Cyber Masterclass | July 2021

48 mins 23 secs


Automatically generated using Asset TV AI and Amazon Web Services.
It may contain errors and omissions.

Okay, there's been a lot of talk lately of ransomware. What does this actually mean for UK brokers? To help me answer this question, I'm joined by a panel of experts. In the studio I'm joined by Darren Thomson, head of cybersecurity strategy at CyberCube, as well as Lindsey Nelson, cyber development leader at CFC Underwriting, and dialing in today I have Kathryn Thomas, senior director of analytics at AM Best, and Alana Muir, senior cyber underwriter at Aviva.

So starting with you, Darren, is it possible to model cyber?

I think absolutely. We're on a journey, that's for sure. This is a relatively young industry. Of course, it's all about data and precedents, and we're gathering data all of the time. I think if we go back just a few years, we've come a long way in that period of time. And so applying data science to curate data and make analytics from that data that can help the underwriting and broking process is something that CyberCube is 100% focused on, and so absolutely we can model, and we're going to get better and better as the years go on.

And Lindsey, why does cyber need a specialist approach?

It's the claims expertise that sits behind it, really. At the end of the day, cyber claims are evolving every single week, it feels like at the moment, so you do need that specialist approach, because the experts that sit behind the product are the ones that deal with ransomware variants every day. The underwriters are the ones that see the evolving landscape, and those two teams working together can really provide a proactive and reactive solution for policyholders as well as their brokers in terms of speaking points.

And Kathryn, for you, rating insurers and reinsurers, how important is cyber to insurers' ratings?

Well, we've seen cyber exposure relevant to AM Best rated entities on two major fronts. Firstly, how is the company itself protecting itself against cyber threats? And secondly, for the company writing cyber security insurance, how does it aggregate such exposures to arrive at potential loss estimates?

And Alana, on the underwriting side, is there such a thing as good cyber risk versus bad cyber risk?

Absolutely. I would say, though, that it has changed from when cyber really first hit the UK market, say 10 years ago, because what insurers were really looking for back then was, you know, basic cyber hygiene. So your basic requirements, like having a firewall, having antivirus in place. But now we're looking for a little bit more, as we're seeing more and more claims come in. Again, we're not looking for everybody to be perfect, because we've got to be realistic about this, you know, understanding and knowledge in the cyber area, and there's still a bit of a dearth of experience there through different sizes of organizations. But for me, I would definitely be saying that we are looking for a little bit more in terms of the education piece, and in educating your employees, because at the end of the day they are your first line of defense.

Thank you. So we've heard about these huge ransomware attacks in the news; they've made headlines. Darren, when you're looking at the data, how widespread actually is the issue of ransomware?

It's a very widespread issue. It probably is the most consequential issue facing the insurance industry right now. In this period of time we've seen huge shifts, not just in the volume of ransomware traffic that we witness, but also in the nature of those attacks as well. It was only a few years ago that the average ransomware demand would have sat around $500. We've seen $50 million in the last 12 months. So there are some huge shifts in the criminal effort behind ransomware as well.

And I think on that, I mean, a lot of the attacks we're hearing about are in the US, you know, big US companies. What does it look like in the UK, Lindsey?
Yeah, I think it's actually quite a common fallacy for clients in the UK, or anywhere outside of the US, to assume that cybercrime is a US issue. You know, on that logic you're actually more at risk, not less, if that's the premise that you believe in, because you're more vulnerable to criminals that way and you're less likely to adopt certain security provisions to prevent you from those attacks. But the reality is that criminals are going after companies because they're vulnerable, not necessarily because they're valuable. And, you know, Darren mentioned that the big theme that every cyber insurer is talking about right now is ransomware, and the beauty of ransomware is that it's not territory specific, certainly not industry specific, or even size of business. And by way of the fact that the US has quite a few larger companies, a lot of them have been on the cyber journey in terms of insurance for quite a bit longer than anywhere else in the world. Perhaps that's why we tend to hear about it a little bit more. But certainly at CFC we see policyholders affected all around the globe, and the UK is no exception to that whatsoever.

And does it still look the same as we're hearing in the US, kind of these big gangs? Are they still attacking people in the UK?

