By Bill Kelly
Talk to a chief technology officer or chief risk officer of a Fortune 500 company and ask them what keeps them up at night. Most likely they will respond with, “Being hacked.” Their reply is an expected one, but it doesn’t address the real challenge. While executives who take measures to prevent their companies from being hacked are smart, even more intelligent are those who have protected their companies financially for when they actually do get hacked.
And they will. The WannaCry attack – which Rob Wainwright of the European Union Agency for Law Enforcement Cooperation says compromised more than 200,000 computers – showed companies around the world how truly vulnerable their systems are. It shouldn’t have come as too great a surprise. We live in a world that’s become dependent on advanced communications tools; and with the emergence of autonomous vehicles, virtual reality and the Internet of things, ours is a world poised to become even more reliant on these kinds of technologies.
As a result, vulnerabilities in business products, platforms and software will be exposed at an alarming rate by cybercriminals who seek to disrupt businesses and benefit financially. The financial, legal, operational and reputational risks are significant, and so is the need for a sophisticated and comprehensive risk management solution. While cyber insurance premiums account for between two and three billion dollars today, insurance industry analysts anticipate this number will skyrocket to a maximum of $20 billion in premiums by 2022.
Current cyber coverage cannot stand
This rise in premiums speaks to the greater challenge. The more reliant we all are on advanced communications technologies, the more complex risk becomes and the more significant the financial vulnerability for companies becomes. Imagine, for instance, if an individual were able to hack into the high-tech infrastructure of a driverless smart car and cause the vehicle to crash. What would be the financial vulnerability of the manufacturer? And how would an insurer underwrite an insurance policy designed to mitigate the financial costs that would stem from such an incident?
Several court rulings have concluded that anything with a digital component that is not covered explicitly by another type of insurance may be classified as cyber. The upshot of these rulings is that damages and losses that resulted from WannaCry, as well as from the October 2016 attack on Dynamic Network Services, were likely covered by cyber insurance policies.
Which begs the question: As cyber attacks become more commonplace, more sophisticated and more damaging, will the current coverage approach to cyber exposures be adequate? I doubt it. That means that companies should consider including carefully crafted cyber insurance policies as a part of their risk management response to the continually developing cyber risk environment.
Work with your carrier to get the right coverage
So what exactly should a cyber insurance policy cover? You have options. If you’re a vendor that relies on digital communications, you can get a policy customized to cover your operations in the event of an interruption caused by a cyber attack, as well as the financial impact the attack has on your clients. Policies also can be designed to mitigate potential financial losses and ensure that your communications network stays up and running if it’s compromised by an attack. Policies are even available to cover business interruption due to system failures not caused by an attack.
And it’s not just the financial coverage that’s important. There are also the risk management services provided by some cyber liability insurers, who give their clients access to teams of professionals from an array of disciplines. Their collective focus is to provide you with the type and amount of risk management support that is intended to protect you from attacks, mitigate the effects of an attack once it occurs, and get you back up and running as quickly as possible following an attack.
That doesn’t mean we in the insurance world have got everything figured out when it comes to cyber coverage. Insurance carriers are continuing to improve the way they use data so that they can strike a balance between the amount of coverage they want to provide to consumers and making sure they do not overextend their coverage appetites. The key for insurance providers is to design cyber insurance policies that will adequately secure the futures of their clients and of themselves.
Four questions to get you started
That’s our challenge in the insurance industry. Yours is to act. It’s only a matter of time before cybercriminals attack businesses in the United States at a calamitous level. You must start working now with your insurance carrier to adopt your own cyber insurance policies before this kind of attack happens. I suggest you start by asking your carrier four basic questions:
- What is your cyber claims philosophy, and what are the principles on which it is based? In cases of ransomware, for instance, do you counsel clients to adopt a zero-tolerance approach to demands, or is your modus operandi based on flexibility and leaving as many options open as possible?
- Do you have a process your claims team follows when I call for help in emergencies? As a start, will I be able to reach an actual person at any time, day or night, or will my calls go first to an answering machine?
- What kinds of vendors do you have in place to call on when my system comes under attack?
- How deep and strong is your bench? Can your company guarantee to supply my organization with the proper kinds and numbers of professionals at a moment’s notice?
Again, it’s only a matter of time – when, not if. Take the time to protect yourself ahead of the next big cyber attack.
About Bill Kelly
Bill Kelly is a Senior Vice President, managing the E&O underwriting team. He joined Argo Pro in January 2015. Kelly has 25 years of experience in various senior underwriting and management roles. Prior to joining Argo Pro, Kelly was a Vice President of commercial D&O for Hartford Financial Products where he was responsible for all commercial D&O underwriting within the U.S. and Canada.