Vol: 43 Issue: 3 | Oct 2020
In June 2020, Australasian beverage and food company Lion announced it had been the subject of a cyber attack. Hackers used REvil ransomware to infiltrate the company’s network and demanded US$800,000 (A$1.16 million) to decrypt the company’s files.
The attack forced the company to shut down its IT systems, leading to significant interruptions to production and product delivery to customers across Australia and New Zealand.
Within a week, news of cyber attacks on New Zealand-based appliance manufacturer Fisher & Paykel and Japanese car maker Honda had also made headlines, with hackers stealing sensitive information and forcing temporary operational shutdowns.
With companies big and small looking at potentially million-dollar ransoms and multimillion-dollar business interruption costs, cyber coverage should be an easy sell. In Allied Market Research’s recent forecast report, the global cyber insurance market is projected to be valued at more than US$28.6 billion by 2026.
NEW THREATS, NEW CUSTOMERS
Financial institutions and tech companies were the first adopters of cyber coverage, but much of the future growth is expected to come from a new wave of industries and companies further down the supply chains — including small to medium-sized enterprises.
‘I have found interest from logistics businesses, conference organisers and not-for-profits, and also from specialised businesses like drone security,’ says Meena Wahi, director of Melbourne-based Cyber Data-Risk Managers.
‘Traditional businesses are seeing a paradigm shift with digital technology — which used to be only a small part of their business previously — become more central to their business.
Meanwhile, cost-averse not-for-profits are now accepting that cyber insurance is a necessary expense to safeguard against financial loss.’
CHANGE IN THE MARKET
In Indonesia, Wiena Shakuntala, head of Financial Services & Professions Group at Aon, has also seen a change in the market. ‘While financial institutions, IT start-ups and the health industry are the common purchasers of cyber insurance, the manufacturing industry is starting to open,’ she says.
‘A lot of this has to do with the adoption of cloud services and Internet of Things technology, in addition to concerns about protecting intellectual property.’
For other businesses, regulations and contractual obligations are driving the demand.
‘This started in the US market, and we’re now seeing it trickle down to businesses in New Zealand and Australia,’ says John Moore, senior underwriter at Delta Insurance.
‘For example, a bank or financial institution might tell a supplier that if they want to do business together, the supplier must prove they have cyber coverage in place — especially because of stricter privacy regulations and increased exposure to fines for severe harm caused by a data breach.’
RISK AND OPPORTUNITY FOR BROKERS
Moore says that for brokers, selling cyber coverage doesn’t start with insurance.
It starts with businesses understanding how technology, processes and people underpin their operation and what risks they are exposed to if things go wrong.
‘Does the business know what the impact of a cyber incident would be? Are they aware of the risks? Do they have an incident response plan, a business continuity plan, a disaster recovery plan, and have they tested them through simulated events?’ says Moore.
‘Cyber insurance then dovetails into the risk management discussion about transferring some of that risk.’
IDENTIFYING GAPS
In order to start cyber risk management conversations, cybersecurity assessments, risk questionnaires and diagnostic tools can help brokers and customers identify gaps in cover, as well as cyberthreats that clients may not even be aware of.
Some multinational brokers, such as Willis and Marsh, have already developed their own proprietary software tools for their brokers, and they may even be able to benchmark a business against others in its industry.
Tools like this can help a broker uncover the business’s risk appetite, as well as its existing strengths and weaknesses in the face of a cyber attack.
‘For example, [local] councils may not be concerned with cyber insurance responding to business interruption costs from a cyber attack, given rates income may not be affected, whereas it’s a major concern for other businesses,’ says Moore.
‘Talking to a tech company, they may feel they have adequate internal resources to mitigate against many cyber attacks, but they might be very concerned about regulatory risk, privacy breaches and fines.’
CUSTOMER TYPES
Shakuntala says there are three main types of customer she encounters.
The first type runs real cyber risks but is either unaware of them or misunderstands them. The second type thinks cyber risks may exist in their operating environment, but they don’t know for sure. The third type knows the risks are real, because they have already experienced them.
‘For customers in the first category, examples with details of the technical and financial impacts usually help to open their window.
‘For customers in the second group, discussing policies and alignment with their business situation and strategy usually helps the most. For customers who have already experienced a cyber incident, the discussion usually goes directly to coverage and its related claim process,’ she says.
