Businesses large and small have been moving to cloud services because of the benefits they offer: savings, security, agility and scalability. In fact, a Harvard Business Review survey recently found that 85 percent of companies have increased their “reliance on the cloud” in the past year, according to a recent Property Casualty 360 article.
The great migration to the cloud can benefit the insurance industry as well. While the risks associated with the cloud are different and have been a concern for underwriters, cloud services offer greater security capabilities and a significant reduction in overall risk. A common fear, however, is that a single event could trigger cyber-attacks on multiple organizations, ultimately leading to multiple claims and potential bankruptcy for an insurance company. If carefully managed and properly understood, the transition to the cloud could lead to better protected data and lower cyber insurance premiums. If not, the interconnectedness of the cloud could create a risk aggregation parallel to the asbestos claims of the late 1900s.
Nonetheless, cloud-based services can offer risk reduction for insurers’ portfolios. The aggregation of risk is certainly a factor, but “security services have begun to use the cloud to collect and pool information from every server and workstation that runs their security software. The result is a real-time picture of the threat landscape across hundreds of thousands of systems,” the article explains. Additionally, cloud security can identify and patch software vulnerabilities as quickly as they appear. Providers collect a massive amount of metadata and can stop a zero-day attack as soon as it surfaces. The consensus is that cloud-based services offer a level of security that outweighs the potential risk, both for companies and their insurers. While reliability and the aggregation of risk remain concerns, cloud providers have become better secured and more resilient than traditional approaches to cybersecurity.
Cyence, an economic modeling platform designed to assess cyber risk, has been getting a lot of attention in the insurance industry: it has already raised $40 million in funding and has collaborated with Marsh to form its Cyber View and Cyber Monitor services. CB Insights had the opportunity to sit down with CEO Arvind Parthasarathi to discuss cyber insurance and cybersecurity risk rating providers.
Parthasarathi explains that Cyence focuses on several key components. The first addresses the cybersecurity problem and the fact that spending money on cybersecurity cannot guarantee protection from a cyber-event; it must therefore be thought of as a risk. Next, cyber provides an opportunity for growth while simultaneously exposing an organization, so an economic risk model must allow insurers to address both the opportunities and the perils of cyber. Third, there is a plethora of cyber ratings programs designed to rate an organization’s cybersecurity practices (which generally focus on protecting individual companies), but none are tailored specifically to the insurance industry (which generally looks at things in aggregate, from an economic view). This is how Cyence differentiates itself from its competitors. Lastly, Parthasarathi explained that cyber economic modeling is not always a technology problem, as many cyber-events and claims are the result of insiders, accidents and privacy violations. Cyber insurance largely focuses on cybersecurity and technology when, in reality, much of the problem revolves around human behavior and “being able to have an effective model that can have capital deployed on it.”
With regard to security ratings in the cyber insurance industry, there is much information about an organization’s cyber posture that can be gathered in two ways: by “selling into the end customer” and through “vendor management.” However, Parthasarathi believes that is very different from saying, “You know what, I believe this is the number and here’s my capital that I’m going to be against it.” In the end, ratings of an organization’s cybersecurity gathered from botnets, vulnerabilities and spam can provide great insight. But the insurance industry, Parthasarathi explains, “is looking for dollars, severity curves and probable maximum loss, which is removed from where the industry is around technical ratings.”
According to market valuations and future predictions, experts believe the cybersecurity market is slowing because many venture capitalists and corporate executives are becoming more selective about investments in security. The market is showing signs of contraction as companies become more aware of what type of security they are purchasing. The first signs of deceleration appeared earlier this year and have been supported by data suggesting a slowdown in both front-end capital investment in cybersecurity start-ups and back-end purchases of finished products. CB Insights says capital investment in cybersecurity companies in the third quarter of this year is down 24% from the same quarter last year. UBS’ Brent Thill suggests that firms in the market will see average growth of 20% this year and 17% next year.
Product purchasing has been bearish as well. Fortinet, a major cybersecurity provider that specializes in firewalls and associated software, lowered its third-quarter predictions last year. Chief Executive Ken Xie suggests that corporate customers were “buying with less urgency than last year.” That said, security remains at the forefront of corporate executives’ minds. According to a Citigroup survey, 79% of CIOs plan to increase their spending on network security over the next year. Analysts suggest that the decline in spending is due to companies becoming more focused on cloud-based offerings instead of traditional hardware and firewalls. The current depressed valuations could spur a large cybersecurity investing boom in the near future.
