As cyberattacks have increased in recent years, one area of particular concern has been those that target hospitals and health systems. These attacks have not only affected private information but also threatened the lives and well-being of patients.
A major shift
Hospitals rely more than ever on computerized systems to manage their information and systems. With the added complications related to the COVID-19 pandemic, the dangers associated with cyberattacks have only worsened.
“It’s part of a trend we’ve seen building over the last couple years, even before the pandemic,” said Scott Shackelford, chairman of the IU Cybersecurity Risk Management Program. Unfortunately, health-care providers are very much in the crosshairs. Not only do they often have insurance and deep pockets, but doctors need access to patient information to perform procedures and provide required services.
Because of this vulnerability and urgency, Shackelford said, “They are more likely to pay up.”
“If you look at the surveys that have been done, about one-in-three health providers have been hit by ransomware attacks just since 2020, and there’s been a 45 percent uptick in that rate since last December,” Shackelford added.
One recent attack, on Johnson Memorial Health in Franklin, Indiana, disabled its computer system. Although the hospital said it could still manage its patient intake, the loss of computer capabilities slowed operations down dramatically.
“We’re used to sending lab orders via computer, sending prescriptions to pharmacies via computer, so we’re going back to a real reliance on paper again,” Johnson Memorial President and CEO David Dunkle said. “We’re using more human runners, people taking lab recs between the ER and the lab.”
This has given hackers the ability to disable medical imaging devices like MRIs. They can then shut down or interfere with machines. A recent study by McAfee Enterprise’s Advanced Threat Research Team found that an IV pump made by German medical manufacturer B. Braun had a vulnerability that would allow hackers to change medicine doses remotely.
And while traditional phishing attacks require a user to open a corrupted file — a trend that is now on the decline — new attacks can use so-called Zero Click malware, which can infect a system merely through receiving a text or email.
Additionally, sensitive data that health systems possess gives hackers the opportunity to sell this information online — or threaten to — with demands rising into the millions of dollars. After a 2009 U.S. law was passed that required Medicare and Medicaid providers to implement electronic health records, these risks have only accelerated.
Life and death circumstances
Hospitals now face not only the financial risks of cyberattacks but also the threat to their patients’ lives.
In July 2019, Springhill Medical Center faced a massive ransomware attack that disabled its electronic devices. This failure created dire circumstances for one infant, causing doctors to be unable to monitor the child’s condition during delivery. The infant died, and the hospital is being sued by the mother for malpractice—a charge Springhill denies.
Another attack in Düsseldorf, Germany in 2020 saw the death of a 78-year-old woman from an aortic aneurysm. What was supposed to be a routine pick-up turned into a nightmare, when the local hospital’s system was disabled by a ransomware attack, forcing the emergency department to turn away the woman and causing the ambulance to travel much farther. During this time, the patient’s condition worsened, and she eventually died.
With the vast amount of data and equipment at each of these health facilities—as well as the linked networks of many systems—the threat of cyberattacks in health care will only continue to grow unless more action is taken.
By Loretta Worters, Vice President, Media Relations, Triple-I
Insuretech Connect – the world’s largest gathering of insurance leaders and innovators – last week brought together insurance technology stakeholders to network, share insights, and learn about leading-edge technology across all insurance lines.
Conference participants included Pete Miller, president and CEO of The Institutes, who discussed risk mitigation through new technology.
“Capturing data about the things we do and then allowing us to mitigate risk before we even get to the insurance function, that’s really where I think this industry is going,” he said.
One panel, Climate Risk and Resilience, focused on the importance of Insurtech and innovation to the success and sustainability of the industry. Moderated by Triple-I CEO Sean Kevelighan, the panel included Sean Ringsted, chief digital officer at Chubb; Christie McNeill, associate partner with McKinsey & Company and leader of ESG and Climate Change for the Insurance Practice in North America; Alisa Valderrama, CEO and co-founder of FutureProof Technologies, a venture-backed financial analytics software company specializing in climate risk; and Susan Holliday, Triple-I nonresident scholar and senior advisor to the International Finance Corporation (IFC) and the World Bank, where she focuses on insurance and Insuretech.