They are, absolutely. Again, it goes back to the vulnerability issue, and I think why the UK in particular does get affected by these is, to be completely transparent, a lack of minimum security controls around the business. So it does provide an easy gateway for cybercriminals to get into the systems. The motivations behind attacking certain nation states will differ depending on the territory, that is true, but the ultimate impact on the business is still quite detrimental in terms of the business downtime, the rebuild cost to rebuild systems completely from scratch.

And I think for a lot of UK businesses in particular, the decision to pay a ransom or not is often hotly debated, and does certainly require the assistance of experts to help them come to an informed decision on what that should look like.

And Kathryn, I know in a recent AM Best report you described the outlook for US insurers in terms of cyber as grim. Is it quite as negative looking on the UK side?

Well, I mean, our report was specifically more on the US side and, you know, you're right, it certainly was a difficult year last year. So we put out a report looking at US data based on NAIC statistics that showed total cyber claims rising 18% last year. And that was down to the increase in those first party ransomware claims, which account for 35%, and accounted for 75% of overall cyber claims. And that really was driven by the increasing frequency of ransomware attacks. And I think we've seen that more generally outside the US as well. And what we're seeing is hackers becoming more sophisticated in their attacks, perhaps moving towards larger targets. And I think also what that report identified was that the motives appear to be changing. So we're moving from, you know, stealing identities and more third party claims, to shutting down systems for ransom, those first party claims.

And I guess, Alana, you work with a lot of people in the UK market, you underwrite risks. What sort of trends are you seeing around ransomware?

Some of the comments have been made by some of the other speakers.
I would say that, you know, there's no specific trade, there is no specific type or size of business that's been affected by ransomware in the UK, specifically the SME market. Like I said, I've actually seen farmers and hairdressers that have been hit with ransomware, and when I started looking at cyber insurance over 10 years ago, if somebody had said to me, you know, would you speak to that size or that type of business about it? I probably would have said no. But there are no specific parameters for who is going to be a victim. Unfortunately, that isn't what's believed to be the case within the SME market. There's still this perception that it's the large, global companies, when actually that's not the case.

So it's starting to sound a little bit like no one is safe from cyber attack. Is that what you're seeing in the data?

Yeah, that's certainly the case. What's also interesting, in terms of the tradecraft that the criminals are now employing to spread these ransomware attacks, is that we're seeing some pretty fundamental changes there as well. So at CyberCube we're almost obsessed now with this concept of single points of failure. So very often that's an internet based service, or it's a service provider that many, many smaller businesses are reliant on in some way, and the criminals are using those single points of failure almost as jumping off points for the ransomware and malware itself. So we saw this, not a ransomware attack, but we saw the SolarWinds attack at the end of last year, so SolarWinds as a single point of failure; we saw Microsoft Exchange attacked back in April; and just two weekends ago we saw the Kaseya attack.

There's an example of ransomware propagated to managed service providers, interestingly though not infecting those managed service providers, but rather using them as a jumping off point to the many, many small and medium sized businesses that those managed service providers look after, and the ransomware propagating to some 1,500 businesses around the world. So we're seeing the technique of distribution change, which, as the other panelists have seen, means it can affect just about any business at all.

And in that case, would the criminals go after all of them? Is that ideal to them?

Yeah. I mean, we still see a numbers game really being played by the criminals. So what's quite an interesting technical dynamic in ransomware is that it's actually quite a manually intensive process to track everybody that you've infected, to demand the ransom, collect the ransom, decrypt the data in every one of those companies. Imagine doing that for 1,500 companies. That's a huge effort. So in most cases they're all infected. Not all of them, of course, would pay the ransom, and those that do pay the ransom may not expect to get their data back. And so this is a very inefficient process, but nevertheless very damaging, regardless of the criminals' ultimate intent.

And Lindsey, this is kind of a controversial topic right now. If you're working with brokers and clients, would you ever advise them to pay the ransom?

