Cyber attacks and terrorism set to be the most threatening emerging risks for the (re)insurance industry in 2015

Cyber code

The world is rapidly becoming a more dangerous place as terrorist groups and rival foreign powers discover it is easier to hack into a corporate website than to orchestrate a physical attack or intrusion.

Insurers now face a major challenge in trying to provide comprehensive cyber insurance. Although an exemption clause for a policy covering, for example, buildings insurance may absolve the insurer from paying out in the event of terrorist attacks, the company insured and the insurer know that, in developed countries, an attack is unlikely to occur.

However, the digital age has provided terrorists with a world in which they can operate more freely than in the physical world. For example, a group of hackers based in Iran called Parastoo is known to be actively recruiting IT engineers with the software skills needed to bring down financial trading systems and power supplies on the other side of the world. Parastoo has already been linked to a military-style attack on a US electric power station.

Earlier this month, at the Council on Foreign Relations, the chairman of the US House Committee on Homeland Security, Representative Michael McCaul, said he is concerned about Iran developing software that has the “ability to shut things down”, for example, infrastructure systems such as power grids and water distribution.

This awareness of the vulnerability of organisations to cyber terrorism is spreading to the insurance industry. Cyber attacks and terrorism will be the most threatening emerging risks for the (re)insurance industry in 2015, according to a survey released in November by global risk and reinsurance specialist Guy Carpenter & Co. Forty percent of those surveyed said cyber attacks are the most threatening emerging risk, and 31% cited terrorism as the most threatening risk for the coming year. (The US survey was based on the responses of 111 insurance and reinsurance executives.)

But acknowledging the risk and accurately quantifying it are two different matters. In many instances, organisations are unaware that terrorists or foreign governments have infiltrated their IT systems. Sometimes, foreign powers, terrorist hacker groups and cyber criminals spy on companies without their knowledge, stealing sensitive and commercially valuable data such as client records, future business plans and product designs. Frequently, these cyber intruders steal sensitive data for months before they are detected or finally reveal their identities. The first step an insurer should take is to establish whether an IT system has intruders already sitting on it and the second is to ensure the organisation is instantly alerted should an intruder break in.

However, the major problem facing companies seeking insurance is that traditional cyber defences are outmoded. For example, the anti-virus software that has traditionally protected IT systems against known software bugs is now largely redundant, although it is almost universally deployed as a first line of defence.

According to Internet security adviser Kaspersky Lab, an average of 315,000 new varieties of malware are created daily. As it would be impossible for corporate software providers such as Microsoft to deliver so many patches, companies and their insurers must employ more effective cyber defences. Modern software created by developers, such as Glasswall, enables organisations to filter incoming communications, identifying “known-good”, while briefly quarantining messages from suspicious sources. Complementary software, such as Sentinel, produced by developer Zonefox, enables companies to search the history of sensitive documents to establish if they have been compromised and, if so, determine when and how this occurred. Insurers and their clients must now develop new procedures for identifying and evaluating the threat of cyber terrorism.

“At this point, there is no market standard policy in cyber insurance generally. The key for insureds is to have open discussions with their insurance broker to identify the key areas of concern, prior to approaching the insurance market, and this should result in ensuring the correct solutions are found,” says Lyndsey Bauer, TMT practice leader at Paragon International Brokers.

Stuart Poole-Robb is chief executive of business intelligence and cyber security adviser KCS Group Europe.