In written comments to the presidential commission on cybersecurity, global insurance firm Marsh & McLennan calls for expanded use of the SAFETY Act, which provides liability protections for providers of anti-terrorism technologies, to legally protect the nation’s critical industries such as power plants and telecommunications companies. Marsh & McLennan suggests the Act could be applied more broadly across industries to allow for more protective cyber protocols. “Companies that own and operate critical infrastructure, including power and water utilities, chemical plants, civilian nuclear facilities, dam operators and telecommunication providers, should be encouraged to submit their information security protocols and controls for SAFETY Act approval,” according to the firm. If accepted by the Commission on Enhancing National Cybersecurity, the proposal would be a controversial wrinkle in current protocol: it would put the Department of Homeland Security in the central role of dictating which industries best qualify for data and network liability protections under the law. The overall goal of the proposal is to improve cyber resilience in the private sector.
The proposal has met some resistance from state insurance regulators, who argue that private insurance providers are still improving the services and products they can offer for atypical situations like this one. State commissioners argued that qualitative assessments and data based on actual incident experience will be needed to properly evaluate an applicant’s true cyber risk and to allow for the greatest degree of personalization in security plans. The NAIC writes, “Though demand is increasing, the cyber insurance market is still relatively small as cybersecurity risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data.”
The presidential commission is to release its policy recommendations for the next administration on December 1.
With cyber breaches, corporate cyber-espionage and ransomware becoming so costly to a firm’s finances and reputation, studies have shown an increased demand for cyber insurance. According to a September survey by the Risk and Insurance Management Society, 80 percent of the companies surveyed bought policies that pertained exclusively to cybersecurity in 2016, a purchasing increase of 29 percent over the previous year. “Respondents are most worried about reputational harm (82 percent), notification costs (76 percent), and business interruptions caused by both network outages (76 percent) and data loss (75 percent) from cyber breaches. Cyber extortions (63 percent) and the theft of trade secrets or intellectual property (42 percent) are also concerns,” according to the report. These fears have led almost 70 percent of companies to transfer the risk of cyber exposure to a third party, and 24 percent of risk managers reported spending more than $1 million on cybersecurity protection, including active monitoring and employee education.
The increase in demand is also matched by a responsive increase in the supply of cyber insurance carriers in the market. As of 2015, more than 60 companies cover cybersecurity in the U.S., with the global market seeing similar growth. Sales are expected to reach $7.5 billion by 2020, and Leidos Risk Manager Rich Johanson says that carriers are steadily expanding coverage and creating new products to counter growing cyberterrorist activity.
This leaves a great deal of work to be done by insurance agents and brokers. The versatility of insurance packages is not the only factor in increasing sales; education is also vital, and the take-up rate will increase as more buyers are educated. Emily Cummins, a member of the RIMS board of directors, explained that “as insurance suites become increasingly available, more companies want to procure a plan that can fit their own unique needs.” Of the businesses that purchased cyber coverage last year, approximately 82 percent said their coverage met their needs. Sales will increase as carriers grow more proficient at underwriting a clear and coherent package.
The Federal Government’s three most powerful financial regulators, the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve and the Office of the Comptroller of the Currency (OCC), will propose new cybersecurity rules designed to protect financial institutions from cyberattacks. Banks with $50 billion or more in assets must adopt the most sophisticated cybersecurity and anti-hacking tools so that they can respond to a cyberattack within two hours, according to a recent Reuters article. The new rule will apply to roughly 40 banks as well as additional “non-bank financial companies.” While the selected firms would not be required to submit cybersecurity plans to federal regulators, agency officials say they will monitor them for compliance.
The new rules will be divided into five separate categories. The first mandates that firms create a written risk management strategy approved by the board. Second, firms must “identify, measure, monitor, and control cyber risk consistent with the entity’s risk appetite and tolerances.” Third, the rules require firms to establish an internal risk management department that coordinates with the company’s board of directors. Fourth, firms must “gauge cyber risks brought on by their internal assets like company hardware and technology and external business relationships.” Lastly, the covered firms must create a formal strategy for dealing with cyber-attacks and data breaches. The rules are to be finalized after industry input.
