Fitch has found that 120 U.S. insurance groups reported writing $1 billion in direct written premiums in 2015. In the newly released report, ‘U.S. Cyber Insurance Market Share and Performance,’ Fitch used data from the new 2015 NAIC statutory supplement “to compile company and industry statistics on cyber insurance.” According to the report, the largest cyber insurance writers are AIG, which accounts for 22 percent of the market, Chubb Limited with 12 percent and XL Group LTD at 11 percent.
While global cyber insurance is predicted to reach $20 billion by 2020, the limited information on cyber insurance makes it a challenge to evaluate and price risk. Additionally, “Challenges in isolating cyber related premiums and exposures from other risks within a package policy create limitations in analyzing the supplemental filing as total cyber insurance premiums are likely understated,” said James Auden, managing director of Fitch Ratings.
Experts also indicate that there is plenty of capacity in the cyber insurance marketplace and most firms have found cyber insurance to be profitable. In 2015, the direct loss ratio for cyber stand-alone business was 65.2 percent. However, Gerry Glombicki, director of Fitch Ratings, explains that “the ultimate profitability of the P/C industry’s cyber insurance efforts will take some time to assess as the market matures and future cyber-related loss events emerge.”
The recent hack on the National Security Agency (NSA), which revealed previously undetected software flaws that the agency has been relying on to penetrate foreign networks, could be putting large corporations and governments around the world at risk. The release of these hacking tools, likely by hackers affiliated with the Russian government, exposes flaws in commercial firewalls that can now be accessed by virtually anyone with an internet connection. Over the years, security experts have pushed the NSA to disclose the flaws so companies and governments can patch the vulnerabilities, but the agency has instead used them as a means to spy. The release of NSA hacking tools “demonstrates the key risk of the U.S. government stockpiling computer vulnerabilities for its own use: Someone else might get a hold of them and use them against us,” said Kevin Bankston, director of New America’s Open Technology Institute. “This is exactly why it should be U.S. government policy to disclose to software vendors the vulnerabilities it buys or discovers as soon as possible, so we can all better protect our own cybersecurity,” he continued. This marks the second attack on U.S. government-related agencies this month accused of having Russian ties, creating further tension between U.S. and Russian relations.
A newly released report backed by security consulting firm Herjavec Group estimates cybercrime will account for $6 trillion of annual damages by 2021. To put it into perspective, cybercrime has cost governments, businesses and citizens $3 trillion in the past year. The report defines damages as “any incident where hackers caused the destruction or theft of money, intellectual property, personal or financial data. Additional monetary losses experienced due to lost employee productivity, embezzlement, fraud, forensic investigations or other restoration efforts,” are also included in the total. As the number of first-time internet users increases significantly and the Internet of Things (IoT) grows exponentially, the world will have to protect 50 times more data by 2020 than it does today, according to the report.
Due to China’s involvement in United States’ cybercrime, which costs U.S. businesses an estimated $100 billion per year, cyber expert Fred Tsai has proposed a mutual $2 billion insurance fund to relieve financial losses resulting from external cyber-attacks. A need for a comprehensive strategy against cybercrime involving the U.S. and China began when Presidents Jinping and Obama launched a joint effort to combat cybercrime for commercial gain. Fred Tsai suggests that the two countries build on this joint effort by each contributing $1 billion to a shared insurance fund in which private organizations can file claims and receive compensation from the fund when cyber-related financial losses occur from an outside country. Both U.S. and Chinese organizations can draw from this fund following an external cyber-attack.
It should also be noted that the U.S. cyber insurance market is currently about $2.75 billion in premiums written, and predicted to reach $20 billion in the next 10 years, so this cyber fund would be relatively short-lived. When the $2 billion investment runs dry, Tsai explains that the fund would be “replenished through premiums, which would increase for the country found to be the source of an attack.” While this idea is certainly a long shot, innovative approaches to combat cybercrime should be welcomed by the public sector.
What do terrorism, conventional crime, natural disasters and political instability have in common? Ray Kelly, vice chair of K2 Intelligence and former police commissioner of the NY Police Department, says that cybersecurity could be a key ingredient in all four of these potentially catastrophic events. As a result, combatting cybercrime is not just an IT issue. It involves the entire company from the initial planning stages to the breach response plan. As cyber threats increase in size, volume and sophistication, all employees must have a sound approach to cybersecurity and always be on the lookout for suspicious activity. In fact, around 80 percent of cyber intrusions can be attributed to employee carelessness due to a lack of cyber education.
Kelly claims that the New York Police Department had 100,000 intrusion attempts per day. Larger organizations, on the other hand, often experience millions of threats a day. As a result, organizations should take the “not if, but when” approach to cyber-attacks, as every organization is likely to fall victim at some point. To help a company get back on its feet, Kelly explained that the entire C-suite should be involved in a business continuity plan – an organized strategy to help recover from a catastrophic event, especially if it involves cybercriminals due to the complexity of the risk.