“Insurers are no stranger to climate and extreme weather,” Kevelighan said. “They have had a financial stake in it for decades.”
He noted that insured losses caused by natural disasters have grown by nearly 700 percent since the 1980s and four of the five costliest natural disasters in U.S. history have occurred over the past decade.
U.S. insurers paid out $67 billion in 2020 due to natural disasters. The insured losses emerged in part as the result of 13 hurricanes, five of the six largest wildfires in California’s history, and a derecho that caused significant damage in Iowa.
This year’s Hurricane Ida is expected to cost insurers at least $31 billion and to push Hurricane Andrew out of the top five damaging storms. 2021 has been another record year for wildfires. From January 1 to September 19, 2021, there were 45,118 wildfires, compared with 43,556 in the same period in 2020.
The panelists talked about how insurers have long been aware of climate risk and – to the extent that existing data-gathering and modeling technologies allowed – considered it in risk pricing and reserving. As information storage and processing have vastly improved, the industry has not only gotten better at underwriting and reserving for these risks – it has identified opportunities in areas it once could only view as problems.
Improved modeling, for example, has increased insurers’ comfort with and appetite for writing flood coverage and spurred the development of new products.
“Insurers are and always will be financial first responders, but there’s a growing realization that risk transfer alone isn’t enough,” Kevelighan said. “Insurance is one important step toward resilience. It’s well documented that better-insured communities recover faster from disasters. But more is required to address increasingly complex global risks.”
Triple-I CEO Sean Kevelighan will join a virtual panel on Wednesday, Oct. 13, at 11 a.m., ET, to brief public policymakers on ways to build a robust cyber risk insurance market.
“To allow businesses to operate safely in an increasingly interconnected world, insurers are working closely with their commercial customers to mitigate cyber risks and to make sure businesses have the right types, and amounts, of cyber insurance,” Kevelighan said. “However, as we are seeing increasing uncertainty in the extensiveness of cyber risk, it is also essential that we better understand the role government needs to play in particular around law enforcement and international diplomacy.”
As previously noted in The Triple-I Blog, some in the national security world have compared U.S. cybersecurity preparedness today to its readiness for large terrorist acts prior to 9/11. Before those attacks, terrorism coverage was included in most commercial property policies as a “silent” peril – not specifically excluded, therefore covered. Afterward, insurers began excluding terrorist acts from policies, and the U.S. government established the Terrorism Risk Insurance Act to stabilize the market.
“A balanced public-private partnership that recognizes where insurance can be a helpful financial responder, and how government is an essential preventative tool, will be critical to helping mitigate the ever-increasing cyber risks we are facing in the world,” Kevelighan said.
Videos and voice recordings manipulated with previously unheard-of sophistication – known as “deepfakes” – have proliferated and pose a growing threat to individuals, businesses, and national security, as Triple-I warned back in 2018.
Deepfake creators use machine-learning technology to manipulate existing images or recordings to make people appear to do and say things they never did. Deepfakes have the potential to disrupt elections and threaten foreign relations. Already, a suspected deepfake may have influenced an attempted coup in Gabon and a failed effort to discredit Malaysia’s economic affairs minister, according to Brookings Institution.
Most deepfakes today are used to degrade, harass, and intimidate women. A recent study determined that up to 95 percent of the thousands of deepfakes on the internet were pornographic and up to 90 percent of those involved nonconsensual use of women’s images.
Businesses also can be harmed by deepfakes. In 2019, an executive at a U.K. energy company was tricked into transferring $243,000 to a secret account by what sounded like his boss’s voice on the phone but was later suspected to be thieves armed with deepfake software.
“The software was able to imitate the voice, and not only the voice: the tonality, the punctuation, the German accent,” said a spokesperson for Euler Hermes SA, the unnamed energy company’s insurer. Security firm Symantec said it is aware of several similar cases of CEO voice spoofing, which cost the victims millions of dollars.
A plausible – but still hypothetical – scenario involves manipulating video of executives to embarrass them or misrepresent market-moving news.