Yeah, it's definitely a hot topic at the moment. You know, that question actually is one of the best ways to get a client that brokers are speaking to to reshift their thinking around their need for cyber insurance, because the reality is that most small businesses in the UK will actually choose to pay the ransom, not knowing the alternative and without the expert guidance from cybersecurity experts to help them make an informed and objective decision as to whether to pay or not pay. In an ideal world, no, we would never want anybody to pay a ransom.
We don't want to be fueling crime, we don't want to give the criminals the profit they are going after and certainly getting every single week now from victims that are paying today. Realistically, it's not the case that payment should be banned outright or that payment should be made, full stop. Realistically, some businesses have no choice but to pay, and it depends on a number of factors. Certainly whether they've got backups in place; there's a cost benefit analysis between the rebuild costs and lost profits and lost customers versus the ransom payment itself. The ability to recover as a business is specific to what the business is doing. And unfortunately, if that were to stop, or payments were to be banned, ultimately what that has the effect of doing is potentially pushing crime into the underground. Ransom payments will be made, it just won't be as public, so it will divert the criminals' attention to businesses who have no choice but to pay, such as critical national infrastructure or healthcare systems, as we've seen recently in Europe. And those are really the businesses that we don't want to be affected, because it is literally a matter of life and death in some of those instances. So in an ideal world, again, no, we don't want to be paying the criminals, but realistically some businesses just don't have the choice. So to have that expert guidance that comes with cyber insurance policies to inform that decision is really more crucial than ever given the landscape.

And I know we've spoken briefly about these really small businesses that are hit by cyber criminals. What do they need in that instance? I mean, I'm sure they're going to be very distressed and not know a huge deal about cyber. What are kind of the key services they need there?

Yeah, and it's a really good point, because one of the objections that we get from a lot of SME clients is that they've got a fully fledged IT department, or perhaps just one person managing their IT, so they've got everything under control. And I think the main takeaway from that, when a ransomware attack happens, is that the functions of an IT department are extremely different from the functions of an incident response department. And those two don't have to be mutually exclusive; they can work quite well together. But the incident response teams are the ones who actually see, in the case of CFC, 15 plus ransomware events every single day. They're the ones that know the criminals' tactics, they're the ones that can help a business make a decision about whether to pay or not pay, how to source cryptocurrency, determine if there was any data exfiltration involved, so have they actually stolen information to allow them to demand a higher extortion amount from clients. Those are all decisions, and, sorry, I would actually add the most important one, which is to do sanctions checks around that. And there are many sanctions around the world, certainly in the US with OFAC, but there are UK sanctions and UN and EU and global sanctions all over the world, where it is literally not legal to pay the ransom. And so it's quite important that incident response experts are guiding SMEs through that process, because a lot of them just won't have that expertise themselves.

And Kathryn, on the regulatory side of your rating the insurers and reinsurers, how central is how they handle ransomware attacks and management of risk to their rating?

I suppose we're not really looking at how the insurers themselves manage those ransomware attacks. So I don't think that's really what we're looking at from a rating point of view. I think what we're more concerned about is that, as we see an increasing frequency and severity of cyberattacks and insurers' appetite growing for that risk, as we have seen,
we're interested in how those risks are accumulating for those companies. So with rated insurers writing cyber insurance, we're asking them for information about the policies that they have, the limits that are involved, how they're providing cover, whether it's on a standalone basis or bundled with other covers, what industries they're covering as well, and then details about their average claims costs, their defense costs, the legal settlements, and also the cost of those crisis services that they are providing as well, and the benefits, to your point there, that those crisis services can provide. So what we're really doing is holding discussions with rated entities to understand their underwriting and their risk selection processes and how they are measuring their risk aggregations, as well as the data standards they have in place. And for the rating, it's only really if that is material that this information is taken into account in an individual company's review. Determining whether the information that we're gathering as part of those discussions would have an impact on the company's rating really depends on the materiality of the types of coverage and the aggregation relative to the capital position of the company. So at the moment, when we're looking at a company's balance sheet strength, we use our capital model, and as part of that we stress it for a PML. Now, in our rated universe, the current exposure to cat events that could be caused by a cyber attack is actually low relative to the potential losses that could occur from a natural catastrophe. So for most companies, what we would be doing is stressing for a 1-in-100 wind, a 1-in-100 earthquake, a 1-in-50 earthquake.

But I would qualify that, because I would say that as we have seen the number of companies writing cyber insurance grow, and these types of products and coverage evolve, we are seeing materially exposed companies, and for these companies we would be using perhaps their modeled output, or other scenarios that they've run that look at an extreme cyber loss event, to test the ability of their capital to withstand such an event. And that would be in addition to any natural catastrophe stresses that we're running.

It's really interesting comparing it to, I guess, older risks in terms of insurance, like natural catastrophe. Is that view on the big cyber catastrophe seen as a growing risk or not in the last few years?

