Insurers Face Cyber Risk Challenges from All Directions
Mitchell Wein | July 28, 2015
The NAIC Executive (EX) Committee recently established the Cybersecurity (EX) Task Force to act as a focus point for cybersecurity insurance regulatory activities. The task force held its first meeting on March 29, in Phoenix. Just before this meeting, the Task Force released its draft Principles for Effective Cybersecurity Insurance Regulatory Guidance.
The message is clear: there will be regulatory pressure to do something around cybersecurity. The National Institute of Standards and Technology (NIST) framework will act as the basis of the eventual recommendations, with the understanding that what is expected will be practical, consistent, flexible and scalable.
Additional data on the sale of cyber insurance products will be used to help regulators with financial oversight. As we reported in our Executive Brief on Cyber Risk trends in August 2014, insurers have been thinking about how to price and underwrite these risks for some time.
- In March 2014, AIG introduced a new product called CyberEdgePC that covered property damage and bodily injury.
- Insurance Journal reported in an article a year ago that TSC Advantage has also enhanced its cyber risk assessment Threat Vector Manager (TVM) technology for commercial organizations, critical infrastructure, and the public sector. That product offered customers security controls in areas including insider threat, physical security, mobility, data security, internal business operations, and external business operations.
Cyber risk coverage that has emerged in the last few years has included business interruption, rewards for capturing criminals, crisis management, cyber extortion of the network, data breach and complying with regulations, identity theft, and liability from defense costs, settlements, judgments, and punitive damages.
How does a cyber-liability policy get priced? Not easily. As NAIC correctly points out, insurers will be interested in risk-management and disaster recovery protection of a firm’s network, data, digital assets, physical assets, and intellectual property.
Insider risk from employees and third parties in the supply chain will need to be evaluated as well. The Target store breach, in which credit card data was stolen, was achieved through malware being installed on the security and payments system through a trusted third party supporting store heating and air conditioning equipment. The breach cost $150 million and Target’s reputation, not to mention the CEO and CIO’s jobs. Insurers will need to be very interested in employee access to systems and data.
Of course, traditional protection like antivirus and anti-malware software, the frequency of updates and the performance of firewalls will be considered as well. The problem is complex, and the risk unknown. The risk continues to increase as the insurance business becomes more digital and smart devices proliferate, creating new attack vectors.
As a result, the cost is high for the insurance, and the insurers are limiting how much they will cover. A 2014 Crawford & Company study “The Future of Cyber Insurance” revealed few carriers are willing and able to indemnify over $50 million with the majority writing a maximum limit of $10 million or less. Today, the market to underwrite cyber risk is dominated by American International Group Inc., ACE Ltd., Chubb Corp., Zurich Insurance Co. Ltd., and Beazley Group Ltd.
As a growing number of firms require their vendors to purchase cyber coverage, the loss experience will become more extensive allowing for more accurate pricing of risk. This lack of experience is complicated by a shortage of people with the skills needed to assess the risk. As a result, cyber loss control services are starting to emerge as well. Marsh just launched Cyber Monitor and Cyber view in partnership with Cyence, a cyber-security analytics service provider, to look at threat indicators and security analytics.
NAIC’s task force will be responding to this by looking at the protection of information housed in insurance departments and the NAIC; the protection of insurer-held consumer data; and collecting information on issued cyber-liability policies. Inevitably, regulation will emerge in the U.S. as time goes by, both at a federal and state level.
Regulator-enforced reviews of carriers providing cybersecurity risk management and insurance coverage have begun to occur. Federal and state insurance regulators will also be looking to make a positive impact on this emerging insurance market.
The challenge is this: How does the carrier protect itself from cyber risk and assess how other firms the carrier insures protect themselves? Only time will tell how the challenge is met.