Insurance coverage still a question
Cyber insurance or crime insurance might provide some coverage for damage due to deepfakes, but it depends on whether and how those policies are triggered, according to Insurance Business. While cyber insurance policies might include coverage for financial loss from reputational harm due to a breach, most policies require network penetration or a cyberattack before they will pay a claim. Such a breach isn’t typically present in a deepfake.
The theft of funds by using deepfakes to impersonate a company executive (what happened to the U.K. energy company) would likely be covered by a crime insurance policy.
Little legal recourse
Victims of deepfakes currently have little legal recourse. Kevin Carroll, security expert and Partner in Wiggin and Dana, a Washington D.C. law firm, said in an email: “The key to quickly proving that an image or especially an audio or video clip is a deepfake is having access to supercomputer time. So, you could try to legally prohibit deepfakes, but it would be very hard for an ordinary private litigant (as opposed to the U.S. government) to promptly pursue a successful court action against the maker of a deepfake, unless they could afford to rent that kind of computer horsepower and obtain expert witness testimony.”
An exception might be wealthy celebrities, Carroll said, but they could use existing defamation and intellectual property laws to combat, for example, deepfake pornography that uses their images commercially without the subject’s authorization.
A law banning deepfakes outright would run into First Amendment issues, Carroll said, because not all of them are created for nefarious purposes. Political parodies created by using deepfakes, for example, are First Amendment-protected speech.
It will be hard for private companies to protect themselves from the most sophisticated deepfakes, Carroll said, because “the really good ones will likely be generated by adversary state actors, who are difficult (although not impossible) to sue and recover from.”
Existing defamation and intellectual property laws are probably the best remedies, Carroll said.
Potential for insurance fraud
Insurers need to become better prepared to prevent and mitigate fraud that deepfakes are capable of aiding, as the industry relies heavily on customers submitting photos and video in self-service claims. Only 39 percent of insurers said they are either taking or planning steps to mitigate the risk of deepfakes, according to a survey by Attestiv.
Business owners and risk managers are advised to read and understand their policies and meet with their insurer, agent or broker to review the terms of their coverage.
Increasing cybercrime incidents resulting in large losses – combined with some carriers retreating from writing the coverage – is driving cyber insurance premiums sharply higher.
Once a diversifying secondary line and another endorsement on a policy, cyber has become a primary component of any corporation’s risk-management and insurance-buying decisions. As a result, insurers need to review their appetite for the peril, risk controls, modeling, stress testing and pricing.
Rapid growth in exposure without adequate risk controls,
Growing sophistication of cyber criminals, and
The cascading effects of cyber risks and a lack of geographic or commercial boundaries.
While the industry is well capitalized, A.M. Best says individual insurers who venture into cyber without thoroughly understanding the market can put themselves in a vulnerable position.
“The cyber insurance industry is experiencing a perfect storm between widespread technology risk, increased regulations, increased criminal activity, and carriers pulling back coverage,” according to Joshua Motta, co-founder and CEO of Coalition, a San Francisco-based cyber insurance and security company. “We’ve seen many carriers sublimit ransomware coverage, add coinsurance, or add exclusions.”
Worsening since the pandemic
A recent Willis Towers Watson study found primary and excess cyber renewals averaging premium increases “well into the double digits.” One factor helping to drive these increases, Willis writes, is the sudden shift toward remote work on potentially less-secure networks and hardware during the pandemic, which has made organizations more vulnerable to phishing and hacking.
The average cost of a data breach rose year over year in 2021 from $3.86 million to $4.24 million, according to a recent report by IBM and the Ponemon Institute — the highest in the 17 years that this report has been published. Costs were highest in the United States, where the average cost of a data breach was $9.05 million, up from $8.64 million in 2020, driven by a complex regulatory landscape that can vary from state to state, especially for breach notification.
The top five industries for average total cost were:
For the health care sector, the average total cost rose 29.5 percent, from $7.13 million in 2020 to $9.23 million in 2021.
Since the start of the year, cyber insurance rates have increased 7 percent for small businesses, according to AdvisorSmith Solutions. For midsize and large businesses, AdvisorSmith said, those increases were closer to 20 percent.
