Cyber Insurance: Industry Underinsured

Monday, July 17, 2017 @ 01:07 PM gHale

Manufacturers and insurance providers are starting to come together to understand just what the industry is facing in terms of cyberattacks and their potential ramifications.

One fact facing the industry right now is it is underinsured against a major global cyberattack — which could trigger losses on a par with natural disasters such as a hurricane, earthquake or a flood.

This is one of the conclusions of a study conducted by Lloyd’s of London and risk modeling firm Cyence.

The report, “Counting the cost: Cyber exposure decoded,” examines two attack scenarios.

In the first, attackers make a malicious modification to a hypervisor controlling the cloud infrastructure, which causes multiple server failures across multiple cloud customers. In the second, a Zero Day vulnerability affecting an operating system with 45 percent share of the market is obtained by unidentified criminal groups, which attack vulnerable businesses for financial gain.

In the first (cloud) scenario, the projected losses range from $4.6 billion for a large event to $53.1 billion for an extreme event. In the Zero Day scenario, the projected losses range from $9.7 billion for a large event to $28.7 billion for an extreme event. While that may sound dramatic, the report also notes losses could be much lower or very much higher: as low as $15.6 billion or as high as $121.4 billion for an extreme cloud event.

The uninsured gap could be as much as $45 billion for the cloud services scenario — meaning that less than a fifth (17 percent) of the economic losses are covered by insurance. The insurance gap could be as high as $26 billion for the mass vulnerability scenario – meaning just 7 percent of economic losses are covered.

This represents a major market opportunity for the cyber insurance industry, and it reflects a poor understanding of the level of financial risk within industry.

The report comes out after major global ransomware attacks (WannaCry and NotPetya) and a U.S. government warning to industrial firms about a hacking campaign targeting the nuclear and energy sectors. 

The variation in projected costs reflects the study's second major conclusion: neither the security industry nor the underwriting industry has sufficient understanding of global cybersecurity risk to formulate accurate risk/exposure figures for insurance purposes.

The goal of the report is to increase insurers’ and risk managers’ understanding of cyber-risk liability and aggregation. It analyzes six trends that contribute to digital vulnerability. These trends are:

1. Volume of contributors: The number of people developing software has grown significantly over the past three decades; each contributor could potentially add vulnerability to the system unintentionally through human error.

2. Volume of software: In addition to the growing number of people amending code, the amount of it in existence is increasing. More code means the potential for more errors and therefore greater vulnerability.

3. Open source software: The open-source movement has led to many innovative initiatives. However, many open-source libraries are uploaded online, and while it is often assumed they have been reviewed for functionality and security, this is not always the case. Any errors in the primary code could then be copied unwittingly into subsequent iterations.

4. Old software: The longer software is out in the market, the more time malicious actors have to find and exploit vulnerabilities. Many individuals and companies run obsolete software that has more secure alternatives.

5. Multi-layered software: New software is typically built on top of prior software code. This makes software testing and correction very difficult and resource intensive.

6. “Generated” software: Code can be produced through automated processes that can be modified for malicious intent.

Cybersecurity offers little data in a market that remains under siege from new and more sophisticated attackers. This is further complicated by a poor understanding of liability and risk aggregation in cyber liability.

Today, Lloyd’s Class of Business team estimates the global cyber market is worth between $3 billion and $3.5 billion, and by 2020 it could be worth $7.5 billion.

Property/casualty insurers wrote $1.35 billion in direct written premium for cyber insurance in 2016, a 35 percent jump from 2015, according to reports by Fitch Ratings and A.M. Best. These figures represent a fraction of the U.S. $528.2 billion net written premiums for the whole insurance market that domestic carriers wrote in 2016.

“For the insurance industry to capitalize on the growing cyber market insurers would benefit from a deeper understanding of the potential tail risk implicit in cyber coverage,” the report said. “Risk managers could use the cyber-attack scenarios to see what impacts cyber-attacks might have on their core business processes, and plan what actions they could take to mitigate these risks.”