In September, Apple issued emergency security updates to block ‘zero click’ spyware that could infect iPhones and iPads. “This silent way to hack a device is particularly alarming,” said Scott Field, head of international product strategy at Duck Creek, who warned that a financial institution could potentially be hacked in this way.
“If someone hacks a bank like that and is able to infect all of its customers, are we going to spend the time to figure out who is at fault and ultimately whose policy covers what?
“Probably, but is industry prepared from a reinsurance perspective to deal with a cyber attack that starts from a financial institution that has millions of customers, and then all of sudden all its customers are disrupted? Probably not.”
Speaking with the Re/insurance Lounge, Intelligent Insurer’s digital hub for interviews, debates and panel discussions, during a session, Field added that it’s only a matter of time before something that affects one company then infects all its customers.
Fellow panellist Ian Simons, marketing director at Chartered Insurance Institute, believes that the sector has made positive steps, and there’s a lot of collaboration between insurers and trade bodies taking place.
“The likelihood of a cyber event being the next big systemic shock is a very strong reminder that, as a sector, we have to be ready for something that isn’t just a combination of small claims happening iteratively but a major shock,” he said.
“When there’s an ability to have a lot of data to observe, companies respond well and quickly.”
Scott Field, Duck Creek
That’s not to say the insurance industry isn’t doing well on managing cyber risk. Field believes that, on obvious issues, such as ransomware, the industry is working well.
“When there’s an ability to have a lot of data to observe, companies respond well and quickly,” he said, before adding that more complex risks, such as when property damage comes into play, highlight unsolved problems.
“As an industry we’ve traditionally been experts on identifying risk and pricing risk whereas now, these larger companies have such robust and talented security teams working for them, that in some cases the industry could be better served by asking more questions and listening,” said Field.
Jenna McGrath, senior cyber economist at CyberCube and the third panellist in the Re/insurance Lounge discussion, said that clients are now realising that impacts from a cyber attack can reach into the property damage realm.
“Cyber has evolved to have similarities between traditional property damage and traditional lines of insurance, but the major difference is that we have years and years of records of what these kinds of claims/issues would look like from physical standpoint,” she explained.
“The industry may be clearer on insuring cyber risk, but many outside it are unsure what they need to buy protection for.”
Jenna McGrath, CyberCube
Closing the protection gap
The industry may be clearer on insuring cyber risk, but many outside it are unsure what they need to buy protection for, how to make sure they’re covered, and where they should be covered, said McGrath.
She advised that while employees need to be trained on best practices and undertake cyber risk training modules, companies also need to take an extra step and ask: “If something does happen, how will our company be protected and what kind of coverage should we purchase?”
McGrath added: “It’s a difficult topic as it’s a new and evolving point, and people are unaware of the downstream risks.”
Simons agrees that there is a protection gap, particularly on the small and medium-sized enterprise side of business.
He said: “There’s not just a protection gap—we need to make sure that people understand properly to what extent they can risk manage their own cyber risk.”
And, while closing the protection gap is a noble venture, a rush to bridge this gap can come with its own drawbacks.
“There’s definitely a lot of smart people who want to move faster to close that protection gap,” Field said.
“But when you have this rush of new people to bring new products to the market, there can be a bit of confusion.”
He added that the people who are hurrying to cover the protection gap with new ideas and new capital, are not always “particularly well-funded from a technology perspective”.
Simons added that insurers and others involved in the chain have evolved product coverage quite swiftly.
“There’s a lot of new ways of covering new risks by listening to customers,” he said. “On the flipside, you have to keep that in pace with the guidance, engagement and support you have with customers because, as you innovate new products, you have to make sure customers and others in the chain understand how that product works, how it works in conjunction with existing products, and which ones are appropriate for which customers.”
Unfortunately, said Simons, when product coverage is evolving at different speeds with different carriers it can be a difficult place for customers.
“Innovation in product coverage is great and necessary, but we also have to make sure it’s done ethically.
“We know that additional product coverage adds value and removes risk, and we need to spend as much time educating the client over how that works as on building a product and pushing it out.”
In agreement, Field concluded: “In insurance, moving quickly is good but moving cautiously and prudently and quickly in alignment is much better.”
To view the full Re/insurance Lounge session click here
Image: Shutterstock / Have a nice day Photo
“When product coverage is evolving at different speeds with different carriers it can be a difficult place for customers.”
Ian Simons, Chartered Insurance Institute