AIG last month said it is tightening terms of its cyber insurance, noting that its own premium prices are up nearly 40 percent globally, with the largest increase in North America.
“We continue to carefully reduce cyber limits and are obtaining tighter terms and conditions to address increasing cyber loss trends, the rising threat associated with ransomware and the systemic nature of cyber risk generally,” CEO Peter Zaffino said on a conference call with analysts.
In May, AXA said it would stop writing cyber policies in France that reimburse customers for extortion payments made to ransomware criminals. In a ransomware attack, hackers use software to block access to the victim’s own data and demand payment to regain access.
The FBI warns against paying ransoms, but studies have shown that business leaders today pay a lot in the hope of getting their data back. An IBM survey of 600 U.S. business leaders found that 70 percent had paid a ransom to regain access to their business files. Of the companies responding, nearly half have paid more than $10,000, and 20 percent paid more than $40,000.
Cyber risk is unlike flood and fire, for which insurers have decades of data to help them accurately measure and price policies. Cyber threats are comparatively new and constantly evolving. The presence of malicious intent results in their having more in common with terrorism than with natural catastrophes.
Insurers and policyholders need to be partners in mitigating these risks through continuously improving data hygiene, sharing of intelligence, and clarity as to coverage and its limits.
Before Sept. 11, 2001, terrorism coverage was included in most commercial property policies as a “silent” peril – not specifically excluded, therefore covered. Afterward, insurers began excluding terrorist acts from policies, and the U.S. government established the Terrorism Risk Insurance Act (TRIA) to stabilize the market.
TRIA requires insurers to make terrorism coverage available to commercial policyholders but doesn’t require policyholders to buy it. Originally created as a three-year program allowing the federal government to share losses due to terrorist attacks with insurers, it has been renewed four times: in 2005, 2007, 2015, and 2019.
“The cyber landscape to me looks a lot like the counterterrorism landscape did before 9/11,” historian and journalist Garrett Graff said during a recent Homeland Security Committee event at which scholars and former 9/11 Commission members urged lawmakers to increase funding for the Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies focused on preventing attacks.
Cyber is more complicated, said Amy Zegart, co-director of Stanford University’s Center for International Security and Cooperation, due to the private sector’s role “as both a victim and a threat vector. There are more people in the U.S. protecting our national parks than there are in CISA protecting our critical infrastructure.” Cyberattacks like the one on the Colonial Pipeline underscore this reality.
When TRIA was reauthorized in 2019, a crucial component was the mandate for the Government Accountability Office (GAO) to make recommendations to Congress on amending the act to address cyberthreats. The trillion-dollar infrastructure bill now being considered in Congress proposes $1.9 billion for cybersecurity, with more than half set aside for state, local, and tribal governments. It would establish a Cyber Response and Recovery Fund for use by CISA.
Like terrorism before 9/11, much cyber risk remains silent. Silent cyber – also called “non-affirmative cyber” – refers to potential losses stemming from policies not designed to cover cyber-related hazards. If silent cyber isn’t addressed, insurer solvency could be affected, ultimately hurting policyholders.
The United Kingdom’s Prudential Regulation Authority in 2019 sent a letter to all U.K. insurers saying they must have “action plans to reduce the unintended exposure” to non-affirmative cyber. Later that year, Lloyd’s issued a bulletin mandating clarity on all policies as to whether cyber risk is covered. This led many insurers to exclude cyber or include it and price the risk accordingly.
“Other regulators and the rating agencies have been less vocal about the issue,” writes Willis Towers Watson, “and, until recently, efforts to address silent cyber have been limited.” Some insurers – most notably in the specialty mutual sector – updated their policies in the mid-2010s to provide clarity on cyber. But, until recently, movement elsewhere has been sporadic, Willis writes.
The recent proliferation of ransomware attacks leading to business interruption has led to cyber insurance – which began as a diversifying, secondary line – becoming a primary insurance-purchasing consideration. Unfortunately, while policies are available, many policyholders still incorrectly expect to be covered under their property and liability policies. Confusion around cyber coverage can lead to unexpected gaps.