A recent hack, suspected to be of Russian origin, hit the National Republican Senatorial Committee (NRSC). The NRSC’s online store was infected with malware that harvests credit card information and has been skimming the details of thousands of credit cards for the past six months. The NRSC is believed to be one of more than 5,900 e-commerce sites hit by the same perpetrators.
Security experts believe that the stolen data was sent to and consolidated on a network of servers in Belize. The servers are believed to be owned and operated by a Russian-language internet service provider. The stolen credit card information was likely sold illegally on the dark web, and anyone who purchased a product or donated via the NRSC website could have been affected. Dutch security analyst Willem De Groot says it is unknown how many credit cards were stolen from the NRSC but suggests, “According to TrafficEstimates, the Republican store has received some 350K visits per month lately. A conservative conversion ratio of 1 percent yields 3,500 stolen credit cards per month, or 21K stolen credit cards since March.” He goes on to say that, based on the current black market price per card, the hackers could have made about $600k from the NRSC alone.
De Groot’s analysis of the malware found on the NRSC site shows the hackers exploited weak passwords and other security vulnerabilities. In addition, he discovered that the malware was also present within the databases of the e-commerce sites, which is how it was able to operate unnoticed. There has been no formal announcement from the Republicans, but the party is believed to have taken steps to correct the problem. While other sites have also taken steps to correct the issue, the hackers are continuing to infect new sites rapidly.
An unknown hacker, scanning for unsecured databases, was able to access more than 58 million records from the data management firm Modern Business Solutions (MBS). MBS primarily serves the automotive, employment and real estate industries. The original hacker was able to pinpoint the unsecured, open-source database using the search site Shodan.io. The information was passed on and leaked three times by an individual identified by the Twitter handle @0x2Taylor. It was first posted on the file sharing site MEGA twice, being removed both times, and then once again on a smaller file sharing site. The leaked information includes names, IP addresses, birthdates, email addresses, vehicle data and occupations.
The initial leaks exposed more than 58 million records, but the individual identified as @0x2Taylor later referenced an additional set of data containing about 258 million rows of personal data formatted similarly to the first leak. Risk Based Security (RBS) was unable to verify the validity of this data because, according to RBS’s research, the MBS database had been secured by the time of the second release.
In response to the alleged Russian tampering in the American presidential election, the Obama administration is preparing for possible covert cyber retaliation. Current and former U.S. intelligence officials with direct knowledge of the situation have told NBC News that the CIA has been tasked with delivering to the White House various options for “clandestine” cyber operations aimed at harassing and “embarrassing” the Kremlin leadership. Although no details were provided, sources have confirmed that the agency has already started selecting targets, opening cyber doors and making other preparations. Traditionally, the NSA is the center of American digital spying, but because of the covert nature of the task, the CIA’s Information Operations Center (IOC) will take the lead and work alongside specialized NSA and Pentagon analysts.
This is not the first time the CIA has been assigned such a task. Two former officers who worked on Russia explained that there is a long history of the White House asking for options for covert action against Russia, but the missions were never carried out, for political reasons. Former CIA deputy director Michael Morell expressed skepticism about an extensive attack on Russian networks: the U.S. does not want to set a precedent for other countries to do the same against it. But the general consensus of the intelligence community is that unless the U.S. stands up to cyber-attacks from Russia, “we’ll only see more and more of it in the future.” One former officer said that we need “to remind them that two can play at this game and we have a lot of stuff.”
Vice President Joe Biden reassured the nation on “Meet the Press” that a message will be sent to Putin and that “it will be at the time of our choosing, and under the circumstances that will have the greatest impact.”
The Obama administration is considering a wide range of retaliation strategies against Russia, including the use of financial sanctions, in response to hacking intended to influence the 2016 elections. “The president, earlier this year, signed an executive order designating authority to the Secretary of the Treasury allowing the United States government to deploy economic sanctions against individuals or even countries that are involved in nefarious activities in cyberspace. So the president has taken steps to give his own administration more authorities to be considered as part of an effective and proportional response,” said White House Press Secretary Josh Earnest. The issue has been in the spotlight not only because of the election but also because of the potential for new rules in cyber defense policy.