No, I mean, absolutely. It comes back to that: it does depend on whether this is a material exposure for a particular rated entity. But we have seen more insurers writing cyber insurance, and seen their understanding of how these losses could potentially aggregate grow as well. So it has become an important part of how we would view their risk management, but also how we view their potential balance sheet strength and the risk to that balance sheet strength from a systemic cyber loss.

So, Alana, you spoke a little bit about small businesses that might be hit by a cyber attack. What is the role of cyber insurance? Is it to mitigate and protect against risk, or is it to pay out if someone is attacked?

I would say it's more a combination of both. I would say it's a little bit different to your standard classes of insurance.
You know, it's more of a service. Speaking to a lot of SMEs face to face, that seems to be one of the things that they hadn't realized until you actually speak to them about it in a bit more depth: that we're actually there not only to provide some support upfront with some of the additional services that the different insurers offer, but when an attack happens we hold their hands through the whole process, make sure they meet all the legal obligations, and ultimately get them back up and running as soon as possible and put them in the position they were in before, or sometimes even in a better position. And then if there are any other issues that come out of that, the third party element, then we would look to pay out in the event of that. So I think it's a very, very different type of insurance, and like I said, it's much more of a service which really holds their hands through the entire process. So yeah, it's a combination of all of those.

I think I would just add that what we've really seen, talking to companies writing this business over the past year, is that as loss experience has deteriorated, there really has been an increased focus by insurers on risk selection, and with that a corresponding increase in focus on clients' risk management and mitigation, with insurers more frequently looking to see what they can do to support that, with perhaps a greater recognition that they can't just pay damages post event and then significantly increase rates to offset those escalating costs. They do have to demonstrate the value of what is ultimately a discretionary purchase for a business, and providing some loss mitigation services is a mutually beneficial way of adding value.

I'll put that to both of you in the studio as well. It is quite a simple question: is insurance to pay out, or is it there to be a hand holder?

I would certainly agree with the other panelists; it's certainly a combination of the two. I think it's important for CISOs, so the security organizations whose responsibility it is to look after their businesses, however big or small that business might be, to really embed the business of risk transfer into a security strategy. I still don't see that happening more than sort of 30% of the time. So I talk to a lot of security teams who are working in businesses, and very often insurance may be present, it may be packaged with other cover, for example, and very often it's seen as something else, something separate from the core security strategy of the business. That's fundamentally wrong. We should be thinking about mitigation and transfer as part of a cohesive strategy for securing the business, and I think insurers and brokers, as well as security professionals elsewhere, really need to be promoting that way of thinking.

Yeah, I'd agree with the other comments made on the panel that cyber insurance really does act more as a service rather than what the words on the page are saying in a reactive policy. It's interesting, Kathryn made comments about there being new entrants into the market, and I think that has been the case. It's been a relatively soft market for the last 20 years of its existence as a product line. In the last 6 to 12 months, I think we've seen more people than ever actually restrict the cyber capacity that they're putting up, exiting the market full stop, or putting certain exclusions on policies, and that gets around the comfort level of continuing to write cyber as a line of business.
So going back to the question, I think as any cyber insurer today, if you're not making your product a proactive, service driven one up front, and having the policy work for clients from the very first day that they bind it, which as a product line like cyber we're fortunate enough to be able to do, and provide continuous monitoring of those clients for vulnerabilities, I don't know how people can actually provide coverage as broad as it is, even at the price point that it is now, where rates are certainly firming and rising quite quickly. I don't know how you can provide a product that doesn't offer the proactive upfront, because ultimately that's going to help with the frequency of claims. It's certainly going to help mitigate the severity if we can get ahead of it; the quicker that you do, of course, that's a better outcome from a severity perspective, financially. So I think, in short, cyber insurance has to be a proactive service. But really it depends on the company that you're talking to and the size. Certainly for larger clients, they are just looking for that response and financial reimbursement; they've got their own teams in house. For SMEs, it is the full replacement for not having an IT department: it is having the security experts that come with cyber insurance.

I think it's going to be quite interesting to see how that service element evolves over time as well. So we're already seeing evidence of insurers wanting to surround their insurance product with professionals, with people, with service, as some of the other panelists have mentioned. I think we can expect to see interesting partnerships develop there as well, not just with incident response firms, lawyers, et cetera, but also with technology vendors. So there are certain security controls that we all know should be implemented as a basic set of controls, and very often those can be implemented via technology.

