By Francis Beaudoin, National Lead, Technology Risk Consulting, KPMG in Canada, & Evan Garner, Senior Vice President, Willis Towers Watson
The conversation around cyber security is maturing. Organizations are becoming wiser to the risks of collecting, storing, and managing large volumes of data and, in doing so, are paying greater attention to the role cyber liability insurance can play in cushioning the blow of a digital incursion.
Cyber insurance is not a new topic. The notion of transferring cyber risk to the insurance market dates back to 1999, when the potential fallout of Y2K spurred debate over where (if anywhere) cyber liabilities lived within a traditional policy. Since then it has gradually come to dominate boardroom agendas as more and more large-scale data breaches and cyber attacks make the headlines.
Understanding how these conversations have changed, and how organizations must adapt alongside them, is therefore key to gaining an upper hand in the digital age.
The cyber insurance market in Canada is still relatively young. It is populated primarily by large-scale institutional entities (e.g. utilities, universities, healthcare providers, transportation agencies) that deal with significant volumes of sensitive data. As awareness around cyber vulnerabilities builds, however, these traditional clients are beginning to look beyond data leaks and hacks to address the additional risks of business interruptions, equipment failures, and systems exploitation.
The profile of the 'traditional cyber insurance buyer' is also expanding. Organizations across all industries are becoming more sophisticated in identifying the risks ahead and taking greater stock of their ability to prevent, mitigate, and recover from a cyber incursion.
That said, it is important to remember that you cannot transfer a risk you do not understand or control. Without clarity around an organization's cyber controls and vulnerabilities, neither the organization nor its insurers can determine the level of coverage required or the residual exposure that will remain once a policy is in place. That is why more proactive organizations are inviting cyber risk and insurance professionals to the strategic table: to gain a clear picture of their current vulnerabilities and strengths before deciding how best to transfer cyber risk into the insurance market.
Determining what cyber risk to transfer into the insurance market begins with understanding an organization's cyber exposures and its tolerance for loss. This can be a challenging discussion for many organizations, as it requires a holistic understanding of the risks specific to the organization, its industry, and its location, as well as in-depth knowledge of its internal controls.
Other factors that come into play are the types of risks to be covered (e.g. business interruption, data theft) and whether or not an organization is vulnerable as a result of using cloud-based services or working with less secure third-party vendors.
It can be a lot to tackle, but that's where external cyber risk and insurance industry professionals can help leaders assess their current state and define an effective enterprise risk management framework. Moreover, cyber insurers often provide access to third-party cyber risk consultants that help inform the decision process and enhance an organization's risk management capabilities – bringing even more perspectives and skills to the conversation.
Accounting for human error: Nearly 75 percent of cyber insurance claims coming out of Canada are the result of human error. These range from clicking the wrong link at work or losing a USB drive to accidentally granting access to outside parties or simply leaving a company laptop on the train.
Once an organization has an informed view of their cyber security posture, the work of finding an appropriate cyber insurance product begins. It's an important decision, to be sure; and the solution will be dictated by an organization's specific needs and capabilities. One organization, for example, may find it is not cost-effective to insure the entirety of the risk, and instead decide to transfer a portion of that exposure into the market because it makes more economic sense. Meanwhile, another may find that it makes sense to let the market carry the full weight of that exposure.
In short: there is no catch-all policy for everyone. There are industry standards, but in the pursuit of a cyber insurance policy that fits, every risk needs to be evaluated on an individual basis so insurers can structure a policy that responds precisely to that organization's exposures. For instance, companies that collect large volumes of consumer data on a daily basis will require a cyber insurance policy vastly different from that of organizations that own or manage critical infrastructure. Here again, there is a benefit to partnering with cyber security and insurance professionals who can weigh the costs and benefits, identify a logical starting point for transferring risk to the insurance market, and determine where it makes more sense to retain that risk.
Changes are still in store for the cyber insurance industry. As companies move towards automation, digital labour, and machine learning, we can expect insurance policies to evolve accordingly. And as more carriers enter the market, we can expect providers and underwriters to refine their practices and pricing in a bid to remain competitive.
Shifting regulations will also play a role in shaping the industry. Cyber breach reporting rules in the US are expected to take root in Canada and regulations around the handling of sensitive data will no doubt evolve as issues around privacy and consumer protection continue to grow.
Beyond these factors, one can only wait and see how cyber insurance will evolve over the next five to ten years. Just as terrorism policies were shaped by the unpredictable events of 9/11, so too will future cyber policies be influenced by innovations such as blockchain and cryptocurrency, emerging threat agents like neurohackers, and technologies like photonics and advanced automation that we have yet to even consider.
One thing seems certain: as the industry continues to mature, we will likely see more favourable terms and broader coverage. Wherever cyber insurance grows from here, it will be an interesting journey to watch.