Insurers strive to model cyber crime

As the threat posed by cyber crime continues to rise, many corporates are considering insurance options, but insurers are battling against a lack of data on which to model policies


In November 2014, a group calling itself the Guardians of Peace was discovered to have hacked into the computer systems of Sony Pictures Entertainment. Subsequent terror threats made to Sony by the hackers led to the cancellation of the New York premiere of The Interview, a controversial film about the fictional assassination of North Korean dictator Kim Jong-un.

By the end of 2014, the episode had already cost Sony roughly $15 million in investigation and remediation costs, while the US Federal Bureau of Investigation had concluded that the hackers were backed by the North Korean government, describing cyber crime as “one of the gravest national security dangers to the United States”.

Sony is not the first corporation to fall victim to cyber crime and it won’t be the last, but the high-profile attack, and the growing number of large corporates that have also fallen victim to cyber crime, have brought home the scale of the reputational, financial and political threat posed by hackers. It comes at a time when many companies are already considering their vulnerability to cyber attack, and insurers are grappling with the challenges of accurately modelling the risk.

“This is not a new risk, but the exposure of companies to cyber crime is often much greater than they would like to admit. When companies perform attack-and-penetration self-testing of their security infrastructure using third parties, they are often surprised by the extent to which their networks and information are exposed,” says John Langione, chief risk officer for North America at QBE in New York.

The challenge is that cyber insurance is still a relatively new discipline, and it lacks a comprehensive set of historical data to inform accurate underwriting and pricing of contracts. While insurers may be doing their best to take in as much relevant information as they can, there is not yet an industry-standard approach.

“The most pressing issue for insurers is that we don’t have access to rich historical data to actuarially model exposure to cyber risk. The industry relies to some extent on a small set of previous breaches that have been well publicised, and there are repositories where we can access the latest intelligence, but it is still far from the complete data set we would ideally want to use,” says Mark Bannon, senior underwriter for security and privacy at Zurich Insurance in London. 

Increased vulnerability

The growing demand for cyber insurance has been driven not just by the negative publicity surrounding hacking victims such as Sony, but also by the realisation that as more and more information storage and business activity takes place online, companies are becoming increasingly vulnerable. And while it is only the larger victims that usually make the headlines, low-level instances of hacking are now widespread.

According to the Information Security Breaches Survey, which is conducted annually by PwC on behalf of the UK government, 81% of large companies and 60% of small companies in the UK suffered a security breach of some kind last year.

The large number of firms that have experienced cyber crime highlights the fact that hackers come in many forms. While it might be only the more sophisticated groups that have the wherewithal to penetrate a large company like Sony, basic hacking software is now readily available online.

“The stereotype of a hacker is an individual with lots of machines and a real talent to penetrate something very secure, but, at the other end of the spectrum there are simple downloadable tools that search thousands of websites to find those with a deficiency,” says Dave Ovenden, head of the underwriting consultancy at Towers Watson in London. “Hacking has definitely become much more mainstream.”

The growing prevalence of cyber crime may be one factor driving companies to better manage the risk, but the cost of attacks is likely to be even more influential. In the UK, the average cost to small businesses of their worst security breach ranged from £65,000 to £115,000 last year, according to the PwC report, while for large companies the range was between £600,000 and £1.15 million – both significant increases on the average cost in previous years.

“Companies used to think management of this kind of risk was confined to the IT department, and it rarely concerned the board or even the business itself, but over the last few years cyber attackers have posed a much greater threat as they have moved into new sectors and become more malicious and sophisticated. It’s no longer a risk that can be ignored by the board,” says Vincent Geake, cyber and technology specialist at Deloitte in London.

As with any type of risk, once it has been identified as a business concern, companies must then go through a process of determining the level of exposure, how it can be managed, and to what extent insurance may be necessary. But with cyber risk still a relatively new concept, reaching consensus on standard definitions is far from simple.

Some industry practitioners have taken issue with the use of the term cyber risk in the first place, on the basis that it actually encompasses risks that have existed since the dawn of IT systems, such as loss of data and business interruption. While those risks must clearly be managed, lumping them under the generic ‘cyber risk’ label can be misleading, they argue.

“There is a universal idea that cyber risk is really important and we should worry about it, but there is often a lack of understanding about what it actually is. Essentially companies are already concerned about losing data or finding their business can’t operate continuously; in most cases cyber is just a new way for those things to happen, rather than being a totally new risk,” says Neil Cantle, principal at insurance advisory firm Milliman in London.

In a paper on cyber security and the role of insurance issued in March by the UK government and insurance broker Marsh, cyber risk was defined as being synonymous with IT risk – “the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise”.

But beyond that broad definition, cyber risk can take a wide range of forms and be instigated by many different groups, including governments, terrorists, cyber criminals, disgruntled employees and lone actors. The point of attack and extent of the damage caused can also vary considerably, adding to the challenge for insurers.

