Silent but deadly? How cyber risk is affecting your insurance

NCC Group
Jul 21, 2017 · 4 min read

Written by: Paul Vlissidis

It’s a truism that a business becomes ever more dependent on its IT, OT[1] and now IoT[2] so it’s understandable that cyber security risk now pervades almost every area of an organisation.

This means that many aspects of traditional insurance risk can also be affected by cyber-related issues. This is known in the industry as ‘silent’ (or non-affirmative) cyber risk.

Examples might include Product Liability insurance, Directors & Officers (D&O) insurance and Business Interruption insurance where the risks covered may be directly or indirectly affected by cyber security issues.

A ransomware attack that results in significant business interruption — such as those that recently hit the headlines — may lead to claims against directors from shareholders or customers who feel that a business has not made sufficient effort to address technical debt and, more specifically, security debt in their IT, OT and IoT systems.

But interruptions could be in a business’s supply chain — as opposed to a direct attack — and many policies do not address these issues at all.

One of the starkest and most obvious differences when it comes to cyber business interruption is the lack of a physical cause. Whereas, in the physical insurance domain, business interruption is triggered by a property damage event, in a cyber world it can be far more challenging to evidence a virtual cause and quantify losses.

Insurance Industry & Regulatory Response

The insurance industry response to cyber risk has been patchy with some underwriters and brokers embracing the issues while others still attempt to treat cyber risk as analogous to physical risk. It’s not unusual for cyber cover to sit with departments more used to assessing stolen stock or fire damage.

The Prudential Regulation Authority (PRA) is seeking to address this issue. Following a consultation exercise in November 2016, the PRA has now issued a supervisory statement (SS4/17)[3] which is relevant to all UK non-life insurance and reinsurance firms and groups within the scope of Solvency II (‘Solvency II firms’). This includes the Society of Lloyd’s and managing agents.

SS4/17 focuses on the underwriting risks from two sources:

1. Affirmative cyber insurance policies, such as data breach products

2. Non-affirmative (‘silent’) cyber risk, which refers to the implicit cyber exposure within ‘all risks’ and other liability insurance policies that do not explicitly exclude cyber risk.

Underwriters are required to ‘reduce unintended exposure’ to the ‘silent’ cyber risk. This may lead to robust exclusions for cyber risks in many non-cyber policies in future. This, in turn, may prompt businesses to consider explicit (affirmative) cyber risk cover.

SS4/17 goes further by also requiring all firms that underwrite insurance which could contain a cyber risk component to have clear strategies on how these risks will be managed and regular management information showing exposure for both non-affirmative and affirmative cyber risk.

Lastly, the statement requires that all firms have appropriate investment in cyber risk skills so that the cyber landscape is clearly understood.

What does this mean for policy holders?

  • It’s likely that policies such as business interruption insurance and product liability may henceforth exclude cyber risk by default.
  • For many companies with a high dependency on cloud computing platforms, such cover would likely be a total waste of money unless some elements of cyber risk are included.
  • Policy holders should therefore carefully read any exclusions to see if cyber risks are covered and seek to take out explicit cyber cover should it be required.

What does this mean for insurers?

For some insurers, the silent cyber risk has simply not been addressed in their policies before now. Expert cyber risk advice will be in short supply in an industry that is already suffering a significant skills shortage to meet the ever-growing demand of the market.

Suggested approaches

  • There are national schemes (such as Cyber Essentials) which give insurers the option to insist on certification by policy holders to address some of this silent cyber risk. This would have the simultaneous effect of reducing security debt and lowering premiums for this type of insurance.
  • Insurers could offer ancillary services to policy holders such as the Federation of Small Businesses (FSB) and LHS Solicitors cyber helpline, which NCC Group provides to all FSB member companies.
  • Insurers could offer sophisticated risk assessment tools which would allow a quick and easy measure of a prospective policy holder’s cyber risk maturity level. It would be helpful if a common standard were used across the industry based on, for example, the top five NIST Cyber Security Controls[4] for SMEs and the top 20 for larger businesses.
  • Non-cyber insurers could offer expert cyber risk services to clients who have difficult/intangible risks to insure.
  • Where silent cyber risk is in the supply chain, policy holders and insurers should work together to enforce Cyber Essentials with key suppliers. Additionally, there should be a minimum insurance coverage and a clear statement in contracts for goods and services as to who is liable for forensics costs or breach notifications.
  • Finally, insurers could offer managed detection and response services to key clients.

NCC Group is working with insurance providers on all of the above areas.

SS4/17 is an acknowledgement that cyber security is a significant aspect of many types of business risk. The insurance industry view of cyber risk is maturing and cyber risk insurance is now an important component in an overall risk mitigation strategy.

References

[1] OT = Operational Technology

[2] IoT = Internet of Things

[3] http://www.bankofengland.co.uk/pra/Pages/publications/ss/2017/ss417.aspx

[4] https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf

Originally published at www.nccgroup.trust.

Keylogged

A cyber security publication from NCC Group
