Insurance-Canada.ca - Where Insurance & Technology Meet

Cyber Risk, Insurance, and Aligning with Hope

In spite of some arcane-sounding words and phrases, the vast majority of insurance transactions are pretty straightforward. However, insurers, brokers and third parties are looking to new opportunities to get a broader portfolio. And a number of insurers are looking to cyber risk as a new tab on file. But what are the challenges?

This isn’t your standard product sell …

Insurers, brokers, third parties, and clients are looking to cyber risk for new revenue, and are realizing that claims are not the same as other standard risks. For example, Los Angeles-based NAS Insurance is a Lloyd’s coverholder and has four offices in the US. More to the point, NAS focuses on cyber risk and coverage.

With 15 years’ experience, NAS Insurance is well known for cyber insurance. Matt Sherman, Senior Vice President of Specialty Reinsurance, said: “A lot of carriers, program administrators and brokers still don’t feel completely comfortable getting into the cyber space.”

NAS Insurance’s 2019 Cyber Claims Digest reported that:

Cyber claims among its non-healthcare policyholders grew by a staggering 38%. Cybercrime claims, across both the healthcare and non-healthcare segments, were up 68% over 2017, led by financial fraud, which saw a 79% rise.

Jeremy Barnett, senior vice-president at NAS, said,

The most significant increase of cybercrime activity is in financial fraud. These fraudulent transactions are often a result of email phishing schemes that lead to payments or wire transfers of funds to cybercriminals posing as our insured’s clients or business partners.

Interestingly, Cyber Liability needs to stay ahead of new risks and, according to the NAS Cyber liability page, the “NetGuard Plus cyber liability insurance policy has been reengineered to help businesses of all sizes combat cybercrime and address emerging cyber risks” (emphasis supplied).

Post-breach Risks from the Ponemon Institute

In late 2018, the Ponemon Institute published “Managing the Risk of Post-breach or ‘Resident’ Attacks.”

While we think that individual bad guys and evil actors in criminal states are the majority, Ponemon looked to “attackers who may already be residing within the perimeter, including insiders that might act maliciously”.

Ponemon recruited over 600 US security professionals to understand the risk to insiders.

At the end of the study, the authors noted that “almost two-thirds of respondents lack efficient capabilities to detect and investigate ‘stealth’ attackers before serious damage occurs.”

One overarching element: “The findings consistently show that organizations do not fully understand the risks associated with this type of threat, are unprepared for resident attackers, and have little ability to discover and remove them.”

Specific capabilities to ‘preempt, detect, and respond to post-breach’ need to be strengthened:

  • Organizations have low confidence in their ability to prevent serious damage from these attacks;
  • Senior leaders lack understanding of the threats and do not clearly communicate business risk;
  • Most organizations lack the ability to detect resident attackers, particularly insider threats;
  • Capabilities are low to prevent attackers from finding connections and credentials that enable lateral movement;
  • Incident response appears to be the weakest link in the threat-handling chain;
  • Investments in most areas will increase, but the budgets are shifting significantly toward threat detection.

The survey provides details and recommendations throughout the report. If you are not scared just yet, Ponemon will supply the push over the cliff.

However, there is hope …

As much as bad guys can stay ahead, the time is very short. The Ponemon study notes that there are three specific actions:

  • Preempt – Undertake proactive measures to improve hygiene to make the environment more difficult for the attacker to operate in.
  • Detect – Identify signs of attacker presence as close to their initial beachhead (“patient zero”) as possible.
  • Respond – Act efficiently to stop attacks in progress while reducing disruption to the business.

So, where are you on the action?