Recognising the ambiguities surrounding cyber risk, officials at Zurich Insurance took the conscious decision to use different terminology, labelling its service in this area ‘security and privacy insurance’, rather than cyber insurance.

“Cyber is an over-used term and means different things to different people, but the fundamental concern we hear from potential buyers is around data breach. As the owner or custodian of large volumes of records and information, companies have a duty of care to safeguard that data against breach, which is where our insurance focuses,” Bannon at Zurich says.

If data breach is assumed to be the greatest concern associated with cyber, it then needs to be broken down into individual risks that must be managed and mitigated, whether through internal security measures or insurance.

Geake at Deloitte believes there are three particular types of attack that hackers might attempt on a firm’s data: confidentiality, which would encompass the simple copying of data; integrity, meaning the changing of data, such as taking over a social media feed or falsifying transaction data; and availability of data, whereby hackers would delete or encrypt data so that the hacked company cannot access it.

Those three types of attack could have varying levels of severity for a particular business depending on how it operates, so making a thorough assessment of the potential business impact of a cyber attack is the first step in managing the risk, says Geake.

“Companies need to understand the threat landscape that is applicable to their particular sector and then look closely at their IT architecture and internal controls. They also need to assess what the business impact of a data breach might be. Only then is it possible to determine the real risk, and whether it should be transferred to an insurer,” Geake explains.

When it comes to insuring against cyber risk, some existing policies that protect against business interruption may already cover data breach at some level, and there is also a growing market for standalone cyber risk protection. But the recent UK government paper cited industry surveys suggesting just 10% of UK firms have cyber cover in place, whether as a standalone policy or as part of a broader policy.

Lack of data

For insurance companies, the process of underwriting and pricing standalone policies for cyber cover is somewhat different to other forms of insurance, largely due to the lack of precedent and data. In many cases, it relies on in-house or external experts in IT and security who can test companies’ infrastructure and determine their resilience.

“We engage preferred IT experts to perform pre-assessments of potential buyers of cyber insurance. They review their systems and security in forensic detail and report back on any deficiencies, which we would then share with the client. Once the company’s protection reaches a certain level of sophistication, our policies are tailored to fit their unique requirements,” says Bannon of Zurich Insurance.

In the absence of sufficient data on which to model cyber insurance policies, most practitioners agree this kind of detailed review is critical to a rigorous underwriting process, at least for larger policies with higher limits, but that doesn’t mean the eventual pricing of policies is free from tension.

“For larger accounts, insurers would want to see some form of penetration test to methodically find any weaknesses in the client’s defence and then the policy can be written on the back of that. There is often a difference of opinion between insurers and clients on the perception of the risk and where insurance should be priced, but that is a difficult problem to solve with limited data,” says Ovenden of Towers Watson.

Steven Anderson, product executive for privacy and network security in North America at QBE, acknowledges that crafting insurance for cyber risk is still at a relatively low level of sophistication but, given the growing demand for cover, it’s an unavoidable challenge.

“It is widely agreed that we don’t yet have sufficient data to support pricing of cyber liability, so when trying to file a product and get actuaries to write that product, it’s a bit like putting your finger in the air to see which way the wind is blowing. I’m not sure that any insurance companies can have developed accurate models yet, because there haven’t been enough losses to inform those models,” says Anderson.


Insurers at risk

While the insurance industry may be busy dealing with the challenges of writing protection against cyber attacks for their corporate clients, some believe insurers themselves face an even greater threat than companies in other sectors.

“Insurers hold a wealth of information that can be extremely valuable to hackers. By targeting a life insurance company for example, hackers could get access to all sorts of personal information that would enable them to build a broad picture of someone’s identity and then open other accounts,” warns Daljitt Barn, cyber director in the insurance and asset management business unit at PwC in London.

Insurers tend to specialise in particular markets, which makes them interesting to attackers targeting those markets and, in many cases, hacking into an insurance company could be more damaging than hacking a company within a particular market, Barn adds.

“Considering the range of markets that insurers cover, hackers can get access to confidential information in almost any sector they want. One area that might be less obvious is that companies planning to list on the stock exchange will often insure their initial public offering, so hackers can make a fortune by getting access to price-sensitive information,” he says.

In the US, insurers will this year begin reporting to regulators on their risk management under the Own Risk and Solvency Assessment (Orsa) framework. Cyber risk is understood to be one area in which regulators are looking to see robust risk management processes in place.

“Responses to cyber threats will be one of the major issues for examination of insurers in the future as state governments and regulatory bodies are keen for frameworks to be established to manage the exposure. It has been strongly recommended that when we measure our risk for the Orsa report, cyber should be discussed within that context,” says QBE’s Langione.