“In a best-case scenario, a cyber incident may trigger coverage under multiple policies and increase the available total limit to respond to a covered event,” said Adam Lantrip, CAC Specialty’s cyber practice leader. “In a more common scenario, multiple policies may be triggered but not coordinate with one another, and the policyholder spends more on legal fees than the cost of having purchased standalone cyber insurance in the first place.”
Cyber risk will only grow in significance, complexity, and cost as the world becomes more wired and interdependent. The costs of cyberattacks are potentially massive and need to be mitigated in advance.
By Loretta Worters, Vice President, Media Relations, Triple-I
Despite the prevalence of cyber threats and the increasing number and severity of incidents, directors, officers, and C-suite executives remain too much in the dark when it comes to cyber risk and insurance, Risk & Insurance writer Alex Wright describes in this month’s cover story, Vigilance Demanded.
While specific policies are available to cover the risk, many policyholders still expect to be covered under their property and liability policies — but are not. Risk & Insurance, an affiliate of the Institutes and the Triple-I’s sister organization, notes that commercial insurance policies still suffer from a lack of clarity regarding damage from cybercrimes.
Confusion around coverage can lead policyholders to experience unexpected coverage gaps.
“In a best-case scenario, a cyber incident may trigger coverage under multiple insurance policies and increase the available total limit to respond to a covered event,” said Adam Lantrip, CAC Specialty’s cyber practice leader. “In a more common scenario, multiple insurance policies may be triggered but not coordinate with one another, and the policyholder spends more on legal fees than the cost of having purchased standalone cyber insurance in the first place.”
Of particular concern to insurers is silent – or “non-affirmative” – cyber risk, in which potential cyber-related events or losses are not expressly covered or excluded within traditional policies. In such cases, insurers can end up having to pay unexpected claims for which the policies weren’t adequately priced.
“Cyber risk is present in just about every insurance policy now,” said Tracie Grella, AIG’s global head of cyber insurance. “But because it hasn’t been factored into the underwriting of standard policies such as property, or properly identified, assessed, priced for and put into the aggregation model, it presents a huge systemic risk that can’t simply be ignored.”
Silent cyber first manifested in the WannaCry, Petya and NotPetya cyber-attacks of 2017, which devastated everything from shipping ports and supermarkets to advertising agencies and law firms, the article explains. The resulting losses from the encryption of master files and subsequent Bitcoin ransom demands for restoring access were the costliest on record, surpassing $3 billion.
Underwriters, brokers, and policyholders need to understand how ever-evolving risks and legal frameworks will affect their policies. They also need to keep themselves apprised of the scale of the problem and understand the most common misconceptions and coverage disputes around silent cyber.
By Marielle Rodriguez, Social Media and Brand Design Coordinator, Triple-I
Triple-I’s “Insurance Careers Corner” series was created to highlight trailblazers in insurance and to spread awareness of the career opportunities within the industry.
This month we interviewed Sunil Rawat, Co-Founder and CEO of Omniscience, a Silicon Valley-based AI startup that specializes in Computational Insurance. Omniscience uses five “mega-services” that comprise underwriting automation, customer intelligence, claims optimization, risk optimization, and actuarial guidance to help insurance companies improve their decision-making and achieve greater success.
We spoke with Rawat to discuss his technical background, the role of Omniscience technology in measuring and assessing risk, and the potential flaws in underwriting automation.
Tell me about your interest in building your business. What led you to your current position and what inspired you to found your company?
I’m from the technology industry. I worked for Hewlett Packard for about 11 years, and hp.com grew about 100,000% during my tenure there. Then I helped Nokia build out what is now known as Here Maps, which in turn powers Bing Maps, Yahoo Maps, Garmin, Mercedes, Land Rover, Amazon, and other mapping systems.
I met my co-founder, Manu Shukla, several years ago. He’s more of the mad scientist, applied mathematician. He wrote the predictive caching engine in the Oracle database, the user profiling system for AOL, and the recommender system for Comcast. For Deloitte Financial Advisory Services, he wrote the text mining system used in the Lehman Brothers probe, the Deepwater Horizon probe and in the recent Volkswagen emissions scandal. He’s the ‘distributed algorithms guy’, and I’m the ‘distributed systems guy’. We’re both deeply technical and we’ve got this ability to do compute at a very high scale.
