Cyber insurance – A strategic view

Cyber insurance is still relatively new: historical data are scarce, the risk has increased, and it is neither stable nor predictable. Against this backdrop, Vincent Van de Winckel spoke with two experts in the field from everis Portugal: Nuno Castro, Head of Insurance Practice, and Mauro Almeida, who is responsible for information security and cyber-security. The conversation covers topics such as the types of cyber insurance, the role of prevention in risk management, assistance in case of incident, the role of distribution networks, and recommendations to insurers entering and operating in this line of business.

Vincent Van de Winckel (VVdW): What types of products exist in Portugal? Are they adapted to the current context and risk? If not, what are the best practices for adapting policies?

Nuno Castro (NC, pictured below): Cyber insurance in Portugal is now available for subscription. There are various examples, such as Cyber Safety from Fidelidade, Cyber Risks from Tranquilidade or Cyberclear from Hiscox; the latter also includes a calculator for estimating exposure [2]. There are therefore already examples of standalone products.

The product approach focused on cyber, as an alternative to an extension of another insurance product, also allows insurers to offer additional coverage and services. For example, Tranquilidade's Cyber Insurance includes prevention software, provided by a third party, in which IP connections and web pages are analyzed and an anti-ransomware application is installed.

In addition, each insurer adjusts its clauses to try to specify the inclusions and exclusions of its product. This kind of analysis and concern has intensified with the increase in silent cyber events. In other words, non-affirmative or silent risks refer to exposure to cyber events that may trigger other types of insurance (e.g. civil liability). These situations create friction with customers because they give rise to interpretation rather than certainty.

Looking at subscription and defining the scope of the product, the underwriter may take four approaches [3]:

  • Affirmative – include cyber exposure;
  • Affirmative with sub-limits for coverage – include cyber exposure but include clear limits for coverage;
  • Exclude all exposure – no claim related to cyber is accepted;
  • Exclude exposure but admit some exceptional components.

These approaches make it necessary for insurers to revisit their traditional insurance contracts and adapt them to ensure that exposure is not higher than expected. As an example, in the UK, Lloyd's issued a statement [4] setting out a plan for the various types of products to be adapted, so that it is clear to customers whether cyber exposure is covered by their traditional insurance or not.

VVdW: What is the role of prevention in managing this risk? What does "cyber hygiene" consist of? What services can insurers offer their clients in this regard?

Mauro Almeida (MA, pictured below): Today, more than ever, organizations are exposed to a high risk of cybercrime. The attack surface of organizations has increased exponentially. Companies that are not prepared to take preventive action against these threats are much more likely to experience financial losses or operational or reputational damage. Information security and cybersecurity cannot, therefore, be seen as a cost to organizations, but rather as a preventive investment focused on reducing the risks that threaten the organization and its assets.

The concept of cyber hygiene can be described as the minimum, or essential, set of actions, at the level of people, processes or technologies, which organizations must implement in order to reduce their level of risk and their exposure to cyber-attacks. I am referring, for example, to training and awareness-raising actions for employees on the topics of information security, so that they are not the main vehicle for introducing threats into the organization, or to the existence of regular backup mechanisms or access management processes implemented in the organization. It is important to mention that the foundations of cyber hygiene must come from top management. Only in this way will it be possible to guarantee that it is correctly adopted across the organization.

On the preventive side, insurers can, and should, play a leading role with their customers. Cybersecurity should be perceived by customers as an extended, value-added service that is not limited to the transfer of risk from the insured to the insurer. To this end, insurers must work with technology partners to create this preventive offer, covering cybersecurity, risk assessment, continuous monitoring of potential vulnerabilities and support in implementing information security and cybersecurity measures. This value offer translates into an increase in the insured's cyber resilience, which is reflected in a reduction of the insurer's risk and which can in turn be translated, for example, into an incentive or a reduction in the annual insurance premium.

VVdW: How can they help their customers to manage the negative impact that an attack can cause? What assistance and services might they have ready?

MA: From the perspective of the extended services to be provided by insurance companies, a 24×7 incident detection service may be made available to customers, associated with a CSIRT (Computer Security Incident Response Team). The incident detection service would handle all alerts originating from a customer's SIEM (Security Information and Event Management system, installed on-premises or available in a SaaS model), while the CSIRT team would ensure the management, support and resolution of cybersecurity incidents, ensuring their correct containment, analysis and eradication. These types of services are extremely specialized and differentiated, and lie outside the sphere of an insurer's core business. From a cost/benefit perspective, I see this service being made available to clients remotely through a technology partner.

VVdW: Are the distribution networks sufficiently trained and informed about cyber risk?

NC: Cyber risk, being a new type of risk, needs an end-to-end analysis of the activities in the insurer’s value chain. This new risk requires the creation of a new product and, as such, all activities in the value chain are impacted.

From actuarial design to claims management, it is necessary to reflect on how customers will now be supported so that they can continue to perceive the insurance company as the organization that will help them in the event of an unwanted event.

In traditional insurance, distribution networks play an extremely important role, not only in terms of policy sale and renewal, but also in customer support. As such, in the case of cyber risk, which is a relatively recent line of insurance, it will be necessary to train the distribution network for the various activities in which it will be involved.

In the current context, it is still unclear whether the role of the distribution network will also include the management and monitoring of claims, since these are highly complex contexts, completely different from the "analog" world. Where previously the intermediary could easily be seen helping the client fill in an amicable accident statement, here it is harder to picture an intermediary in contact with an IT department to report a breach at a client and provide the necessary data. On the other hand, we can imagine the intermediary as an influential actor in trying to improve the security posture of his policyholders.

Additionally, we can also consider the entry of new players who are not the traditional agents and intermediaries for this type of product. In other words, partners who have the additional skills needed to manage digital risks, or who can orchestrate the response to meet the expectations of this type of insurance.

VVdW: What other measures should insurers take to ensure the attractiveness and profitability of cyber insurance?

NC: In a risk analysis of the product portfolio, it is always important to understand the level of risk I accept, how I can measure it in order to accept the subscription, and how I can monitor it to understand whether the context has changed. In the case of cyber insurance, these activities continue to exist. However, the necessary skills are different.

In the case of risk definition, with cyber being a recent product, the insurer will have to be able to define criteria in order to understand and predict what types of risk it is exposed to. However, whereas in the motor business there is a centralized database of claims (Segurnet in Portugal), in the case of cyber this does not yet exist, although several actors (e.g. EIOPA) have already indicated the need for such a tool. This gap hinders the transfer of knowledge, and the contractual construction needed to define and contain the limits of coverage is still very dynamic among the various players.

Regarding the correct segmentation of the market and the criteria that help in underwriting, there are currently two approaches: one via questionnaires and the other through digital tools for risk assessment. In the first case, a traditional approach is followed: the most relevant criteria are identified in the form of questions to customers, who fill out the questionnaire for risk assessment. In the second case, there have been several innovations in identifying risky postures through scanning tools (e.g. BitSight) that look at what the organization exposes publicly. This assessment makes it possible to identify the average maturity of the services that the potential insured provides to its own customers.

Once we have accepted the risk and the contract exists, insurers are also currently training themselves on the same scanning tools, or on regular auditing processes, to validate whether the exposure to risk remains the same or changes. For example, if there is a failure at an IT service provider such as AWS, all customers who use that service are impacted at the same time and, as such, the portfolio can carry a very high risk. It is extremely important for insurers to understand the dynamics and fluctuations in exposure, so that they can identify the policyholders whose risk has fallen as well as those whose risk will rise, and adjust pricing accordingly.

In terms of risk limitation, we have also witnessed the need for a legal framework that permits a clear construction of contractual clauses across the various operators, as well as covers with predefined values and knowledge of the various events to be included in or excluded from policies. For example, in the UK, insurers were obliged to exclude any loss related to cyber events from other insurance coverage (e.g. a fire resulting from a short circuit caused by a hack).

In short, insurers must obtain and improve their digital risk selection and monitoring skills, as well as address the cyber theme in a holistic way and restrict some covers that may expose them to very adverse situations.
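The scan-based underwriting and portfolio monitoring described in the answer above, reduced to a runnable toy model. This is an added example, not code from the interview, from everis or from any named scanning tool: the finding weights, the decision thresholds, the concentration limit and the four policyholders are all constructed assumptions. It shows the three steps the answer separates: scoring what an external scan finds, mapping the score onto the affirmative / sub-limit / exclude options listed earlier, measuring how much of the portfolio depends on a single provider such as AWS, and rescoring after a later scan to see whose risk rose or fell.

```python
"""Toy cyber-underwriting model: external-scan scoring, underwriting
decision, provider concentration and rescan deltas.
Added example, not code from the interview or from everis; all weights,
thresholds and portfolio data below are constructed assumptions."""
from collections import defaultdict

# Assumed weights per external-scan finding. A real insurer would calibrate
# these from claims history, which the interview notes does not yet exist.
WEIGHTS = {
    "rdp_exposed": 30,     # remote desktop reachable from the internet
    "open_smb": 35,        # SMB file sharing reachable from the internet
    "no_mfa_on_mail": 25,  # webmail login without multi-factor authentication
    "outdated_cms": 20,    # public website on an end-of-life CMS version
    "tls_expired": 10,     # expired certificate, a hygiene signal
}
UNKNOWN_WEIGHT = 15        # a new scanner check must never score as zero


def exposure_score(findings):
    """Weighted sum of findings, capped at 100."""
    return min(sum(WEIGHTS.get(f, UNKNOWN_WEIGHT) for f in findings), 100)


def underwriting_decision(score, sublimit_at=40, decline_at=75):
    """Map a score onto the options the interview lists: affirmative cover,
    affirmative with sub-limits, or exclusion (thresholds are assumed)."""
    if score >= decline_at:
        return "exclude"
    if score >= sublimit_at:
        return "affirmative_with_sublimit"
    return "affirmative"


def provider_concentration(portfolio):
    """Share of total sum insured that depends on each IT provider; an outage
    at that provider hits every one of these policies at the same time."""
    total = sum(p["sum_insured"] for p in portfolio.values())
    by_provider = defaultdict(int)
    for p in portfolio.values():
        for provider in p["providers"]:
            by_provider[provider] += p["sum_insured"]
    return {k: round(v / total, 3) for k, v in by_provider.items()}


def concentration_breaches(concentration, limit=0.5):
    """Providers on which more than `limit` of the portfolio depends."""
    return sorted(k for k, share in concentration.items() if share > limit)


def rescan_delta(previous, current):
    """Change in exposure score per policyholder between two scans, so that
    pricing can be adjusted for those whose risk rose or fell."""
    delta = {}
    for name, policy in current.items():
        before = exposure_score(previous.get(name, {}).get("findings", []))
        after = exposure_score(policy["findings"])
        if after != before:
            delta[name] = after - before
    return delta


# Constructed portfolio at underwriting time (sum insured in currency units).
PORTFOLIO_T0 = {
    "acme-retail": {"sum_insured": 2_000_000, "providers": ["aws"],
                    "findings": ["tls_expired"]},
    "beta-clinic": {"sum_insured": 1_000_000, "providers": ["aws", "m365"],
                    "findings": ["rdp_exposed", "no_mfa_on_mail"]},
    "gamma-law":   {"sum_insured":   500_000, "providers": ["m365"],
                    "findings": ["outdated_cms"]},
    "delta-mfg":   {"sum_insured": 1_500_000, "providers": ["aws"],
                    "findings": ["open_smb", "rdp_exposed", "outdated_cms"]},
}

# Constructed rescan: delta-mfg closed SMB and RDP, acme-retail exposed RDP.
PORTFOLIO_T1 = {
    **PORTFOLIO_T0,
    "acme-retail": {**PORTFOLIO_T0["acme-retail"],
                    "findings": ["tls_expired", "rdp_exposed"]},
    "delta-mfg":   {**PORTFOLIO_T0["delta-mfg"], "findings": ["outdated_cms"]},
}


if __name__ == "__main__":
    for name, policy in PORTFOLIO_T0.items():
        score = exposure_score(policy["findings"])
        print(f"{name:12s} score={score:3d} -> {underwriting_decision(score)}")
    conc = provider_concentration(PORTFOLIO_T0)
    print("concentration:", conc, "breaches:", concentration_breaches(conc))
    print("rescan delta:", rescan_delta(PORTFOLIO_T0, PORTFOLIO_T1))
```

Two design points matter more than the numbers. An unknown finding type gets a non-zero default weight, so adding a new check to the scanner cannot silently make a policyholder look safer. And concentration is measured in sum insured rather than in policy count, because that is what an outage at a shared provider would cost the insurer, which is the aggregation problem the answer raises with the AWS example.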

VVdW: Some organizations, such as Intel, argue that to contain and protect against cyber threats, global collaboration is needed, especially in relation to standardization and the sharing of intelligence. What are the current initiatives of this type in Portugal and in Europe?

MA: In cyberspace there are no boundaries. It is a territory that belongs to no one and, at the same time, to all of us. In this context, it becomes exceedingly difficult, if not impossible, to manage and control who has access to what and when. The diversity, increasing complexity and professionalization of cybercrime, together with its growth and the lack of visibility into it, lead to excessive and dangerous levels of trust on the part of organizations, with a consequent increase in their exposure to cyber-attacks and in the impact of those attacks.

Global collaboration initiatives, in particular those related to the standardization and sharing of intelligence, are fundamental for raising organizations’ awareness of cybercrime, for a coordinated response to cyber-attacks and for a general increase in their ability to identify, mitigate and recover from cyber-attacks.

At the national level, the work carried out by governmental entities, such as the National Security Office, in particular the National Cybersecurity Center, has been instrumental in promoting a culture of security and supporting State bodies, operators of critical infrastructures and companies, both in raising awareness and consciousness of information security, and in increasing their resilience to cyber-attacks.

Internationally, in December 2020, the European Commission and the European External Action Service (EEAS) presented a new EU strategy for cybersecurity [5], with the aim of strengthening Europe's resilience against cyber-attacks and ensuring that all citizens and businesses can fully benefit from reliable and credible digital tools and services. The new strategy contains concrete proposals for the use of regulatory, investment and policy instruments.

In early 2021, the European Council adopted conclusions on the Cybersecurity Strategy, in which it stresses that cybersecurity is essential to building a resilient, green and digital Europe, and where the objective of achieving strategic autonomy while preserving an open economy was established. This involves strengthening the capacity to make autonomous choices in the field of cybersecurity, with the aim of consolidating the EU's digital leadership and its strategic capabilities.

VVdW: What would you recommend to insurers who are considering launching into this new line of business?

NC: The cyber branch has two possible paths that are not mutually exclusive: one more focused on security and the other more focused on operations. In the case of security, there are various insurances against cyber-attack, malware or other direct attack strategies. In the case of operations, we can point to examples such as Parametrix [6], which focuses on providing insurance against downtime of the third-party entities on whose services the organization's activity depends.

The activation of insurance such as the one described above is an example of how digital asset insurance is a market segment with high potential for growth and differentiation. The expansion of information technology in the various business processes and society reinforces, not only this trend, but also the associated vulnerabilities. As such, precautions are necessary.

It is also essential that insurers find a technology partner to support them in three complementary dimensions: with respect to the internal or external client; in the strategic dimension; and in designing, implementing, communicating and managing change.

MA: Strategically, it is important to define a security plan. At everis, we believe that the basis of any successful security plan is the correct identification of the risks to which the organization is exposed, as well as the real impact and probability of those risks. We support organizations, national and international, by conducting cyber-risk analyses based on the main methodologies and standards, systematized through iterative processes that cut across the organization. These analyses, carried out by our cyber-risk experts, allow us to identify and prioritize the necessary critical security controls, set the security plan to be implemented, and identify the tools and technologies that support the adoption of the security model or strategy most appropriate for the organization.

From a design and implementation perspective, the partner must have strategic partnerships with the main, market-leading manufacturers of security solutions, as well as differentiated knowledge and the necessary experience in designing and implementing those solutions. These two factors guarantee insurers the capabilities needed to adopt these technologies, from the analysis and design of the processes and architecture to be implemented, through to their installation and integration with the existing technology estate, making information security and cybersecurity a differentiating factor in the market in which they operate.

Transversally to information security, we believe that, to change behaviours, it is necessary to change beliefs. Company employees are the main agents of change. And it is in this aspect that everis, through its multidisciplinary teams, supports organizations in the definition and execution of change management and communication plans, and in the creation and execution of awareness programs adapted to the business and organizational culture, on an ongoing basis over time, and which include mechanisms for assessing their effectiveness.

[2] https://www.hiscoxgroup.com/cyberexposurecalculator/

[3] http://www.guycarp.com/insights/silent-cyber-web.html

[4] https://kennedyslaw.com/thought-leadership/article/non-affirmative-cyber-risk-phase-2-classes-of-business/

[5] https://www.consilium.europa.eu/en/policies/cybersecurity/

[6] https://parametrixinsurance.com/
