Understanding Cyber Risk and Cyber Insurance
The Evolution of Cyber Risk
Technology advancements not only enhance the productivity of our businesses, they also bring with them risks. Risk is defined as the uncertainty of a financial loss. If we went back more than a hundred years, we’d find most of our technological advancements in the form of machinery and steam engines. Go back about a hundred years, and technological advancement was centered on electro-mechanical devices and the internal combustion engine. Businesses harnessed these innovations to increase the production and delivery of goods with greater efficiency. The insurance industry has always been in step with advancing technologies because they create new risk vectors, which in turn drive new insurance markets. Steam technology created risks from boilers that could break down and disrupt business – or worse – explode, resulting in property damage and even death. The distribution of electricity and the subsequent wiring of factories generated risks from fires and electrocution. As new technologies evolve, hazards are identified; hazards are any conditions that increase risk. In the case of a steam boiler, a hazard would be improperly inspecting and maintaining the equipment. In the case of electrical wiring, hazards would include improper insulation or lack of junction boxes. Hazards can be managed with mitigation measures and by adhering to standards, codes, and laws. However, risks are always present, no matter how well you manage the technologies and mitigate the hazards.
The digital-technology transformation of businesses started in earnest some fifty years ago with the advent of mainframe computers. These systems were largely closed and not public facing. They were also expensive, which meant most businesses in the middle market sector did not have direct access to these systems; later time-sharing and leased access became available. In the eighties the personal computer revolution took hold. The productivity of the individual office worker shot up. Local area networks (LANs) emerged and slowly replaced the “sneaker-net” method of moving information around a business. Still, these networks were largely closed and not public facing, which limited risk of outside attacks. Real cyber risks started to emerge in the nineties as LANs became inter-networked between offices, and the dotcom boom drove public and business use of the Internet. Consequently, the first cyber insurance policies were written in the nineties as risks from cybercrime, digital fraud, hacking, data breaches, viruses and ransomware grew alongside the new technologies our businesses invested in to become more productive and efficient.
A Risk Management Approach
Businesses in the middle market segment typically do not practice good risk management when it comes to cyber risk. To manage cyber risk, organizations should assess the likelihood and potential impact of a cybersecurity event or incident and use the four components of risk management: avoid, accept, mitigate, and transfer. Most businesses in the middle market segment practice some combination of the first three components of risk management, usually by happenstance. However, without a formal approach to cyber risk management, most businesses will fail to address the transfer component. How do we know this to be the case? Because the transfer component uses Cyber Insurance to transfer risk, yet market penetration rates for Cyber Insurance within the middle market segment are estimated to be only around 22%.
The Four Components of Risk Management
- Avoiding Risk: Organizations may decide to avoid risk altogether by eliminating the use of certain technologies, activities or situations. For example, a company can avoid risk by eliminating computer operating systems that are no longer supported, like Windows NT 4.0. Electing not to collect certain types of data can be a powerful tool to avoid risk. Similarly, restricting access to data and systems is a way to avoid risk. Consider how Target was hacked – the data breach occurred because their HVAC vendor’s network credentials were stolen.
- Accepting Risk: There is no such thing as perfect security. A business therefore has to make strategic decisions about accepting risk from its use of digital technologies. If the risk is unavoidable, too expensive to manage, or provides you with a desirable return, you can accept the risk. Accepting risk means being prepared to bear the costs associated with both 1st party losses (your own expenses) and 3rd party claims (liabilities). Even relatively small businesses can have cyber risk exposures in the millions of dollars.
- Mitigating Risk: Businesses can reduce their probability of risk by implementing policies and processes, and by investing in services that address cybersecurity concerns. Many organizations in the middle market lack an executive with risk management responsibility, and therefore often shift mitigation efforts to the IT department. The resulting IT “budget perspective” disproportionately focuses on technical solutions and intrusion detection, rather than a true risk management approach. Risk is often not scrutinized from a financial and operational viewpoint, especially in terms of recovery and response to a cybersecurity incident, i.e. legal costs, PR fallout, crisis management, etc.
