Keith Stonell, Managing Director, EMEA, Guidewire Software.
Looking at the results of the 2018 Allianz Risk Barometer shows just how big an issue cybersecurity has become for businesses.
Cyber incidents rose from being the third greatest threat in 2017 to the second greatest in 2018, according to business owners.
The biggest threat according to this year’s barometer was business interruption, and can you guess what was considered the most feared caused of such interruption? A cyber incident.
With 2017 a year of record breaking damages resulting from natural disasters, it is pertinent to consider that large-scale cyber-attacks and so-called ‘cyber hurricanes’ threaten to match, if not exceed, these costs for businesses and insurers in the future.The Petya ransomware attack in June 2017 interrupted production of a vital vaccine and brought one of the world’s busiest ‘smart’ ports to a standstill, causing a potential $575m in damage for these two incidents alone. The economic losses attributed to WannaCry, which hit a month earlier, impacting thousands of companies globally, are forecast to reach $8bn.
Companies are becoming more concerned with the security of their data and the consequences they might face should they suffer a breach. The recent implementation of GDPR across Europe means that negligent businesses could soon be facing fines of up to four percent of turnover or €20m, whichever is greater, alongside the significant costs and damage that a cyber breach would cause.
Clearly, cyber risk protection and mitigation present an enormous business opportunity for insurance carriers. Indeed, over the past year many businesses have turned to cyber insurance to protect themselves from potential risks, with one insurer, Hiscox, seeing annual growth of 40% in cyber insurance business.
However, calculating cyber risk is far removed from calculating typical commercial risks and presents a unique set of challenges. Besides being a relatively new threat, the nature and potential of cyber risks are changing at such a rate that data needs to be collected in a dynamic, real-time manner for insurers to keep pace with ever-changing threat vectors. If underwriters are to keep ahead of these changes and price cyber risks accurately, they need to change from an approach based on hindsight to one based on foresight, grounded on the most up to date data available. To achieve this, and properly account for future risks, underwriting needs to be based on predictive models created by the intelligent use of data and machine learning technologies.
It is worth noting that cyber risk models cannot purely look at technology. Whether malicious or benign, human actions often play a part in cyber incidents and represent a risk that cannot be prevented by technology alone. Accordingly, a holistic, data driven approach that understands the nature of the cyber risk faced by companies should be employed to calculate cyber threats accurately.And for underwriters to have any chance of interpreting the vast number of potential data points and deriving actionable patterns from them that can predict risk, insurers need to employ platforms that use machine learning.
Underwriting requires turning data into an economic model. Doing this dynamically, and at the scale required to make it useful, necessitates having an analytics platform that leverages artificial intelligence to cope with all the relevant data sets. Compounding this, insurers are focused on performance across their business, so cyber risk models need to consider the economic impact of risk accumulations, aggregated events, and disaster scenarios.
The fact is that we now find ourselves at a point where there is no amount of cyber security software that can fully protect organisations from the evolving threat landscape. As such, cyber insurance has become an essential tool in a business’ arsenal; but there is work to do for insurers, too. If insurers do not have the right tools to price cyber risks accurately or competitively, this will result in a bad deal for customers and, more than likely, prove to be a critical blow for the insurers themselves.