So we are starting to move into a space now where the insurance community wants to recommend certain measures be taken, whether they be about people, process or technology. It makes sense to me that more technology partnerships should evolve from there. And so perhaps we get to a point where insurers start to recommend certain technology domains, or maybe even partner with vendors in that space.

And you do have access to a lot of the data on that front. Is there any mitigation or any kind of strategy you've seen that makes a company less likely to be attacked, or to do better in that situation? Is there anything standing out there?

They're very clear, they're very clear, and these are the things that are not unique to the insurance industry. You know, very often as a security analyst I'm asked, what are the first or the only things I should do in order to lower my risk posture with regard to security? And actually we all know what they are. You know, it's multi factor authentication and making sure that our password hygiene is second to none. It's good endpoint protection. It's customer and employee education. It's also employee empowerment, making that education engaging and exciting for those employees. It's closing network ports. So this is people, process and technology, and there are very, very clear standards and guidelines that help us to understand the priority in which we should attack those mitigation efforts. So I think those mitigations are very clear. The insurance world's role in all of that is, I think, something that's still kind of moving around a little bit, and so again at CyberCube we make recommendations via our products as to the mitigations that should be in place. But the follow up to that can be challenging.
So how big do you want your questionnaire to be when you're asking your customer about all of these various measures that they should be using to mitigate risk, for example? That is a big challenge in insurance right now. So it's a moving space. I think it's going to be very interesting to see how that services component that we've been discussing here is going to evolve over time.

So I would say I feel the risk mitigation part of the policy is huge. As mentioned, I see a lot of clients face to face at the beginning of their cyber journey, so they're just investigating what they can get and exploring the covers, and at that stage they might not have all those basics in place that have been mentioned. So it's important to have the service providers there, ready, so that you could actually pass them over to somebody that they could speak to about implementing them, to then allow them to purchase a policy, so they do have the security posture that insurers are looking for.

And I guess it's kind of on that point: what cyber issues are you seeing uniquely facing SMEs?

For me it's 100% the supply chain issue. You know, the classic SME outsources their IT, outsources various functions in their business. It makes sense for them, it makes financial sense for them to do it; they don't need the headcount, wages, etc. But it does come with its own risks. I think in one year I saw over 200 clients, it was a busy year, and only about 5% of those clients had ever thought about the outsourced service provider risk to their business. And, you know, what kind of due diligence have you done on your outsourcers? We saw, years and years ago now, the SSP outage that affected a lot of the insurance broker community, who said they'd never tested their business continuity or disaster recovery plan. You know, they don't have to be IT specialists.

They just need to ask some basic questions that you would ask if you were looking to set up a contract with any other outsourcer or any third party, really. You know, do you have a disaster recovery plan? When was it last tested? If your systems go down, what are your failover procedures? These are the kind of things that you'd be looking for them to ask, like in a short questionnaire. We've seen it with the Kaseya attack: looking to go after the outsourced service providers to attack their clients. Going back to what we've already said, size doesn't really matter. If you are an SME and you use an outsourced service provider that's been compromised, you need to be able to have a secondary option to make sure that your business can get back up and running again.

And I think it's important to understand that technology can help us to understand the problem that's being articulated. Again, if you think about that problem as single points of failure: where are the services that these SMEs are reliant on, and where are the potential aggregation points where, should that service be disabled, many, many SMEs are affected? We can do analysis of that. We have the data available to us to really start to map, if you like, that ecosystem of single points of failure, to help insurers to understand the questions that should be asked with regard to those supply chains.

And Kathryn, is that a risk when you're looking at insurers, that working with so many clients there is a risk that their clients could be hit by the same attack, or that kind of lack of diversification issue?

