Updated: Jan 11
"Follow the money" is a familiar phrase most often associated with identifying the culprits of fraud and financial crime. But it's also a good indicator for other issues - and in this context, for understanding the prevalence and significance of certain kinds of risk. Whatever your personal experience of insurance companies, their "raison d'être" is to price and absorb risks - and to make a profit out of that. They make their money by understanding how to price risk - primarily based on claims history. What's the relevance of this to risk professionals? It's that the number of claims and their magnitude are a good indicator of whether a threat is increasing or decreasing.
Which is why some relatively recent developments in the cyber insurance market should be heeded. According to the Marsh Global Insurance Index, cyber insurance premiums are ramping up at an exponential rate. This means only one thing - the size and frequency of claims are increasing and insurance premiums are rising accordingly.
There are also changes in the cover available: recently Lloyd's of London announced that state-backed attacks would no longer be covered by policies issued on its market. Notwithstanding the lack of clarity over whether or not a particular cyber-attack was state sponsored, the fact that this is a market-wide exclusion provides an indication of the concern risk carriers have in relation to the frequency and financial impact of the threat. Policy holders should be aware that this can affect existing policies and their obligations under those policies.
In 2017 Merck was crippled by the NotPetya virus. Its insurer refused payment based on an assertion that the virus was of Russian origin and part of the annexation of Crimea. Merck contested this and the issue was finally settled early this year - 5 years later.
In addition to the Lloyd's exclusion there are further indications that claims may not be settled if an insurer feels a policy-holder has been negligent. For instance, the pending litigation between Travelers Property Casualty Company of America and International Control Services (ICS) contains a salutary lesson in terms of understanding what's really going on with cyber security management in your organisation. As part of the policy, ICS were required to provide assurances that certain security measures were in place - which was duly signed off by the ICS CEO. When ICS tried to claim under the policy following a major cyber attack, Travelers rebutted the claim on the basis that the security measures were not deployed and, under those circumstances, a misleading representation had been made. The case is still pending - but it already sends out several important messages:
Risk carriers are requiring policy holders to provide attestations of the deployment and operation of cyber security measures;
Ignorance of non-performance or sub-optimal performance is no defence;
Using "we've got insurance" as an excuse not to invest in information security can cost you dear: it can take years for disputes to be settled. In the meantime the policy holder has to bear all of the recovery costs and the litigation costs associated with the dispute;
When the insurance industry starts to introduce exclusions, raises premiums and places obligations on policy holders, it's a clear indication that claims are becoming more frequent and larger. Organisations outside of the industry don't have this kind of visibility into threat manifestation - the insurance industry does, and we should all take notice.
Our "Getting to Grips with Cyber" service assists exec teams and their audit committees to establish cyber risk exposure reporting that senior non-specialists can understand. Our incident simulation service helps organisations to assure and improve their cyber security incident plans and capabilities.