Cyber Security & Insurance – where do we even start?
Nigel Walsh
Living at the edge of Insurance & Technology | Head of Global Insurance at ServiceNow | #makeinsurancelovable
Due to the recent and hugely public spate of cyber ‘events’, the world of cyber security, and subsequently cyber insurance, is firmly in overdrive. According to the UK Department for Innovation & Skills, 81% of large businesses and 60% of small businesses suffered a cyber-security breach in the last year, and the average cost of breaches to business has nearly doubled since 2013.
We have all seen the headlines, from Sony last year, to British Airways earlier this month, to the French TV channel TV5Monde. The severity and importance of each of these has a material impact not only on their ability to do business, but also on their brand and reputation in the eyes of customers, employees and partners alike.
Sony was clearly hugely public, by far one of the biggest and most public breaches I have seen hit the news for a long time. It was all over most news channels, causing outcry from customers and employees, some of whom threatened to sue their employer or former employer for failing to protect their data. Sony has of course suffered many attacks, including one that took down its PlayStation online platform for days on end. As for BA, the first I heard of this was an email saying ‘someone has accessed your account – please come and change your password!’ This is the brand that I trust with my personal details, my location and much more.
Finally, TV5Monde seems particularly worrying to me. In a scene that reminded me of the wonderfully played Elliot Carver from 007’s Tomorrow Never Dies, the media giant was quite simply disabled: their TV taken off air, their public online presence taken over and more. An attack of this scale and power simply highlights what Hollywood has been portraying for years (remember Die Hard, where they take over the airport by hot-wiring a few cables nearby!). Interestingly, subsequent reports again point to human error here – a TV interview showing passwords stuck to Post-it notes and more.
If we are in any doubt about the frequency, scale and impact of attacks, I found a great website (www.informationisbeautiful.net) recently that visualises some of the data breaches by year, industry and size, reason and more; see here for the full interactive chart.
So what is it?
Cyber threats have been defined by many; however, as with many other critical business issues, lots of other things are being added to the overall ‘cyber’ definition. The recent report from the UK Government on UK cyber security: the role of insurance talks through both the threat and, importantly, the opportunity for insurers.
The World Economic Forum, in its 10th Annual Global Risks Report, places cyber risks up with water crises and natural catastrophes, and ahead of WMD, infectious disease and fiscal crisis, in terms of likelihood of occurrence. Given what we have all experienced in the last recession, I don’t think we could have a stronger wake-up call.
Figure: Top Global Risks According to the World Economic Forum
For now, and certainly as I write today, there is only a small correlation between cyber-attacks and loss of human life. However, as we become ever more connected through the IoT (or IoE), future devices will all be connected. In the latest report, the government has said that 14bn objects are already connected to the internet, 40m of them in the UK. By 2020, it could be as many as 100bn worldwide.
The upside of being able to monitor your heart pacemaker or your insulin levels from an app is already upon us; ‘wearables’ is the buzzword for 2015. When these devices move from monitoring to controlling, the threat only increases. Compare a cyber-attack at a local level with shutting down a hospital, an airport or a city traffic system, or taking over a driverless car or an airplane – it’s far too easy to paint a picture here.
What’s the role of the Insurer in all of this?
The insurance provider has a huge role in this, not only in picking up the pieces when an event occurs, but across the entire lifecycle. At the outset, we have an opportunity to better educate the market on cyber risks in general, to create insurance capacity for such events, and ultimately to better prepare ourselves for the ongoing advancement and frequency of attacks.
This goes far beyond Cyber Essentials, to better prepare SMEs and large enterprises alike. This is not about collecting a badge; this is the time to get ready for a battle. Not just a battle against cyber threats, but a battle for your reputation and brand. A brand that says to your employees, customers and partners: you can trust me with your information – I have a plan in place that’s tried and tested! The government scheme has covered the bare minimum essentials, but this is like passing your driving theory test. We need expert drivers here to navigate roads no one has previously seen.
The UK, and the London Market specifically, is already well placed given its deep experience in insuring against speciality risks. However, capacity in the market will continue to increase as the threats and the frequency of events increase, giving rise to new, more tailored products and opportunities for the entire market. How long will it be before we all have our own personal cyber insurance policy?
Move to prevention rather than cure
We need to better help organisations truly understand the cost of putting things right after the event. As an example, some estimate that the Target breach in the USA has cost the company north of $100m to correct. In their first earnings call after the event, they stated: “The breach resulted in $17 million of net expenses in the fourth quarter, Target said, with $61 million of total expenses partially offset by the recognition of a $44 million insurance receivable.”