We see an increasing complexity in the world, whether it’s demographic, social, ecological, political, technological, or geopolitical. Decision-making has become much more complex. Where human lives are at stake, or where large amounts of money are at stake on each individual decision, each individual decision’s accuracy must be extremely high. That’s where we can leverage our compute, taken from our learnings over the last 20 years, and bring it to the insurance domain. That’s why we founded the company — to solve these complex risk management problems. We’re really focused on computational finance, and more specifically, computational insurance.
What is Omniscience’s overall mission?
It’s to become the company that leaders go to when they want to solve complex problems. It’s about empowering leaders in financial services to improve risk selection through hyperscale computation.
What are your main products and services and what role does Omniscience technology play?
One of our core products is underwriting automation. We like to solve intractable problems. When we look at underwriting, we think about facultative underwriting for life insurance where you need human underwriters. The decision-making heuristic is so complex. Consider somebody who’s a 25-year-old nonsmoker asking for a 10-year term policy of $50,000 — it’s kind of a no-brainer and you can give them that policy. On the other hand, if they were asking for $50 million, you’re certainly going to ask for a blood test, a psychological exam, a keratin hair test, and everything in between. You need humans to make these decisions. We managed to take that problem and use our technology to digitize it. If you take a few hundred data fields, and a few 100,000 cases to build an AI model, it quickly becomes completely intractable from a compute standpoint. That’s where we can use our technology to look at all the data in all its facets — we automate and use all of it.
Once you’ve got an AI underwriter’s brain in software, you think from the customer intelligence standpoint. You’ve got all this rich transaction data from your customers to pre-underwrite, qualify, and recommend them for different products. We’ve also built a great capability in the data acquisition area. For workers comp and general liability, we have the data that improves the agent experience. We can also correctly classify any NAICS codes and can help with claims avoidance and finding hidden risk. We’ve also got a great OCR capability. In terms of digitization of text, we can take complex tabular data and digitize it without any human in the loop. We’re able to do this worldwide, even in complex Asian languages. We also do a lot of work in asset and liability management and can do calculations that historically have been done in a very low-powered, inaccurate manner. We can run these calculations daily or weekly, vs annually, which makes a big difference for insurance companies.
We also work in wildfire risk. A lot of wildfire spread models look at a ZIP+4 or a zip code level, and they take about four hours to predict one hour of wildfire spread, so about 96 hours to predict one day of wildfire spread at a zip code level. In California, where I am, we had lots of wildfires last year. When you double the density of the grid, the computation goes up 8x. What we were able to do is improve and look at the grid at 30 meters square, almost at an individual property size. You can individually look at the risk of the houses. At a 30-meter level, we can do one hour of wildfire propagation in 10 seconds, basically one day in about four minutes.
Are there any potential flaws in relying too much on automation technology that omits the human element?
Absolutely. The problem with AI systems is they may generally be only as good as the data that they’re built on. The number one thing is that because we can look at all the data and all its facets, we can get to 90+ percent accuracy on each individual decision. You also need explainability. It’s not like an underwriter decides in a snap and then justifies the decision. What you need from a regulatory or an auditability standpoint is that you must document a decision as you go through the decision-making process.
If you’re building a model off historical data, how do you make sure that certain groups don’t get biased again? You need bias testing. Explainability, transparency, scalability, adjustability — these are all very important. From a change management, risk management standpoint, you have the AI make the decision, and then you’ll have a human review. After you’ve done that process for some months, you can introduce this in a very risk-managed way. Every AI should also state its confidence in its decision. It’s very easy to decide, but you also must be able to state your confidence number and humans must always pay attention to that confidence number.
What is traditional insurance lacking in terms of technology and innovation? How is your technology transforming insurance?
Insurers know their domain better than any insurtech can ever know their domain. In some ways, insurance is the original data science. Insurers are very brilliant people, but they don’t have experience with software engineering and scale computing. The first instinct is to look at open-source tools or buy some tools from vendors to build their own models. That doesn’t work because the methods are so different. It’s kind of like saying, “I’m not going to buy Microsoft Windows, I’m going to write my own Microsoft Windows”, but that’s not their core business. They should use their Microsoft Windows to run Excel to build actuarial models, but you wouldn’t try to write your own programs.
