With the recent global WannaCrypt ransomware attack, it seems the whole world is talking cyber and all things hacking... so if you can't beat them, join them!
That said, the recent WannaCrypt pandemic has tested some of the thinking and hypotheses on cyber risk, the real exposure and potential remediation in response to large-scale attacks. In addition to the expected analysis of root cause and debate on the plausible technical prevention, the debate has expanded into other areas like corporate culture, human behaviour and also protection (e.g. insurance).
This article in the Sydney Morning Herald makes an interesting point about the impact that such events have on both the demand for cyber insurance and the need for services regarding the prevention and non-financial remediation if there is a cyber event. This highlights the ongoing market pressures to shift from simply transferring a risk to another party (typically an insurance company) to managing the risk before, during and after an event.
One particularly interesting question is what cyber insurance typically covers and whether that is really what matters to the insured.
When considering this it is fair to conclude that financial compensation for costs incurred as a result of a cyber attack is good, but in an era when data is a key business asset, and more so a differentiator, getting that data back and preserving its integrity is of more importance.
This is little different from automotive insurance, where breakdown cover and a hire car help during the event but ultimately the insured is looking for their car to be returned in working order or replaced with the same.
Given the complex nature of cyber risks and changes in technology, this raises the question of whether insurance companies now need strong technology services capabilities in order to provide cyber insurance. If so, insurers need to decide whether to invest in building an in-house capability (taking time and requiring capital investment). Alternatively, as we have seen in the automotive insurance sector, with car rental and roadside assistance companies forming partnerships with insurance providers, will we see an emergence of partnerships between technology services companies and insurance providers to provide a complete end-to-end cyber insurance service?
If this is not led by the insurance market, it feels like the technology industry will have the opportunity and incentive to start to offer enhanced cyber insurance service bundles in the shape of routine health checks, monitoring, data back-up, event management and post-event restoration, coupled with some "skin in the game" or commercial agreement to recompense clients for any impact to normal business operation (similar to other SLAs that IT service providers offer around critical business systems performance and availability).
There are already several tech companies and consultancies that offer a number of IT security support and advisory services, but there is an increasing number who have this technical expertise, the balance sheet and a pressure to find new markets, and who could now be incentivised to consider entering what might previously have been considered a higher-risk, out-of-sector market space. The recent high-profile hacking events confirm that there is certainly a market for these services. Although the ongoing challenge of how any organisation effectively rates and prices cyber risks could present a barrier to entry, or at least a clear risk of entering the market, one could argue that tech companies have the underlying data, books of business and expertise to be well placed to effectively rate cyber risks and identify key variables that heighten or mitigate cyber exposure between clients.
Could this be the emergence of the "TechInsurer" company that complements the "InsurTechs" who are already driving change in the insurance landscape?
"Insurance is only part of the puzzle. The cost can be covered but if data is lost then that's where the problem is," said Dr Naveen Chilamkurti, cyber security program coordinator at La Trobe University. "It's a well known trick/vulnerability. It's just a matter of time before it happens again." As of Monday afternoon, the attack had netted nearly $US40,000 ($54,000) in bitcoin payments. Nearly nine out of 10 cyber insurance policies in the world are in the United States, according to Kevin Kalinich, global head of Aon Plc's cyber risk practice. The annual premium market stands at $US2.5-$3 billion.