No, yes. I mean, it absolutely is.
And that is, when we're looking at a company, one of the key parts of our analysis is the company's risk management, and when it comes to managing their cyber exposure, that is clearly an important factor, and having appropriate personnel that understand the risk landscape and are recommending mitigation procedures to their clients is an important part of that. When we're having those risk management discussions with the company, what we think is really important is, for an insurer that is exposed to cyber risk through the business it's writing, that it has a well defined risk identification process so that it can quantify its exposure to cyber risk. We expect them to have a risk appetite statement that clearly articulates the amount that they're willing to lose because of a cyber event and the rationale for that, and one that incorporates risk controls to ensure that losses from a stress event don't exceed that risk appetite. I think we also then expect that to be supplemented by stress tests using other internal models that they've built themselves, or working with external model providers and service providers that have been validated. All that is really because what we're concerned about is that an insurer whose risk management approach is deficient in any of these aspects can really find itself subject, as you say, to an accumulation of losses that are beyond its risk tolerance, which could impact its capital and therefore its credit rating.

And I guess, Lindsey, you look at it from the other end of the market, working closely with brokers. What are some of the common claims that you see from your clients?

Yeah, in the UK context it would be strange not to mention social engineering fraud and cybercrime, something that's still addressed under cyber policies but gets much less attention these days in comparison to ransomware. The severity of them tends not to be too large, but the frequency is absolutely there, and for UK SMEs in particular it tends to be the reason that they actually want to explore the idea of cyber insurance in the first place. And it is, again, similar to ransomware in a way: it's not specific to any industry in terms of who has an exposure and who doesn't. So even the companies that don't necessarily hold vast amounts of third party data, if any at all, will always be dealing with cash going in and out of the business, and that's where that electronic theft of funds exposure comes into play. So we do see, in comparison to our global portfolio, that the UK is actually disproportionately affected by social engineering fraud. It accounts for the largest amount of claims by frequency for CFC; severity is 100% ransomware, which we'll come back to, I'm sure. But because of the ability to make real time payments in the UK, whereas typically elsewhere in the world there's a hold time if you want to make a transfer from one bank to the other, a lot of the time businesses are falling victim to those, and even with quantums of £25,000 to £50,000 per victim, that's still quite significant for a small business at the end of the day, particularly on the micro side. I would just go back to one of the comments that were made on the panel as well, in terms of SMEs being particular targets. They do tend to get the double edged sword of not just being caught in the crosshairs of larger systemic events, such as Kaseya a couple of weeks ago and then SolarWinds a few months back, but they're also seen as a means to an end to the ultimate end target, which is a large big box company.
So particularly if you're a contractor working with big-name companies, you might have access to their networks, and again you're the path of least resistance to a larger company who has that dedicated team around them to avoid those attacks. So I think SMEs really do get the worst of both worlds in terms of falling victim to attacks they're not necessarily the target of.

And I guess from a policy point of view, is there any specific SME cyber policy?

Yeah, there are. Typically the coverage that small businesses are looking for is something that will give them easy access to a security team. So a lot of cyber policies these days geared towards small businesses will offer a nil excess on that, to encourage reporting of suspected or actual events under the policy. We don't want any SME clients fearful of the impact it will have on their policy and then trying to handle the incident themselves, and then it comes back to us all too late. You know, at CFC we've done unlimited reinstatements on our policy for small businesses, only because of the cybercrime factor, and we do tend to see businesses get hit multiple times throughout the term. So that tends to be a selling point for those small clients, but otherwise it is fairly similar to what you'd expect. And I think the reality is clients, especially small businesses, don't necessarily understand the intricacies of what's in a cyber policy today. So we want to make sure that the policy is responding in any case and we're giving them the coverage that they would expect to have addressed and what they are actually demanding to have under their programme.

And I'm interested, Alana, on the underwriting side, because we talked about all these different mitigations and different ways of handling cyber risk. In the market right now it is a little bit harder to get capacity than it has been in the past. What can brokers do to ensure that they do get that capacity?

Yeah.
So, give us a good presentation, I'd probably say. Give us as much information as possible with regards to their cybersecurity posture. If there's information missing, set up a face-to-face meeting with the client and the underwriter. That's something that I think not only adds value to the clients, so they know who they're dealing with and they have confidence in the insurer that they're looking to trade with, but as well you can find out a lot more information when you've got the right people around the table. I think one of the things that maybe throws clients, and also brokers, is the fact that it's not really a form that one person completes. You tend to need to have your CISO for the security side, but then you need to have your FD for the financial side, and maybe corporate governance. So it's good to get all those people around the table and actually have a go and flesh out the security, find out a bit more about the culture within the organisation, and also make recommendations to the client of things that they could maybe think about or look to do.

And I guess on that kind of pricing point, Darren, with cyber it's a new risk, unlike the hurricane risk or natural catastrophe risk that we've seen. How effective is the data in pricing cyber risk?