We are good at system programming and scale computing because we’re from a tech background. I wouldn’t be so arrogant to think that we know as much about insurance as any insurance company, but it’s through that marriage of domain expertise in insurance and domain expertise in compute that leaders in the field can leapfrog their competitors.
Are there any current projects you’re currently working on and any trends you see in big data that you’re excited about?
Underwriting and digitization, cat management, and wildfire risk are exciting, and some work that we’re doing in ALM calculations. When regulators are asking you to show that you have enough assets to meet your liabilities for the next 60 years on a nested quarterly basis, that becomes very complex. That’s where our whole mega-services come in — if you can tie all together your underwriting, claims, and capital management, then you can become much better at selection, and you can decide how much risk you want to take in a very dynamic way, as opposed to a very static way.
The other thing we’re excited about is asset management. We are doing some interesting work with a very large insurer. What we’ve been able to do is boost returns through various strategies. That’s another area we’re excited about — growing quite rapidly in the next year.
What are your goals for 2021 and beyond?
It’s about helping insurers develop this multi-decade compounding advantage through better selection, and we’re just going to continue to execute. We’ve got a lot of IP and technology developed, and we’ve got pilot customers in various geographies that have used our technology. We’ve got the proof points and the case studies, and now we’re just doubling down on growing our business, whether it’s with the same customers we have or going into more product lines. We are focused on serving those customers and signing on a few more customers in the three areas where we are active, which is Japan, Hong Kong, China, and North America. We are focused on methodically executing on our plan.
With the cyber risk environment worsening significantly, a recent A.M. Best report says, “prospects for the U.S. cyber insurance market are grim.”
The recent proliferation of ransomware attacks leading to business interruption and other related hazards has caused cyber insurance – which began as a diversifying, secondary line – to become a primary component of a corporation’s risk management and insurance purchasing decisions.
Consequently, the A.M. Best report says, insurers urgently need to reassess all aspects of cyber risk, including their appetite, risk controls, modeling, stress testing, and pricing, to remain a viable long-term partner for dealing with cyber risk.
Cyber insurance “take-up” rates (the percentage of eligible customers opting to buy the coverage) are on the rise, according to a recent Government Accountability Office (GAO) report – to 47 percent in 2020 from 26 percent in 2016. This increased demand has been accompanied by higher prices for cyber insurance, as well as reduced coverage limits for some industry sectors, such as healthcare and education. In a recent survey of insurance brokers, the GAO says, more than half of respondents’ clients saw prices rise 10 to 30 percent in late 2020.
“The rate increases for cyber insurance outpaced that of the broader property/casualty industry, but the increase in cyber losses outstripped the rate hikes, which suggests more trouble for 2021 as ransom demands continue to grow,” said Sridhar Manyem, director, industry research and analytics at A.M. Best.
The A.M. Best report says the challenges the cyber insurance market faces include:
Rapid growth in exposure without adequate underwriting controls;
The growing sophistication of cyber criminals that have exploited malware and cyber vulnerabilities faster than companies that may have been late in protecting themselves; and
The far-reaching implications of the cascading effects of cyber risks and the lack of geographic or commercial boundaries.
In April, Federal Reserve Chairman Jerome Powell said cyberattacks are the foremost risk to the global financial system, even more so than the lending and liquidity risks that led to the 2008 financial crisis.
“The world evolves, and the risks change as well and I would say that the risk that we keep our eyes on the most now is cyber risk,” Powell said. “There are scenarios in which a large financial institution would lose the ability to track the payments that it’s making, where you would have a part of the financial system come to a halt, and so we spend so much time, energy and money guarding against these things.”
More recently, FBI Director Christopher Wray compared the current spate of cyberattacks with the challenge posed by the Sept. 11, 2001, terrorist attacks. He said the agency was investigating about 100 different types of ransomware, many tracing back to hackers in Russia.
