What Cyber Insurance Industry Learned from 2017 Hacks
The NotPetya, WannaCry and Equifax hacks of last year were evidence that the U.S. insurance industry has been ill-prepared to handle a large cyber attack and needs to up its game.
However, as a consequence of the attacks in 2017, the industry and its customers may be at a tipping point in favor of better cyber readiness and coverage, according to panelists at the 2018 AIR Casualty-Cyber Seminar, held February 27 in New York City.
They also called for public officials to move beyond circa-1970s thinking about cyber and collaborate more with the private sector to mitigate the risks.
The cyber experts said that a lack of experience and data are behind what they see as the industry’s underpreparedness in a constantly evolving cyber risk environment.
“The threat could come from a dozen different directions,” said panelist Brad Gow, global cyber product leader at Sompo International. “I don’t know where the threat is going to come from, but I do know that as an industry, the insurance industry really is not prepared for that.”
Panelists agreed that as ransomware attacks, in which hackers steal data or make it unreadable and refuse to provide a solution unless paid a ransom, become more prevalent, and attacks on supply chain infrastructure are expected to increase, one cause for concern is the U.S. insurance industry’s lack of experience.
“There are some [carriers] that have never experienced this sort of hack-type event, and there are only a few well-known carriers out there that have been around long enough and have suffered enough losses to build up a substantial amount of premium,” said panelist Kara Owens, global head of cyber risk at TransRe.
This has led to a lack of understanding of the constantly evolving cyber threat environment, panelists agreed.
“When looking at cyber, not all hacks are the same, not all hackers are the same, intentions vary, capabilities vary and obviously the techniques and procedures that the adversaries are using are varied and different,” said panelist Frank J. Cilluffo, associate vice president and director at the Center for Cyber and Homeland Security. “Yet we tend to bundle and jumble terms together. It reminds me of kids’ soccer, when everyone is swarming toward the ball, but we need to spread the field out and understand how we can approach this a little better.”
He added that although the risks are broad and the industry should recognize it can’t protect against everything from every perpetrator, it needs to be working to minimize risk as much as possible.
“I think with some of the attacks, if they were a lot worse, you would see much more drastic change,” Owens said. “But I think with some of the attacks, we have seen some carriers responding.”
As one example, Gow pointed to the NotPetya cyber attack that occurred in June 2017.
“The insurance industry in the West and much of the U.S. really dodged a bullet,” he said.
The NotPetya attacks used software disguised as the Petya ransomware that surfaced in 2016. Although a solution to reverse damage from the Petya ransomware was eventually found, the NotPetya malware resulted in another global outbreak last year. The malware was designed to enter corporate networks using a hacked version of a popular accounting program in the Ukraine and destroy data and filesystems within each computer. Although the majority of attacks occurred in the Ukraine and Russia, firms that were hit saw losses in the hundreds of millions of dollars with weeks- or even months-long business interruptions, according to Gow.
“That one event, had it been a true zero-day or had it affected Western economies rather than just the Ukraine and Russia for the most part, it really would have turned into the most significant event of 2017,” he said. “And it would have largely turned the cyber insurance market on its head.”
A zero-day attack occurs when developers have not had time to fix a newly discovered software vulnerability before it is taken advantage of by hackers. The term zero-day is a reference to the idea that there are zero days to fix a newly exposed problem or vulnerability within a software program or operating system before the security hole is discovered and exploited by cyber criminals.
“We did see a little [change] after NotPetya, and Equifax is one of the larger losses that we’ve seen last year,” Owens said.
Indeed, Equifax Inc. said in March it expects costs related to its massive 2017 data breach to surge by $275 million this year. Reuters reported that the incident at the credit reporting bureau could turn out to be the most costly hack in corporate history.
“We have seen some companies that may have been some of the more naïve capacities moving up the tower, so obviously they got a little bit scared from that,” Owens said. “I think some of it is good because now people are trying to figure out how to really respond to those things, so if you were a carrier that never experienced it, now you’ve gone through that exercise at least.”
Cilluffo agreed that as attacks become more prevalent and widespread, the insurance industry is beginning to prioritize cyber-related issues, devote the resources, put together a risk profile and protect the most privileged and most valuable information.
“I think we’re at that tipping point,” he said. “If there’s one thing that did come out of NotPetya, it was at least that the meat and potatoes were being done in the U.S. Where you saw the biggest impact was in countries that weren’t updating the software. It was sort of the same with WannaCry as well. It was hammering entities that weren’t even updating software.”
