Validating cybersecurity

March 29 2019 by Nick Ferguson

Global cyber insurance premiums are forecast to more than double to US$10 billion by 2020, driven by continued high-profile incidents and increased competition among insurers to win a bigger share of the growing market.

Just this month, the personal information of more than 800,000 blood donors was exposed by a data breach at a vendor to Singapore’s Health Sciences Authority, while Norway’s Norsk Hydro was hit by an “extensive cyber attack” that paralysed parts of its systems worldwide and cost an estimated US$40 million in the first week alone.

Despite the rise of such incidents, businesses are not yet convinced of the value of cybersecurity products, particularly in Asia, even though the likelihood of cyber attacks is disproportionately higher here than in other regions. This is partly due to confusion about the choices on offer.

“Organisations want the best possible protection against fast-evolving cyber threats, but many struggle to navigate the crowded cybersecurity marketplace,” according to Thomas Reagan, US cyber practice leader at Marsh, which launched a product this week to help insurance buyers make more informed choices about products and services to manage cyber risk.

Cyber Catalyst, which is so far only available in the US, brings together leading cyber insurers to identify and evaluate solutions they consider effective in reducing cyber risk. The initial group of insurers includes Allianz, Axis, Axa XL, Beazley, CFC, Munich Re, Sompo International and Zurich. Microsoft will be a technical adviser to the participating insurers.

“We’re helping organisations make smarter choices about their cybersecurity investments and we’re drawing on the collective insight and experience of the global cyber insurance industry to do it,” said Regan.

This kind of approach can help insureds to evaluate products that address cyber risks such as data breach, business interruption, data theft or corruption, and cyber extortion. And it can also help to achieve enhanced terms and conditions.

With the rapid growth of exposures, insurers have tightened pricing and retention guidelines for companies that have not addressed vulnerabilities — but buyers that demonstrate increased levels of security and internal policy controls can achieve premium decreases. “Increased competition in the marketplace has also played a factor as insurers fight to write the better risks,” according to Willis Towers Watson.

Indeed, as carriers focus on better management of limits, Willis says that many are now offering no more than US$10 million on a given placement. Norsk Hydro, which said this week that its primary insurer is AIG, lost substantially more than that in the first week of disruption and continues to operate at reduced capacity 10 days later.

While Marsh’s programme of validated cybersecurity providers can help to reduce the risk of such financial losses, a more important aspect may be the added security it can offer to companies with responsibility for personal information, where prevention is far more valuable than insurance — once such data is stolen, the damage is often irreversible.

The vendor to Singapore’s health authority, for example, mistakenly placed donor information on an unsecured database on an internet-facing server and failed to put in place adequate safeguards to prevent unauthorised access. It is unclear whether this data was accessed, but hackers would have had access to donors’ names, ID card numbers and in some cases blood type, height and weight.

“Criminals stealing your medical information or diagnosis codes is no longer a plot twist reserved for TV dramas,” said Aaron Zander, head IT engineer at HackerOne. “Cybercrime damage is expected to hit US$6 trillion annually by 2021 and this is just the beginning of medical record breaches, as these records are worth far more than your easily replaceable credit card.”

Marsh does not currently have any plans to bring its programme to Asia, but a system for validating the quality of a vendor’s cybersecurity arrangements would clearly be of value.

MORE FROM: Insights
  • Courting alternative capital

    • June 14

    There is growing interest in adding Asia risk to the ILS market, says leading cat bond law firm.

  • Captives take on cyber risk

    • June 14

    Companies are increasingly interested in insuring themselves against cyber incidents.

  • Exiting India’s life market

    • June 6

    As many as 15 promoters in 11 life insurance companies may be interested in divesting, but who will buy?

  • Too big to sail

    • June 6

    The insurance market has not kept pace with the growing size of containerships.