The recent WannaCry ransomware attack made a lot of companies wanna cry. As such attacks become more frequent and gain scale, cyber insurance promises to be the next big blockbuster in the insurance industry. Cyber risk experts from Allianz Global Corporate & Specialty (AGCS) discuss how companies need to become more aware and protect themselves.
Recently, WannaCry, a ransomware program, infected more than 230,000 computers in 150 countries. Hackers demanded payments in bitcoins to allow users to access their data.
The attack hit several large companies, including a major American parcel delivery company, a European car manufacturer and a Spanish telecom company. It disrupted the operations of Britain’s National Health Service (NHS) and affected some operations of German rail network Deutsche Bahn, among others.
South Africa leads the countries affected in Africa, with approximately 83 websites infected, followed by Ivory Coast and Nigeria. Egypt, Algeria and Morocco complete the top six countries, while only a small number of attacks have been located in the rest of the continent. The most attacked sector in the region was healthcare, similar to what was seen in the UK, and large companies were also the most targeted, according to data compiled by Fortinet, a security company.
“The stoppage of the outbreak was rather fortuitous. While this ‘flaw’ in the malware has been ‘fixed’ – we can expect a new and improved attack. ‘Smart’ malware such as this will become the norm and organisations must do all they can to protect themselves,” said MD of Cyanre, Danny Myburgh, an AGCS Africa IT partner for Cyber Insurance.
The incident again highlighted how vulnerable companies are to cyber risks – be it a technical glitch, a human error or a cyberattack – and the business interruption that usually follows.
Reuters reported that the total cost of resuming operations could run into billions of dollars for companies.
As such attacks become more frequent, companies are becoming aware of the need to protect themselves – not just from such attacks but also from the losses that they could bring.
This is why the cyber insurance market promises to be the next blockbuster in the insurance space, according to Chief Underwriting Officer for corporate lines at AGCS, Hartmut Mai.
While cyber insurance is already a mature market in the US with an estimated premium volume of $3 billion, it is still an emerging segment in Africa.
“Cyber incidents ranked as a top risk in South Africa for the second year in a row and fifth in Africa in this year’s Allianz Risk Barometer. Clearly businesses are concerned about the proliferation and impact of cyber incidents,” said AGCS Africa Head of Financial Lines, Nobuhle Nkosi.
“Legislative developments in African countries and the African Union on cyber security and personal data protection and increasing levels of liability will see growth accelerate on the continent,” continued Nkosi.
The need for cyber coverage
Technology is a double-edged sword. On the one hand, it makes processes easier and less time-consuming; on the other, it opens companies up to new risks. Industrial companies are increasingly interlinking their equipment and processes – the so-called Internet of Things (IoT) – to improve their operations but this exposes them to the greater risk of business interruption in case of an attack or a glitch.
“The more the industry integrates supply chains and processes, and digitalises production into ‘smart factories’, the more vulnerable the long-established industrial companies become as well. For them, the risk of business interruption tends to be paramount,” said Mai.
The threat doesn’t always come from hackers. Many a time, it’s just a technical failure or an employee deliberately or accidentally introducing viruses or paralysing computer systems.
When a crisis unfolds, compensation for financial loss is important, but the support services that often accompany cyber insurance are invaluable. Computer forensics, data and systems recovery as well as professional crisis communication can help a policyholder get back on its feet quickly.
“Assistance services, which we provide ourselves or through our partners, are therefore becoming increasingly important,” said Mai.
Of course, developing solutions for new risks comes with challenges. Given that cyber crime is a relatively new threat, the insurance industry needs to tread with caution in developing such products.
“We lack historical claims data because it involves an insurance product that is still relatively new in our portfolio. Also, companies shun publicity when they have been victims of a hacking attack because they are worried about their reputation,” explained Mai.
The portfolio management of cyber risks is also challenging and the accumulation risks are enormous. Through the digital networking of companies and supply chains, an incident at an individual company can quickly spread like wildfire, immobilising entire industries.
If the operations of an energy provider or a cloud services provider are disrupted by a cyberattack, numerous policies will be triggered – not just cyber policies, but also other coverage, if property damage and business interruption occur.
“At the moment, the accumulation risk is still manageable because not many companies in Europe, Asia and Africa have cyber insurance yet,” said Mai. However, just like director and officer (D&O) liability coverage, cyber insurance is expected to become the standard for companies over the medium term.
“Cyber insurance will be a blockbuster – and we must prepare ourselves for it. When the much stricter data protection regulations take effect in Europe in 2018, not just big corporations but also mid-market and smaller companies will want to buy cyber coverage,” said Mai.
Data as a tool
According to Mai, insurers have to consider evaluating the technical standards and the information technology maturity of a company differently. “Individual risk dialogues and detailed IT and process audits that we usually do for large companies would be too complex for smaller and mid-sized companies,” said Mai.
“Going forward, we aim to increase our automated cyber risk analytic capability by cooperating with data analytics companies. They use IP address-based screening, linguistic algorithms and other comparable methods to evaluate the level of IT security of a company. Such cyber resilience ratings could especially help us in offering cyber coverage to small and medium-sized businesses and retail clients through digital distribution platforms,” continued Mai.
C for cyber strategy
Given the frequency of cyber events in the recent past, there’s no denying that cyber security and related insurance will soon become an important part of corporate risk management strategies.
“In 2016, AGCS generated premiums in the mid-range double-digit millions with our cyber policies. Demand and policy transactions continued to increase significantly in the first quarter. No management board member or CIO has any doubts about the danger anymore even if their IT security is state-of-the-art,” said Mai.
The market is gathering steam and we will likely see more modular cyber solutions that can be adapted individually to a particular company.
At the moment, AGCS limits its share of cyber coverage to 100 million euros per client as the market is still new and the risks are harder to assess. For individual companies, up to 500 million euros capacity is available in the cyber insurance market.
As a new ‘normal’ emerges, companies may not be able to completely avoid the bite of bytes. What they can do is ensure that the pain is minimal.