It's kind of all we have, really, other than the questionnaire, which in itself is a form of data. I mean, one of the benefits we have here is that we are fundamentally talking about connected systems, we are talking about internet ecosystems, we are talking about documented process, hopefully, in most cases. And so this is all data that can be converted to analytics; we can model from that, we can run simulations from that, we can rate from it, and so we do have that advantage. Of course.
You know, one of the fundamental disadvantages is that, unlike natural catastrophes, number one, we don't really have precedents of what I would categorise as a sort of category one event. WannaCry and NotPetya are about as close as we've come, and in those cases we still haven't seen the sort of global losses of a big hurricane or an earthquake, and so we don't have that precedent. So we are making assumptions, hopefully well-documented and fairly intelligent assumptions, but nevertheless assumptions. Secondly, I do concern myself about the rolling thunder aspect of a cyber attack. So in a natural catastrophe we have good models, we have precedents, we kind of know how these things play out. Very often in large-scale attacks with big footprints, what we see on days one, two and three is not what we experience three weeks later. And so we have this kind of rolling thunder aspect. If I think about cloud, for example, one of the simulations that we model in terms of an aggregation event would be the outage of a large cloud service provider. Well, the losses, the accumulations that we would expect to see from that would roll out over a period of weeks and possibly even months, and it might even be years before we fully understand the loss. So that's a big challenge in cyber and something we're working really hard on.

And I guess, Lindsey, on that, when we're talking about pricing, do you feel like the industry has got a better grip in terms of price? We've seen rates go up, for example. Do you feel that's correct pricing? Is that going to be here to stay? What's your view on that?
Yeah, certainly the industry is unanimous in getting back to a position of profitability and getting the price right, because in the last few years it hasn't been right as a result of soft market conditions, new competitors, and brokers, of course, advocating for the best coverage at the lowest price for clients. So of course that's had an impact on that. And now we're in that position where the losses are happening, although I would say with frequency not as much as severity; with frequency we actually saw a dip in the last quarter, which is down to a few factors we can touch on. But in terms of what the next few months look like, I don't see pricing changing. I don't see the price increases or the hard market softening any time in at least the next year, if I'm completely honest. I think it's taken a while to get back to the position we are in now. I think a lot of those conversations in the UK market specifically have only happened in the last three months, whereas we've heard the noise of it from the US in the last year. So there are several things that cyber insurers can do to mitigate both the frequency and severity on that point, and this will help ultimately with how long price increases are around for. Certainly on the frequency side, going back to our earlier comments on the proactive services, obviously the more that we can get ahead of claims and prevent them before a client even knows to file a claim, that helps with the frequency, and a lot of insurers are taking that in hand to provide to their clients from day one, because it's in our mutual best interest to do so. And then on the severity side, we can control and mitigate the severity of claims by providing expert assistance, providing the right people at the right time, and a lot of cyber insurers now are looking to bring those capabilities in house to have complete project management over that.
You know, instead of the outsourcing functionality of the claims department, this allows cyber insurers to now control that and be there from beginning to end for a client, and hopefully that results in a better outcome for both the client and the insurer, to help with rate stability.

And Catherine, obviously you have this bird's-eye view of the industry. Are you seeing this as well? I guess even five years ago cyber might have been considered an emerging risk. Have you seen that the industry has now maybe got a better handle on cyber?

