It's the quiet ones you've got to watch...

It's the quiet ones you've got to watch...

Guidewire

Blogpost Image

Cyber-attacks are hardly new news, but they are an ever-changing threat. The cyber landscape does not stand still for long, and with each new technological innovation, hackers find new vulnerabilities to exploit for their benefit. Even with existing technology, hackers never cease to find new ways or loopholes for intrusion. The threat is coming from everywhere: past, present, and new technologies.

Just imagine the potential damage of cyber interference in today’s context of industrial connected devices - ATMs, pumps for water and gas, or power supplies are all at risk, affecting countless businesses and their customers.

Naturally, people expect physical losses to be covered by their organisations’ standard insurance policies, but this leaves connected assets at the mercy of cyber piracy. Potentially, they are fully exposed and at the mercy of hackers if data assets are left unreferenced on the policy itself.

You don’t ask, you won’t get

It is true that unless cyber protection is specifically defined as a part of your organisation’s primary insurance policy, the physical or financial damages caused by cyberattacks will not be covered.

Since IoT and other connected technologies are still relatively new, the insurance landscape that could support them is underdeveloped. So, much like alien invasions or spontaneous combustion, unexpected cyberattacks are often omitted from or poorly defined in standard insurance policies.

The difference, of course, is that cyber threats are tangible nowadays, and the public is well aware of the potential enormity of the damage delivered by a cyber-attack. From the Petya attack in 2017 to the recent Wizz Air breach, many people are now all too aware of the physical and reputational costs these events can result in. Any business would be wise to anticipate cyber strikes, but insurers also risk losing out by remaining silent on the matter. This could be in terms of damaged customer relations, or through losses incurred where, to appease a customer, an insurer covers damages they did not intend to insure.

Playing house isn’t always fun and games

Technology can be used to put a more informed price tag on cyber-attack risks. To substantiate this, we created a series of hypothetical scenarios with Aon to see what might result from a cyber-attack at a fictional hydroelectric dam in the U.S.

In our computer model the potential damage inflicted by hackers accessing flood gates at just one dam was calculated at approximately $10 billion in insured losses!

The only way to combat this risk is to start recognizing the elephant in the room. That is to say, insurance policies need to directly reference silent cyber risks by affirming or excluding them explicitly.

It is good to see insurers are gradually getting their ducks in a row when it comes to tackling the issue of silent cyber. Policy documentation is being reviewed and rephrased to be explicit on its inclusion, but it is a complex job.

The next challenge is working out how to best price cyber risks when there is so little precedent to draw upon. The market is certainly beginning to mature, but with an ever-changing threat landscape as new technologies create new risks, for the foreseeable future there will be plenty of work to do.

In this regard, a technology driven approach offers a strong solution for insurers. AI and specialist tools can be used to align standard risks with cyber-driven data, build out the context, and fill in the gaps for a policy that can accommodate cyber.

Building out new markets and expanding the customer base for cyber insurance is the best way to protect against losses. As more businesses start to reflect the reality of cyber risk in their insurance policies their ability to protect assets improves. Given the potential catastrophe that might be sparked by a large scale, nation-state sponsored attack, bringing the ‘quiet ones’ into the purview of the industry through continued expansion of the market is an absolute requirement if insurers or insureds are to have any hope of absorbing the impact.

This article was published originally in Finextra

Tags