WannaCry targeted computers in May 2017 that were running the Microsoft Windows operating system by encrypting data and demanding Bitcoin ransom payments.
“I think all of these attacks, even if the companies weren’t impacted, are starting to really make people think through whether they have coverage or not,” Owens said.
She said she believes as companies realize they don’t have the coverage they think they do with other product lines, they’re going to focus more on cyber insurance. She pointed to Maersk, a transport and logistics company that reported a more than $200 million loss due to the NotPetya attack, as one example.
“They didn’t buy a cyber specific policy,” she said. “They ended up putting claims into a couple of different policies…but now they’re in the market trying to buy [cyber] coverage.”
She added that she also believes directors and officers (D&O) insurance is under more pressure now with increased demand from companies realizing directors and officers could be at fault if a cyber event occurs.
“I do think that it’s definitely gotten a lot better over the last few years,” she said. “You see a lot of carriers utilizing a lot more modeling tools, making strategic partnerships with cybersecurity firms, doing a lot more on the pre-incident side and doing a lot more research with various academic institutions…but I agree that there is a long way to go.”
Cilluffo stated that it has become increasingly important for the public and private sector to collaborate in order to mitigate and respond to cyber threats.
“How many companies – the biggest in the world – went into business thinking they had to defend themselves against foreign intelligence services?” he said. “Historically, that’s the role of the government.”
He said that as cyber attacks have gone largely unabated with minimum response so far, although now the U.S. government is beginning to discuss how to better respond to bad actors. The White House publicly blamed Russia for the NotPetya cyber attack last year, months after private cyber experts reached that conclusion.
“We can’t firewall our way out of this problem,” he said. “At some point, we’ve got to get to the point where we can communicate offensive capabilities.”
With this in mind, Cilluffo called on the U.S. government to take a second look at any outdated information in order to keep pace with ever changing cyber risks and better protect against attacks.
“It’s not to suggest that there aren’t good people doing the right thing in Congress, but the problem is, we’re taking on 21st century problems armed with 19th century knowledge,” he said. “All of the laws involving both government and industry – because ultimately, I think industry is going to drive most of the solutions – are from the 1970s before the internet existed. There’s something wrong with that.”
He added that although lawmakers should exercise caution, as he believes even well-intended legislation could be detrimental with advances in technology, the solution needs to be better balanced.
“The fact that we don’t have a national data breach notification law is crazy,” he said. “It doesn’t add up because the way we’re thinking about these issues is circa-1970.”
Panelists stated that for the insurance industry, the problem is the same.
“If you look at every other policy besides a cyber policy, they’re not thinking about the exposures that currently exist,” Owens said. “As an industry, we have to look at that and rewrite policies to address the solution, whether it’s excluding [the exposure] or permanently covering it. We need to be understanding what the exposure is and underwriting and pricing for it, because as an industry, that’s our job.”
Gow said it will be up to carriers to police themselves and operate responsibly.
“It’s a little bit distressing to me to see that hasn’t really been the case to date in the insurance industry,” he said, adding that as things in the cyber world and the current threat environment are developing and changing so quickly, the insurance industry has some work to do in terms of how to monitor the coverage it is providing.
“The insurance industry has the most to lose because we’re the ones who are extending the $10 million and $15 million and $20 million limits on an individual company,” he said. “As an industry, we’re not even really prepared. We don’t have the actuarial experience to underwrite the coverages that were commonly available five years ago. It’s just that the data’s not there. The actuaries drive the price of strategies to the carriers, and the data is not there to price this stuff.”
That being said, Cilluffo said he believes the insurance industry is starting to see significant change.
“I think the one thing I would caution is what we think the greatest vulnerabilities and/or risks are right now could obviously change, and we have to remember the adversary has a vote in that set of issues,” he said.
Because of this, he said that U.S. insurance industry needs to move past blaming only the victim when a cyber breach occurs and start blaming the perpetrator as well.
“At the end of the day, many of the breaches are due to poor behavior – whether it was malicious or unintentional – and we have to arm that workforce with knowledge and insight,” he said. “As we’re starting to see more automation, I think our defenses have to be.”
Additionally, Cilluffo said the insurance industry needs to get to a point where it can design more secure systems at the infrastructure level.
“By secure, I mean more resilient systems,” he said. “We’re never going to stop everything all the time. By the time we get anything written down, it’s overtaken by events. But what we can do is minimize consequences, minimize impact, bounce back and make that cost less significant.”
He added that if the industry can become more resilient, it will be able to better protect against incurring cost at the outset of a cyber event.
“You want to build in the beginning, not when it’s on quicksand,” he said.