Yes, I think it has. I mean, it has historically been a very profitable line of business for insurers, and what we've also seen, as a result of the margin that had been built into reserves, reflecting, as you say, the increased uncertainty associated with a new and evolving line of business, is that perhaps these worsening results have been delayed, because we've seen them enjoy some pretty substantial reserve releases from this line of business. But certainly, as we've seen the risk environment deteriorate and perhaps become increasingly complex, that has without doubt presented a threat to the sustainability of that profitability. And we've seen insurers increasing loss picks, materially increasing rates, in the past two years rates increasing by as much as over 50% we hear reported, but also that tightening in terms of cover and, as I mentioned earlier, we've also seen a much greater focus placed on risk selection and risk mitigation. And actually one other thing that we have seen as well, particularly in the US, is defense and cost containment expenses rising above normal inflation.
And those, because sometimes this line of business, particularly when it's not written as a specific product, the ambiguous coverage language and perhaps regulatory interventions mean that those costs can be quite significant. But we have seen risk management and understanding of the risk improving at the insurers that write this line of business, and there are certain best practices that we would certainly view favourably when we're looking at an insurer that has cyber exposure in the rating assessment. So, as we've said, with that interconnectedness of cyber risk, we would see as important the development of single-risk limits with regard to policyholders' shared service providers where there's a common vector of attack or other correlating factors. We certainly view that as a conservative approach that could prevent huge losses as a result of a single event. I think one thing we do see as extremely important, both on the natural catastrophe side and also on the cyber side, is the company's data quality. That is an extremely important component when we're assessing companies' risk management capabilities and, acknowledging that perhaps that process of data collection and aggregation related to cyber risk is still evolving, it has evolved significantly in recent years. And then finally, and I mentioned it in terms of the reserve releases that we've seen, given that lack of consequence-oriented data and actuarial information for this risk, I think the establishment of contingency reserves for cyber losses is something we would view as demonstrating a prudent risk management approach, and a conservative approach to what is still an evolving and emerging risk.

Thank you.
Just coming to the end of the panel now, I'm going to turn to each of you, and if you could just choose one trend that UK brokers need to look out for in the next year in regards to cyber. I know it's hard, there's a lot out there. So coming to you first, Darren, one trend UK brokers should look out for.

Well, I'm sorry to be repetitive, but it's ransomware. You don't expect ransomware to stop evolving. We're tracking right now a lot of innovation and investment going in on the criminal side to the next wave of ransomware attacks, and just within that, some of the trends we would expect to see would be around data integrity. So rather than encrypting data, what if we change data? Imagine a business that's incredibly reliant on accuracy of data being taken hostage on account of the fact that data has now been changed; the business still operates, but there are huge consequences in health care, for example, should data be changed. That would be one trend. The application of artificial intelligence to ransomware we would expect to evolve over the next year as well. So there are a few. And then also the importance of those single points of failure, so the ability to start to understand these ecosystems, these digital supply chains that our clients are reliant on. It's really important to build an understanding of that.

Lindsey?

I'd say external security assessments and scanning of clients. So I think what is coming quite quickly is a lot of cyber insurers actually scanning clients for existing vulnerabilities, not just for existing policyholders, to inform them of those vulnerabilities to get ahead of claims, but also to inform underwriters as to whether to accept or decline a risk.
And that's something that we've seen quite a bit of overseas, and it shows a lot of merit where it's been able to detect open RDP ports or credentials being sold over the dark web; we're allowed to close those digital windows and doors potentially before getting on risk.

Moving on to Catherine.

I'm trying to think of something that we haven't really talked about yet. But one thing that we haven't touched on is the availability of reinsurance. The uncertainty associated with potential aggregate events and that lack of a robust claims track record with this line of business does mean that historically we've seen cyber insurers protect themselves with significant reinsurance, so quota shares, stop-loss covers as well as clash covers in place. But what we have seen in recent years is capacity in the reinsurance sector tightening. We've seen more reinsurers taking a more cautious approach to this risk, including loss ratio caps and event caps within the protections they offer. And then of course at 1/1 we saw cyber exclusions widespread in treaty renewals. So I think it will be interesting to just watch how that market responds, given its importance to the cyber insurance market.

And Alana?

For me, it's keeping an eye out for those potential class actions. Aviva have been notified of a couple of claims of potential class actions coming through against SMEs. So that's definitely an area to watch, and it will be interesting to see what the findings are going to be from the Google versus Lloyd case, to see how that progresses.

Unfortunately, that's all we have time for. Thank you so much for watching.


There's been a lot of talk on Ransomware, but what does this mean for UK brokers? On the panel discussing are:

  • Catherine Thomas, Senior Director, Analytics, AM Best
  • Alana Muir, Senior Cyber Underwriter, Aviva
  • Lindsey Nelson, Cyber Development Leader, CFC Underwriting
  • Darren Thomson, Head of Cyber Security Strategy, CyberCube

Learning outcomes:

  1. Understand what ransomware is, and what threat it presents to the UK insurance industry
  2. Be aware of some of the tools and strategies that the UK insurance market is utilising to mitigate and protect itself against cyber risk
  3. Be able to explain the unique challenges that UK SMEs face in relation to cyber risk

