KEY TRENDS:

• Over the past six months insurers have put corporate cyber security systems and processes under close scrutiny.
• Boards must proactively address their cyber exposures.
• Businesses must audit their cyber supply chain to ensure each component is meeting cybersecurity standards.

Over the past six months there has been a significant shift in the cyber market. Insurers are subjecting clients to far greater scrutiny because the potential for cyber claims has increased dramatically with risks extending beyond the underwriting of a single business and its security processes. Cyber is one area of insurance that’s incredibly difficult to underwrite because the risks of non-compliance by multiple suppliers can quickly aggregate to significant losses across a business ecosystem. This has shifted the position of risk for insurers globally, and their perspective on how to underwrite that risk is continuing to evolve.

In recent months we’ve seen the attack on United States software vendor SolarWinds in which malware was planted in an update that compromised more than 18,000 clients, including US government departments such as Homeland Security and a whole host of big-name private companies. Microsoft was also attacked, with ransomware installed on its Exchange servers. That affected 250,000 corporate servers across the world, including the European Banking Authority.

These incidents help illustrate the enormity of the threat that businesses face – and of the risk insurers are striving to manage. As a consequence scrutiny during the underwriting process has increased significantly: more and more questions are being asked, processes and procedures further explored – all in all it’s a longer and more challenging quoting process.

For example, one of the largest risks is ransomware – both the frequency and severity of recorded claims have increased in the last 12–18 months, so there are a number of security controls examined around this risk particularly.

One insurer added 30 questions to the renewal proposal form specifically to address ransomware risk.

Understanding tech risks is imperative

In light of the SolarWinds and Microsoft attacks a business’s supply chain is now – understandably – under greater scrutiny. Businesses should be vetting their supply chains and proactively addressing any potential gaps. After all, a chain is only as strong as its weakest link. If you can go to an insurer with a robust audit process, you can provide a level of confidence in your business being a good risk.

For businesses, internal education on cybercrime is imperative throughout the organisation – particularly as 38% of all cybercrime in Australia succeeds due to human error.

Everyone involved in business today –compliance teams, technology teams, executive leadership and boards – must understand the world of technology. They must be comfortable talking about their security risk management framework, committing to a security investment strategy and understanding the terminology that significantly impacts their business, and its implications. They must understand the technology strategy, the risks they face, and how those risks are to be managed by the business.

There are some very simple and straightforward actions to take – such as compulsory employee training, multifactor authentication, tabletop tests, software updates (patching), back-up protocols and access privilege management – and insurers will be looking into your policies and procedures around these measures. What are you doing with audit results? How often are you training, testing and measuring the results? How quickly are you implementing patches? Can you verify that?

How cyber risk assessment has changed

Insurers are now examining corporate procedures. For example, in the past multi-factor authentication was ‘nice to have’ and it protected access to systems across the enterprise; now it’s almost compulsory. If you don’t have it, it’s going to be difficult to find insurance.

Overall, businesses have to realise the threats they face. The cost of cybercrime is expected to reach $6 trillion by end of 2021. When you conduct a risk and threat analyses, cybercrime has to figure majorly in that. Ransomware alone attacks a business every 11 seconds – it’s huge organised crime.

We’re quickly moving towards a situation where unless you can demonstrate you’re doing everything you can to defend your business, you’ll be asked to part-underwrite that exposure, or even be turned down flat by the insurer because the risk is assessed to be just too great.

After years of talking about the threat of cyber, time has run out. Businesses need to act, and this is why insurers and underwriters have changed their approach so dramatically.

Directors and officers’ liability Cybersecurity needs to form part of the overall business strategy, and the tech team must be fundamentally involved in that process. For boards, cyber must be a focus because if a business doesn’t have the right security controls, shareholders will hold them accountable for not addressing this properly and potentially damaging the company itself.

This article first appeared in the Gallagher Business Insurance & Risk Market Update published mid year. It was written by Robyn Adcock | Cyber / Tech Practice Leader, Gallagher & Alberto Piccenna | Client Manager, Professional & Financial Risks, Gallagher.