The HHS Office for Civil Rights (OCR) has announced plans to begin investigating smaller health care data breaches as cybercrime on the health care sector reaches an all-time high. Due to inadequate cybersecurity practices combined with the goldmine of valuable personally identifiable information (PII) stored in the networks of health care providers, cybercriminals have increasingly targeted health care organizations of all sizes with ransomware, network attacks, data theft and other forms of cybercrime. As cybercriminals begin targeting smaller organizations due to the lack of cybersecurity resources, OCR will begin devoting more time, money and energy to investigating these smaller attacks. Previously, OCR’s regional offices have devoted resources to investigate reported breaches when 500 or more individuals’ PII has been compromised, but starting this month regional offices will begin investigating the “root causes” of incidents involving fewer than 500 victims.
When deciding which breaches to investigate, the office will “prioritize according to the size of the breach [or] whether any unencrypted PHI was stolen or improperly disposed of; any breaches involving unwanted incursions to IT systems (hacking, malware, phishing), and the nature and sensitivity of the data involved.” Additionally, OCR will pay particular attention to cases where multiple breach reports have similar characteristics. OCR hopes this will lead to better cybersecurity practices among health care organizations of all sizes, leading to better protection of patients’ confidential health information.
Reporters working for the New York Times have recently been targeted in a series of attempted cyber breaches with characteristics strikingly similar to those of the attacks carried out against Democratic Party organizations in recent months, which revealed stolen DNC documents to WikiLeaks. While The Times spokeswoman Eileen Murphy claimed the company had seen “no evidence” of any internal breach and that there is only evidence that several New York Times email accounts were possibly compromised, the attempts provide further evidence that Russian spy agencies are targeting public and private organizations with connections to the U.S. political system.
In response to the attempted breach, Murphy stated, “We are constantly monitoring our systems with the latest available intelligence and tools. We have seen no evidence that any of our internal systems, including our systems in the Moscow bureau, have been breached or compromised.” While The New York Times has neither confirmed nor denied the ongoing investigation, officials claim “The Times has hired a private security firm to work with U.S. security officials to determine how the hackers were able to gain access,” according to a recent article from The Hill.
The lack of actuarial data and the unpredictability of cyber risks have many insurance companies wary of jumping headfirst into the cyber insurance game. While most of the major players have already entered the field, contributing to an estimated $2.75 billion market, there are also fears that a catastrophic attack on multiple organizations could single-handedly cripple an insurance company. To combat this underwriting issue, Tel Aviv-based startup Cybewrite is currently developing a platform to help underwrite cyber insurance policies.
By providing the underwriter with the proper information and tools, he or she can make “data-driven” and “evidence-based” decisions when offering cyber coverage to businesses. “We translate cybersecurity-related data we collect from various sources using our innovative tools and algorithms into cyber insurance policy recommendations in an agile, scalable and cost-effective manner,” said Nir Perry, CEO and founder of the company. “We do so using a combination of big data tools and unique cyber know-how.” The underwriter can, in turn, use the tools to guide their client on the coverage that best fits their needs and price range. Cybewrite is a cloud-based platform that collects customer-specific and industry data that helps identify specific levels of risk, which can help craft the cyber insurance policy, Perry explained. The company plans to launch Cybewrite in the beginning of 2017.
Due to a significant increase in high-profile data breaches in 2016, Aon claims to have brokered more cyber policies to Australian organizations in the first half of this year than it did in all of 2015. While the concept of cyber insurance is far more evolved in the United States, recent cyber events in Australia, such as an online census failure this month, have sparked recent interest in cyber protection. In fact, when cyber insurance emerged in Australia in 2013, Aon wrote just five policies throughout the year. In 2016, Aon has written 750 cyber policies and $5.25 million in premiums – a quarter of the Australian cyber insurance market, according to Aon’s Cyber Global Practice Leader Kevin Kalinich. While 70 percent of big businesses in the U.S. have some sort of cyber coverage in place, Kalinich said that only one in 10 major Australian businesses currently has cyber insurance. Kalinich predicts a 10-fold increase in premiums written in the next few years, particularly due to developing data breach notification requirements.
Guy Carpenter & Company recently announced plans to partner with cybersecurity firm Symantec Corporation to create a cyber aggregation model. The model aims to “include a comprehensive catalogue of cyber scenarios from which insurers can derive frequency and severity distributions to measure the potential financial impact of loss from both affirmative cyber coverages and “silent” all-risk policies where cyber is the peril, but no cyber exclusions exist,” according to Guy Carpenter. This strategic alliance will be led by Guy Carpenter’s Cyber Solutions Specialty Practice to leverage Symantec’s data analytics and cyber knowledge to create an unparalleled cyber aggregation model. “By combining Guy Carpenter’s risk management and catastrophe modeling expertise with Symantec’s technical knowledge and proprietary data, we are pioneering a cyber aggregation model to help reinsurers gain a better understanding of their correlated cyber risks and to manage and protect their capital in extreme cyber scenarios,” said Tim Gardner, CEO of U.S. Operations at Guy Carpenter. As the cyber model builds on itself, it will allow insurers and customers to better understand the complexity of today’s cyber-attacks.