- Transferring Risk: If you cannot avoid risk and mitigation cannot totally eliminate risk, that means an organization’s exposure to cyber risk will still exist. Cyber insurance is a means to transfer the risk to a 3rd party. Modern cyber insurance policies not only offer claims service (financial reimbursement) but include incident management services and access to teams of expert resources for containment, management, and resolution of cyber incidents. Beyond technical IT resources, cyber incidents demand that you have access to the appropriate legal resources, PR experts, crisis management professionals, and loss adjusters.
Cyber Risk Management
Exposures generated by new technologies exist no matter how well your organization safeguards and protects itself. Most businesses have fire insurance, although fire risks are relatively low. Why? Because we accept we have fire risks, we know those risks represent substantial losses, and transferring those risks via insurance is a fiscally responsible thing to do to protect the business. Modern-day building codes, industrial regulations and fire awareness have driven down fire risks significantly… but we didn’t get there overnight! The first fire extinguisher was not invented until c. 1819. The first salaried fire department was not created until c. 1853 (the first fire alarm followed soon after, c. 1857). It was not until 1925 that President Coolidge brought fire awareness to a national level and established Fire Prevention Week. In the intervening years the National Fire Protection Association (est. 1896) published over 300 fire codes that have been adopted as regulations and incorporated into laws. The NFPA continues to update and publish fire protection codes to this day.
In comparison to fire risk, cyber risk is just getting started. We don’t have the benefit of 200 years of experience in protecting, preventing and detecting cyber risks. We don’t have the benefit of codes and regulations built up over decades and incorporated into laws that govern how we operate and conduct our businesses. In risk management terms, we are only about 20 years into this – not very much time considering how quickly cyber risks have grown. As a result, the way our businesses manage and plan for cyber risks is voluntary, self-guided, and not as well understood as other business risks.
Starting from a sound risk management perspective is critical (i.e. avoid, accept, mitigate, transfer), and while risk management may intersect with the functions of IT management, it is best administered separately.
Risk Management vs. Information Technology Management
Why do we need to separate risk management from IT management? Recall what a hazard is… a hazard is a condition which increases the probability of suffering a risk. All too often CEOs are confronted with cyber risks, but lacking the appropriate risk management resources or experience, they focus their attention on perceived weaknesses in their technology defenses – associating the responsibility for risk management with the IT Department.
As a result, the approach to risk management is quickly reduced to technical solutions and mitigation without consideration of the other risk management quadrants. Studies consistently indicate that up to 90% of cyber losses start as a result of human error and/or social engineering schemes (e.g. an employee clicks on the wrong email link or attachment). Direct attacks on IT systems represent approximately 8% of cyber-attack incidents. Focusing your efforts on technical solutions where less than 10% of the risks exist is an obviously poor risk management strategy. You might even say it creates a hazardous condition.
Consider that, while an intersection exists between risk management and IT management (i.e. mitigation and technical solutions), the majority of the losses you need to accept are only going to be incidental to the technology being used. For example, the majority of costs surrounding a data breach center around incident management, legal representation, regulatory fines, public relations, and credit monitoring services.
Approaching risk management as a technology management problem will insulate you from understanding and accepting the financial exposures, sources of risk, and how best to use insurance to transfer those risks.
For many middle market companies, cyber insurance will largely replace cyber security planning in the same way that property and fire insurance require companies to adhere to building codes and maintain fire suppression and detection systems.
Organizations can think about cyber insurance much as they think today about outsourcing other services, such as payroll, benefits and HR management; all of these are complicated, regulated services and require specialized knowledge. Businesses need to view cyber insurance as a similar service and adopt the proper risk management philosophy – they cannot simply task cybersecurity to their IT department and ask them to become risk managers. Cybersecurity planning and insurance intersect with IT functions, but it is not in the best interests of a business to manage cybersecurity through an IT department. This is a very important distinction.
Cyber-risks are relatively high and disproportionately target middle market businesses – this sector tends to be less aware of the risks, and thus more vulnerable to attacks. Having some form of a cybersecurity plan and an insurance policy in place, which includes building awareness of cyber risks amongst your employees, is now critical. These plans should never be cross-operationalized with your IT resources but should be given executive level responsibility.