A growing demand for cyber insurance is being met by new offerings from carriers. But evolving cyber threats call for a new approach. Three key elements can help protect carriers from the potentially massive risk of offering cyber insurance.

In my previous blog post, I discussed the growth and evolution of the cyber threat. In this post, I look at how carriers can limit risk and liability.

My colleague Uwe Kissman heads up Accenture’s Cyber Security Services. He tells an interesting story that serves as a great starting point. It’s a very short story. It goes like this:

“Very recently, a client that was considering purchasing an expensive and complex industrial machine asked Accenture’s team of cyber security specialists to assess how ‘air tight’ the security of this machine was. It took us just one hour to break into it and take control.”

It is important for companies to stop assuming big tech players and manufacturers of complex machinery have them covered and to begin thinking out of the box when it comes to security. This customer demonstrates the kind of proactive effort and thinking that businesses—and insurers—need to employ when it comes to cyber security. However, to do it they will need more expertise than most have in-house.

Uwe’s focus is on helping businesses by bringing a reality-based, high-end attacker’s point of view to their organizations. His team then designs advanced security approaches, taking into account the operational and financial realities of the business. At Accenture Insurance, we lean on that knowledge to help our insurance clients design and deliver marketable solutions that are backed by the appropriate safeguards.

Increasingly, this will be the kind of input carriers need to design cyber insurance offerings that can keep pace with evolving cyber threats.

Cyber insurance—the challenges

While the majority of insurers have launched cyber insurance of one kind or another, common challenges prevail. Each poses new questions for cyber insurance providers.

  • Cyber risk is evolving: Can insurers recalibrate their offerings to manage risk adequately?
  • Risk models must change: Can insurers adapt fast enough as new variables emerge?
  • A single event may spark multiple claims: How can insurers weather such a storm?
  • Security policies, infrastructure and standards will help customers self-protect and lower risk: Can insurers insist that their customers comply?
  • Businesses often don’t detect security breaches, or only do so long after the fact: How will this impact insurance?

Being able to ensure that a cyber insurance customer has adopted a suitable security posture, with suitable audits, will be imperative for any insurer to limit liability. However, this will not be enough to ensure the customer is secure. Compliance with security standards and best practices merely puts the foundation in place. Nor is the cyber insurance provider offering to secure the company, it is offering risk cover. Is this a position that needs to evolve?

For businesses, cyber insurance is foremost a means to cover the financial impact of exposure to cyber threats, especially recovery. For consumers, the interest in cyber security extends from insuring loss of data, privacy and assets to covering physical security. How can insurers provide this kind of risk cover in a hyper-connected world without massive risk to their own businesses?

Insurers that partner with vendor-neutral security specialists will keep pace with shifts in the security landscape.

There are three requirements:

  • Partner to gain a deep understanding, and keep abreast of current and evolving threats, and adapt policies accordingly
  • Educate customers and drive awareness
  • Insist that minimum auditable security postures be maintained

Of these three injunctions, the first will be most critical to success in the cyber insurance market.

Uwe suggests that while insurers may want to partner with tech specialists and technology vendors to create a specific solution, possibly one tied to the use of specific technology—a firewall or smart device, for example—they will do well to also partner with a security specialist that is vendor-neutral to advise them of shifts in the security landscape. I believe that such a provider will also need to have the partnerships and platforms in place to access global security data, and the analytics capabilities to assess risk.

Insurers need to design and deliver marketable solutions that are backed by appropriate safeguards and keep pace with evolving cyber threats.

SwissRe suggests that leveraging big data and smart analytics may augment traditional actuarial analysis to enable re/insurers to respond quickly to fast-changing underlying risk factors. 

SwissRe suggests that leveraging big data and smart analytics may augment traditional actuarial analysis to enable re/insurers to respond quickly to fast-changing underlying risk factors.

Source: Swiss Re Economic Research & Consulting

For businesses, the reality is that cyber security talent is in short supply and it’s affecting their security capability. Some researchers predict a global shortfall of 1.5 million information security specialists by 2020. That’s just the tip of the iceberg, according to Uwe, who has just been involved in tough Accenture negotiations to acquire Maglan, an Israeli security specialist, to boost our own capabilities.

To access the level of advanced and sophisticated security skills they need, businesses are increasingly turning to specialist managed security services providers. Similarly, partnering with a specialist in this field will help insurers better understand and assess risk, limit liability, and help ensure their cyber insurance customers are better informed and protected.

In my next post—Cyber threats: the IoT security gap is an opportunity for insurance—I take a closer look at the cyber risk which the IoT opens up.

For more on the cyber security conundrum for insurers, and to get detailed insight into Accenture’s research, read this report.

 

Submit a Comment

Your email address will not be published. Required fields are marked *