was introduced to insurance when we started working with computers. And today, the insurance industry is faced with this powerful new shaping force that is moving nearly every aspect of modern business from analog to digital.
Coming from an age of manual entry, paperwork and process reliance, we are now experiencing the birth of a new era in digital business – the IT-enhanced insurance.
Sooner or later, we will move to digital insurance platforms and products, where insurance is more customer-centric (a bespoke policy for every individual) and machine-dependent in activities & learning (machine-automated reporting and assessment).
Truly, cyber can create fascinating new possibilities for insurers. But what will the effect be on our financials? Believe it or not – it can lead us to higher revenues and lower costs.
Based on Bain and Google analysis, a prototypical German insurer that continuously uses digitalization can expect premium receipts to rise by about 28% in five years, with most of the increase coming from gains in market share.
By operating more efficiently, the insurer will be able to lower its costs, reduce its prices and thereby attract more customers. At the same time, the company will be able to use some of the money saved from its new technologies to invest in more digital innovation—forming a virtuous cycle.
Cyber Risks
While digitization is bringing many benefits to businesses, it also introduces a new set of concerns – cyber risk. As technology drives the transformation to digital business, the opportunities for disruption increase, both from within the industry and from new and often unexpected external threats.
We, as insurers, are very much aware of that fact, which is why in almost all surveys for the industry, cyber risk is the top business / operational risk:
· 2017 top global risk to insurance, Insurance Banana Skins survey (CSFI/PwC)
· 2018's most dangerous risks for insurers (Willis Towers Watson)
· 2018's Top operational risks (risk.net)
A relative newcomer to the scene, cyber risk has risen sharply, with concerns about both crime and underwriting risk. This risk is seen to be exceedingly urgent due to an ever-growing volume of insurers' business coming from digital channels.
Actually, we even consider it a bigger threat than regulation, which regularly occupied the top position in previous years – maybe because Solvency 2, the EU's massive regulatory initiative, is now in place.
An Industry Disruptor & Force
Cyber / Technology trends, such as the rise of mobile and pervasive connectivity, data and machine learning, and the Social Network of Things, will crash traditional barriers to entry and expansion, and will accelerate the speed of change within our markets.
Putting the trends on a time horizon shows that most insurers are still far from AI, augmented reality & blockchain, as we are witnessing a slow but certain evolution. These disruptive technologies and other external market forces will soon have a consequent impact on insurance business and operating models, once they become widely used.
Industry Vulnerabilities & Compliance State
Unfortunately for us, cybercriminals are shifting targeting strategies - from retail, online dating, banks. Insurers are becoming an attractive target for cyber criminals, because of our rapid digitization and accumulation of data.
The comparatively lax regulatory landscape for insurance cyber risk further aggravates the situation, with most of the compliance initiatives observed in developed markets in the US & Europe:
· NAIC - Principles for Effective Cybersecurity Insurance Regulatory Guidance
· France - L'Autorité de Contrôle Prudentiel et de Résolution (ACPR) categorizes supervision related to cyber risk under Information System (IS) control
· European Cyber Law- NIS directive identifying operators of essential services, including Financial Industry
· CBI - Increasing Focus on Cyber Security Threat
· Germany- The supervisory examination of the management of cyber risk is usually performed through on-site inspections
· UK- CBEST tests and adopt individual cyber resilience action plans
· Singapore - Industry-wide simulated cyber simulation
· APRA - Will check insurance industry preparedness for cyber-attack in 2016
· Netherlands - Benchmarking for cyber risk management
Such are very evident in the recent cyber incidents involving the industry - where our data is most
· 2 American Health Insurance Companies- Credit Card & PII Breach; 91m policy holder information
· An American State- Data Server Compromised; Workers compensation claimants
· 2 German Insurer Group- DD4BC – DDoS for BitCoin; Company web servers
· A French Insurer- Internal penetration testing; Unauthorized Access to Accounting Tools
· French mutual insurance company- Internal data theft; Identity theft and false claims
· Netherlands Insurer- CEO Hack; phishing cyber attack
· London-based private healthcare group- Data Breach
But these incidents are just the tip of the iceberg, because there are unpublicized incidents from organizations that want to avoid losing face and potential brand damage, and because there is limited regulation mandating publication of cyber incidents.