PROOF POINTS IN CYBER COVERAGE
Many businesses in the new wave of industries taking up cyber coverage outsource their IT operations and security.
Moore says that they should be encouraged to keep their IT vendors honest, getting an outsider to confirm the vendor is performing the cybersecurity work it is tasked with, rather than discovering what hasn’t been done at claims time.
‘We were asked to quote cyber insurance for an international airport, which, to its credit, had just organised an independent, third-party cybersecurity assessment,’ says Moore.
‘The independent assessment highlighted the current IT vendors were letting the airport down in a number of key areas, including cybersecurity. The end result was that they fired an IT support vendor.’
Sometimes, seeing is believing, Shakuntala says. ‘In one instance, to raise a prospect’s awareness of cyber risk, with their permission, Aon performed a mini penetration test on the prospect’s internet-facing systems.
Using publicly available internet tools, we brought in a technical specialist and gave the prospect a demonstration of how a cyber attack could be made — in real time, by anyone in the world with an internet connection.’
COLLABORATION IS KEY
Cyber insurance can be confusing for customers, especially those who aren’t particularly tech-savvy. Shakuntala says brokers can play a critical role in the customer–insurer relationship.
‘Insurers are keen to have their survey data filled completely, with proper information.
Meanwhile, customers need to see how the coverage details align with their business direction and needs. Brokers can play a bridging role: advising customers and providing value with insights to the insurer on client-specific situations or requirements.’
Wahi points out that there are also opportunities to collaborate with other business advisers like accountants, lawyers and cybersecurity firms, and work together as a team.
‘I also tend to seek alternate quotes from both national and international underwriters, which gives my clients more negotiating power,’ she adds. ‘Insurance is about liability and indemnity.
‘My duty to clients is to ensure they have the right coverage for both — so sometimes I have to also ask insurers to combine policies.’
A MOVING TARGET
So, what ultimately helps a customer understand cyber risk?
Says Wahi: ‘Clients like real-life examples, but they are a bit tired of hearing about the Yahoo! data breach or Equifax. They want something close to reality. They like to understand what will happen when they have a cyber attack: how and what they can claim.’
Moore says that while most individuals are aware of cyber risks like social engineering via phishing emails — ‘you see them in your inbox every week’ — some New Zealand businesses wouldn’t have been aware of targeted ransomware attacks until the recent media coverage of the Fisher & Paykel and Lion incidents.
He also points to COVID-19 as an eye-opener, in terms of work-from-home and bring-your-own-device cyber risks.
Sources like CERT NZ and the Office of the Australian Information Commissioner can help brokers stay up to date with recent incidents and best practice, and can also lead to better conversations with customers.
With cyber risk changing constantly, IT systems and jargon becoming more complex and a new swathe of customers facing different threats, cyber insurance is a challenging product for brokers.
And, as Wahi notes, cyber is only going to continue to evolve. ‘It underpins digital risk and has aspects like crime, reputational loss, personal privacy liability and intellectual property. It is a niche area that requires commitment and understanding.’
POTENTIAL CYBER COVERAGE CUSTOMERS
Allied Market Research forecasts that the traditional cyber coverage customers — tech companies, banks and financial institutions — will take up more cyber cover, and expects additional growth to come from the following industries through to 2026:
+ IT and telecommunications
+ Health care
+ Government & public sector
+ Retail and ecommerce
CUTTING THROUGH CYBER JARGON
Data breach: When sensitive or confidential data is stolen, transmitted or exposed. According to Risk Based Security, 8.4 billion records were exposed in the first quarter of 2020 alone.
DDoS (distributed denial of service): Flooding an online service or network with commands in order to disable it.
Hacking: Gaining unauthorised access to data in a computer or network.
Malware: A software virus or worm that infects a computer or network and disables it, or allows a computer hacker to access it remotely.
Ransomware: A type of malware that denies a user access to their own data, unless they pay a ransom. According to global communications giant Verizon, 27% of malware attacks are ransomware attacks.
Social engineering / phishing: Tricking people into revealing sensitive information or data in an attempt to get financial data. Phishing is an example of social engineering. Verizon found that 32–33% of cyber attacks relied on social engineering.