Cyence, an economic risk modeling platform for cyber risk, debuted its product last September and has since received much attention in the insurance industry. Carrier Management Editor Mark Hollmer had the opportunity to sit down with Cyence Co-Founder and CEO Arvind Parthasarathi to discuss how their cyber analytics platform will allow the insurance industry to look at cyber risk in an entirely new way – in “dollars and probabilities.”
With cybercrime only increasing and traditional network security premiums becoming obsolete, the cyber insurance market is a huge, untapped opportunity for insurers and reinsurers. Mandatory legislation on cybersecurity in several U.S. states has led to more mature and better cyber liability insurance policies. PwC forecasts that annual gross premiums will increase from $2.5 billion in 2015 to $14 billion by 2022.
The Presidential Commission on Enhancing National Cybersecurity issued a 100-page report with 16 urgent recommendations on ways that President-elect Trump can improve the nation’s cybersecurity, particularly in his first 100 days in office. Main points include creating a cyber nutritional label to help consumers shop wisely and establishing an international cybersecurity ambassador.
Blockchain offers a secure approach to storing sensitive information and performing functions, suitable for exposed environments that demand high cybersecurity. Its use of sequential hashing, cryptography and decentralized structure, which all took decades of research and refining, make it virtually impossible for any outside party to “unilaterally alter data on the ledger.” Bitcoin was the first application of blockchain, launching in 2009.
The National Institute of Standards and Technology (NIST) has released a set of guidelines “aimed at helping researchers better understand the Internet of Things (IoT) and its security challenges.”
After more than seven months, the Commission on Enhancing National Cybersecurity has finalized its report on the Cybersecurity National Action Plan (CNAP) and is submitting it to President Obama. The Commission, which consists of “top strategic, business and technical thinkers from outside of Government,” according to a recent Politico article, was established as part of Obama’s effort to enhance the nation’s cybersecurity posture. The report is expected to be available to the public soon.
Members of the Commission explained the report focuses largely on short-term recommendations, with “market-based solutions rather than government regulations,” such as incentives and voluntary standards. The objective of CNAP is to enhance the nation’s long-term cybersecurity structure in both the public and private spheres. However, Kiersten Todt, executive director of the Commission, explained that “the urgency of these issues is now. So what we hope is that many of these recommendations will be able to be executed.”
It is unclear how President-elect Donald Trump will handle the executive order and the Commission’s recommendations in the report, but the Commission has stated that a nonpartisan approach has been a key focus. Experts on the matter said that the nonpartisan nature of the executive order could give Trump a “rare opportunity to build on the work of President Obama.” Stanford University cyber researcher and Commission member, Herb Lin, also explained that “the political environment is very different now than it was before the election,” and that the Commission was “very scrupulous about not compromising the nonpartisan nature of the report.” The Commission consists of both Republican and Democratic representatives.
Trump has emphasized the need for the incoming administration to take a strong stance on hackers while simultaneously building out offensive cyber capabilities. The President-elect has vowed to create a “cyber review team” and change the nation’s stance on cybersecurity in the first 100 days in office, meaning he may choose to start fresh with his own agenda instead of building on Obama’s.
Inside the Beltway and around the nation this week there has been zero escape from prognostications on what a Trump administration means for every issue imaginable. So, we’ll pile on…what about cyber? Well, we, at The Council, expect cybersecurity to be a significant issue. That statement seems obvious but the Republican platform actually includes a section advocating for “a free market for cyber insurance and makes clear that users have a self-defense right to deal with hackers as they see fit.” While the latter part has many nervous, we could see cybersecurity (and insurance) garner more oxygen than expected in the first 100 days (especially given the highly publicized hackings ahead of the election). On the surface, the President-elect’s cybersecurity stance doesn’t seem to vary much from President Obama’s policies. However, his pro-national security and law enforcement approach to cybersecurity is different and Trump will have to delicately balance between business interests and national security.
As we look to our parochial areas of interest, we are well positioned to effectively represent Council members as things heat up on the Hill in 2017. Sen. John Thune is a major cyber player as chairman of the Senate Commerce Committee and we look forward to continuing to work with him on issues stemming from critical infrastructure cybersecurity. The Council supports a single standard for breach notification, and we believe good legislative opportunities will develop there. Lots to unfold so stay tuned. We will skip next week because of the holiday but will be back after. On behalf of The Council, we wish everyone a wonderful Thanksgiving.
For years the insurance industry has invested in incentive programs to help reduce risk and prevent claims. For example, health insurers may lower premiums to encourage good lifestyle choices just as carriers may offer discounts when homeowners install smoke detectors and security systems. A recent Information-Management article explains that these incentives are a win-win for policyholders, who can invest their saved money on a safer home or healthier lifestyle, and for the insurance company, due to a reduction in claims. If discount incentives are proven to reduce risk, theoretically an organization with the latest cybersecurity technologies and proper cybersecurity policies will be less likely to claim after a cyber-attack or data breach.
Although the cyber insurance market is beginning to gain traction, the industry is still young and many organizations are not taking cyber-threats seriously, despite brokers’ encouragement to purchase cyber insurance as a stand-alone policy. While a cybersecurity incentive policy would theoretically reduce cyber-risk, there are several reasons why carriers have been slow to adopt such policies. For one, cyber insurance is not regulated the same way auto and home insurance are – policies vary drastically and prices are not standardized. Additionally, an organization with the best cybersecurity is still susceptible to a breach due to employee negligence. How can one guarantee an organization is keeping up with best cybersecurity practices? Nonetheless, as the market matures, discount incentives could serve as a motivation to purchase a cyber policy as well as to improve an organization’s cybersecurity posture on the front-end.
Data from Privacy Rights Clearinghouse (PRC) found that state and federal government agencies disclosed 203 data breaches throughout the past five years. What’s more, the 203 breaches resulted in nearly 47 million stolen, compromised, or exposed records, which does not include data breaches where the government agency did not disclose the number of compromised records. However, the number of breaches and exposed records is generally lower than for most private companies, as data maintained by PRC suggest that financial and insurance companies, retailers, and other businesses disclosed 950 breaches accounting for 245 million records. Nonetheless, government breaches often attract more attention due to the significance of the information, such as personally identifiable information (PII) and financial information.
While recent data breaches and hacking attempts on government entities have spotlighted growing cybersecurity concerns with Russia, it turns out that Russia has a cybersecurity problem of its own. Kaspersky Lab, an international cybersecurity and anti-virus provider headquartered in Moscow, claims to have blocked more than 73 million hacking attempts with malicious attachments in Q3 2016. Of all the organizations targeted by cybercriminals, banks led the way, accounting for 27 percent of the phishing attempts. According to the report, the overall number of attempted hacks increased 37 percent compared to the previous quarter. What’s more, spam in global email traffic has also increased dramatically, with six in ten of all emails containing spam. While spam is often just “unwanted advertising … the majority of malicious spam emails during the past quarter contained ransomware, which is yet more proof of the rising epidemic of this type of malware,” said Daria Gudkova, Head of Content Analysis and Research at Kaspersky Lab.