As we’ve written elsewhere with respect to natural catastrophes, it seems the world has entered a phase in which the traditional emphasis on risk transfer through insurance products is no longer sufficient to address today’s complex, interconnected perils. A focus on resilience and pre-emptive mitigation is in order, and insurers are well positioned to serve not only as financial first responders but as partners in managing these evolving hazards.
Ms. Winnie Tsen, Assistant Director, Financial Markets and Community Investment, U.S. Government Accountability Office (GAO), was one of the key contributors to the GAO’s May 2021 report on cyber insurance.
Colonial Pipeline Co. operates a 5,500-mile system that transports fuel from refineries in the Gulf of Mexico to the New York metropolitan area. It said it learned Friday that it was the victim of the attack and “took certain systems offline to contain the threat, which has temporarily halted all pipeline operations.”
Individually, the event demonstrates the threat cybercriminals pose to the aging energy infrastructure that keeps the nation moving. More frighteningly, though, it is yet another example of how vulnerable the complex, interconnected global supply chain is to disruptions of all kinds – a message that isn’t lost on risk managers and insurers.
The DHS described the attack on an unnamed pipeline operator that halted operations for two days. Although staff didn’t lose control of operations, the alert said the company didn’t have a plan in place for responding to a cyberattack.
“This incident is just the latest example of the risk ransomware and other cyber threats can pose to industrial control systems, and of the importance of implementing cybersecurity measures to guard against this risk,” a CISA spokesperson said at the time.
Not just energy companies
It isn’t only energy and industrial companies that need to be paying attention. According to cyber security firm VMware, attacks against the global financial sector increased 238 percent from the beginning of February 2020 to the end of April, with some 80 percent of institutions reporting an increase in attacks.
“Cyber is an existential issue for financial institutions, which is why they invest heavily in cyber security,” says Thomas Kang, Head of Cyber, Tech and Media, North America at Allianz Global Corporate & Specialty (AGCS). “However, with such potentially high rewards, cybercriminals will also invest time and money into attacking them.”
He pointed to two malware campaigns – known as Carbanak and Cobalt – that targeted over 100 financial institutions in more than 40 countries over five years, stealing over $1 billion.
An AGCS report shows technical failures and human error are the most frequent generators of cyber claims, but the financial impact of these is limited:
“Losses resulting from the external manipulation of computers, such as distributed denial of service attacks (DDoS) or phishing and malware/ransomware campaigns, account for the significant majority of the value of claims analyzed across all industry sectors (not just involving financial services companies).”
According to the report, regulators have turned their attention to cyber resilience and business continuity.
“Following a number of major outages at banks and payment processing companies, regulators have begun drafting business continuity requirements in a bid to bolster resilience.”
Not just cyber
The COVID-19 pandemic has taught the world a lot of lessons, not the least of which is how vulnerable the global supply chain – from toilet paper to semiconductors – is to unexpected disruptions. Demand for chlorine increased during 2020 as more people used their pools while stuck at home under social distancing orders and homeowners also began building pools at a faster rate, adding to the additional demand. Such disruptions can ripple through the economy in different directions.
Business interruption claims and litigation have been a significant feature of the pandemic for property and casualty insurers.
When the container ship Ever Given got wedged in the Suez Canal – one of the most important arteries in global trade – freight traffic was completely blocked for six days. Even as movement resumed, terminals experienced congestion and the severe drop in vessel arrival and container discharge in major terminals aggravated existing shortages of empty containers available for exports. The ship’s owners and the Egyptian government remain locked in negotiations over compensation for the disruption, and the ship is still impounded.
Spurred in part by this event, the Japanese shipping community is considering alternative freight routes to Europe, both reliant on Russia: the Trans-Siberian Railway and the Northern Sea Route. Neither option is devoid of risks.
In an increasingly interconnected world, there is no bright line distinguishing man-made from natural disasters. After all, the Ever Given grounding was caused, at least in part, by a sandstorm. April’s power and water disruptions that left dozens of Texans dead and could end up being the costliest disaster in state history were initiated by a severe winter storm.
A resilience mindset focused on pre-emptive mitigation and rapid recovery is called for in both cases. There is no “either/or.”