“Jazz is not dead. It just smells funny.” – Frank Zappa
For the last two decades, insurers have introduced products, which are intended to respond to cyber risk. However, the offerings seem to
lag behind the technology risks. As we enter the new era of the Internet of Things, the risks will expand exponentially, but so will the opportunities. Are we ready?
100 Years ago, back in the 90s…
According to Brian Brown, president of Atlanta Based CyberSpecialist Group, CyberRisk Insurance was introduced in the late 1990s. The biggest threat at the time was data loss from external miscreants or disgruntled internal employees.
Over time, the risk profile has expanded to business interruption, extortion, notification costs (in the event of personal identity theft), computer forensics, and public relations management.
However, commercial uptake for cyber risk coverage suggests that insurers may not be hitting the mark. The Insurance Journal notes,
A full 50 percent of U.S. firms do not have cyber risk insurance and 27 percent of U.S. executives say their firms have no plans to take out cyber insurance, even though 61 percent of them expect cyber breaches to increase in the next year.
So, do we take this as a fail?
In a 2015 news release, PwC insurance partner Paul Delbridge, raised caveats about the future of Cyber insurance generally:
As Boards become increasingly focused on the need for safeguards against the most damaging cyber attacks, insurers will find their clients questioning how much real value is offered in their current policies. … If the industry takes too long to innovate, there is a real risk that a disruptor will move in and corner the market with aggressive pricing and more favourable terms.(emphasis supplied)
So what does ‘innovate’ mean in this context? Let’s retrace the history from an outside-in approach.
History revisited
Cyber insurance came to the market in parallel with the rise of the Internet; a commercial network owned by no one and everyone at the same time. While viruses and malware could find their way into closed corporate networks on other paths (e.g., rocket sticks), the Internet was the super highway for saints and sinners alike.
Given that wide-open exposure, the first generation of CyberRisk underwriters were reluctant to take risks that were not well understood. Erring on the side of caution was de rigeur.
But that may be changing. And the catalyst is the same driving force that is creating the new risk profiles.
The Internet of Things changes everything….
The difference between the Internet of websites and the Internet of Things (IoT) is that the latter relies on technology for the management as well as the pure operations. The IoT assumes responsibility for functional control by turning complex decisions over to a combination of smart devices, analytics, and artificial intelligence, allowing for rapid responses to anomalous patterns.
A recent Deloitte posting put it this way:
many leaders are implementing an umbrella-level cyber risk paradigm, raising standards for cyber risk at every level of the organization, enterprise-wide, from pre-threat to post-event. That means preventing and anticipating IoT-related cyber threats before they take hold, monitoring and neutralizing threats already in play, and restoring normal operations as soon as possible when an organization is struck by a threat.
Sound daunting? It should. But achieving the objective is a critical success factor for the deployment of real-time IoT applications (think Telematics-driven Autonomous Vehicles). The functionality must be able to rely on decisions that can respond correctly in sub-second time frames.
This all won’t happen today, but ….
At the present time, this construct cannot be applied across all IoT applications. The development of common standards has not kept pace with the rapid introduction of unique implementations.
But there is hope. Deloitte suggests interim steps that will allow “deployment of loosely coupled systems, which can help ensure that the failure of a single device doesn’t lead to widespread failure.”
Beyond that, there can be incremental improvements to define harmonized standards based on business requirements.
Is this a job for insurance?
From an insurance standpoint, this is the evolution of a completely new infrastructure, which will require sophisticated risk transfer mechanisms.
Insurance carriers could play significant roles in underwriting the new capabilities as they emerge, but only with a new set of tools, techniques, and expertise. The risks are challenging, but no more so than the risks of the technology companies bringing solutions to the table.
The question is, Are we up to this challenge?