Reported incidents are small compared to undetected breaches. Looking at the % of breaches happened within minutes but 8hes takes weeks to discover.
Focusing on the industry, according to Nef Financial Services, in 2015 the Top Cyber Techniques in Insurance Sector are as follows:
1. Malware (58%)
2. Phishing (33%)
3. (33%)
4. (25%)
5. Others (33%)
Resolving the top 3 concerns will cost us from $350,000 to $1.2m, according to 2017 Accenture Cost of Cybercrime Study. This is despite the 11% increase in global spending for cyber security for the past two years.
How do Insurers handle cyber incidents & losses? According to 19th Global Information Security Survey 2016-17 for Insurance Sector of global firm EY:
1. 83% of insurers will only increase budget if there is an attack
2. 71% think it cannot happen to them
3. 82%: most common cause of attack is careless employees
But with the incidents that are happening worldwide, it's safer to assume that we have already been breached – with over 28 Billion spent on IT security in 2014, still over 90% of organizations were breached, according to Brian Krebs of Krebs on Security.
Cyber Risk Insurance
Based on of specialist writers, cyber insurance is quite profitable for the moment, with 80 percent of respondents reporting combined ratios lower than 80% for the most recent 12-month period, considering that the majority are also using reinsurance to manage their exposures.
Thus, for the $2.5B cyber insurance premiums we are , we are keeping $500m for a $150b exposure, which represents 4-8% Insurance penetration. Still a big opportunity for growth, considering the $400B global exposure the 10-20% of "reported" exposure.
How much does Cyber actually cost the Industry?
The income/revenues we are reaping from savings, cyber insurance margins and premium increases offset our expenses on cyber investments and cyber security. However, the situation will change if a cyber incident occurs, where years of earnings can be wiped out just to cover immediate costs and part of the slow-burn costs.
Cyber risk is part of our growth as an industry
As we grow and move onto a digital platform, cyber risks have grown so exponentially in recent years that even traditional sectors such as transport and agriculture are now dependent on the continuous, secure and uninterrupted flow of reliable data. At the same time, businesses around the world are becoming more interdependent, meaning that cyber risk has moved from being company-specific to systemic.
Cyber criminals are also catching up. They have become increasingly sophisticated - they are now offering fraud-as-a-service on social media.
For us insurers, incidents can harm the ability to conduct business, compromise the protection of commercial and personal data, and undermine confidence in the sector.
As , we need help to understand and quantify the risk that cyber threats pose to our operations and reputation – and what we need to put in place today to meet the challenges of tomorrow.
As CFOs, we are more concerned with the financial impact on the company, whether it is preventive expense (purchase of cyber security tools, insurance coverage) to build cyber resilience through comprehensive incident response plans, or post-incident cost - immediate (forensic investigation, extortion cost, public relations) and cost to resolution (regulatory fines, third party litigation).
Finance is also impacted by external incidents - meaning clients / intermediaries being involved in cyber-attacks, as this threatens our premiums and/or may compromise our payments for claims.
Insurance & Digitization
“The Insurance Industry needs to embrace digital technologies as part of its core DNA. Only then can it take full advantage of the opportunities it gives them to think smarter by sensing and predicting opportunities, act faster through true business agility, and create an approach to business to quickly take advantage of new circumstances. The rise of new competitive threats from companies born outside the rules of the traditional Insurance Industry makes this need for even more imperative.
In short, the Insurance Industry needs to become a digital business – today, to be relevant in the future.”
-NTTI3
References: Please refer to slide presentation footnotes