Hindsight is wonderful, but perhaps a fraction of this spent upfront would have saved this money and, importantly, the time to focus on the business strategy rather than remedial work.
Reputation, Reputation, Reputation
It’s already been widely discussed, but insuring an organisation’s reputation is challenging for a number of reasons. Of course almost anything can be insured; however, defining what the impact is, and then working out what you need to be covered for, will no doubt bring additional challenges when the thing being covered is something most would describe as intangible. The Insurance Times has a good piece here on this.
More importantly, what’s the short-, medium- or long-term impact and value of the reputational damage? Take your favourite or most used retailer, and give them all your personal financial data and shopping habits. They then suffer a breach – how likely are you to use or recommend them again? Maybe you would forgive them for one breach, but what if it happened again? It’s too easy to move. I read that in the UK you are now more “likely to suffer a theft from your bank than a physical burglary”.
Does this impact your future choice? How long does it take you to re-establish trust with your customers, employees and partners?
Typically, reputation risk is ~5–20% of the cost of a cyber event. In reality, however, it’s the gift that can keep on giving that no one really wants.
What if you are an online-only business? What if you were the one who disrupted your market through technology, and now that has been taken away from you? You don’t have the luxury of physical outlets as a backup or alternative part of your business plan. Dealing with other kinds of loss, such as shoplifting, has been part of physical retail since it began; those losses, however, were isolated to individual locations.
SMEs especially are not as well equipped. On one hand, digital opens up access for anyone to create a new business; on the other hand, we must now factor in the cost of doing business online, of which cyber is now a business-critical part.
What do you think?
- Are we prepared and doing enough across the sector?
- Is this at the forefront of your business continuity strategy?
- Have you a plan in place to protect your employees, customers & partners?
- Do you have cover or adequate cover, which is well enough defined?
- Are you investing ahead of the curve to prevent it?
Nigel Walsh | @nigelwalsh
IoT | Web3 | Manufacturing | Speaker | Author | CRO Advisory
PS. Since you mentioned the movies, remember "Live Free or Die Hard"? That was the one about the hackers that took over the Fed's system after crowdsourcing the code. Crowdsourcing code is one of the best, perhaps the only way, to fight this. Write the spec, break it up into small pieces, crowdsource the pieces, and then assemble - better, faster, cheaper - the holy grail of coding. It's critically important that insurers' IT departments move away from coding and into crowdsourcing. Fight fire with fire. Otherwise, be overwhelmed and crushed. Prediction: Insurance companies of the future won’t be run by actuaries with deep backgrounds on the financial side. They will be run by techies. They won’t be insurance companies that use technology. They will be tech companies in the business of insurance.
IoT | Web3 | Manufacturing | Speaker | Author | CRO Advisory
Btw, I heard a cyber-risk expert say to a small circle of attendees after a brilliant conference presentation, wrt Sony, "One of the biggest issues is that a high-profile actress is now being blackmailed for millions. Apparently the hackers simply sold her data to a 3rd party because the data revealed she is HIV+ and is trying to keep that information private." He went on to say that this kind of data, PHI, is a very attractive target for blackmailing. Yikes. Great work Nigel. Gosh, I hope out of the 450 people that accessed your post, at least some of them are actually taking action…
IoT | Web3 | Manufacturing | Speaker | Author | CRO Advisory
Comprehensive. Thank you, sir. Especially appreciate "Hindsight is wonderful, but perhaps a fraction of this upfront would have saved this money and importantly time to focus on the business strategy, not remedial work." So true. Yes, $44 million would go a LONG way in prevention. But as you say, the reputation damage could be an extinction-level event, especially for an insurance enterprise whose entire value-prop revolves around trust. Also appreciate the astute comment: "Very interesting to see the emergence of offerings like CyberEdge from AIG blurring the lines between insurance coverage and cyber services in a convergence of mutual interest..." Yes, if insurance and reinsurance companies don't lead in this way, I'm not sure who will. Won't it be the rare CIO that will admit massive risk today, here in 2015, a full 10 years downstream, if not pressed by the rest of the leadership team or external consultants?
Director - The Softworx Group - Head of Cyber & Compliance
Excellent post Nigel, would be good to talk to you about this in more detail as you very definitely understand the risk. Net Defence have been working with corporations and government departments for over 10 years now to design enterprise, secure and protectively-marked networks, and also to protect smaller businesses from data and system loss, a risk to businesses of all sizes - let's catch up.