April 15, 2022
Why Do Insurers Need to Think Like Cybercriminals?
The short answer is, To protect insureds from cybersecurity risks.
Cybersecurity is no longer the emerging risk it was just a few years ago. Rather, it is a clear and present risk for organizations of all sizes, said panelists at the Insurance Information Institute’s (Triple-I) Joint Industry Forum (JIF). This is in large part because cybercriminals are increasingly thinking and behaving like businesspeople.
“We’ve seen a large increase in ransomware attacks for the sensible economic reason that they are lucrative,” said Milliman managing director Chris Beck. Cybercriminals also are becoming more sophisticated, adapting their techniques to anticipate every move made by insurers, insureds, and regulators to repel their attacks. “Because this is a lucrative area for cyber bad actors to be in, specialization is happening. The people behind these attacks are becoming better at their jobs.”
The challenges facing insurers and their customers are increasing and becoming more complex and costly. Cyber insurance purchase rates reflect the growing awareness of this risk, with one global insurance broker noting that the number of its client who purchase this coverage has increased from 26 percent in 2016 to 47 percent in 2020.
Are Cyber Risks Still Insurable?
One panelist asked whether the rapid growth of cyber risks has made it practically uninsurable now. Panelist Paul Miskovich of the Pango Group pointed out that so far, insurers have been able to managed the risk using greater underwriting controls, improved cybersecurity tools and better IT maintenance for employees. He also noted that cyber insurance has been profitable every year for most insurers.
Projections indicate that by 2026 insurers will be writing $28 million in gross written premium for cyber insurance, according to Miskovich. He said he believes all the pieces are in place for insurers to adapt to the challenges presented by cyber. He also noted that part of the industry’s evolution will rely on recruiting new talent.
“I think the first step is bringing more young people into the industry who are more facile with technology,” he said. “Where insurance companies can’t move fast enough, we need partnerships with managing general agents, with technology and data analytics, who are going to bring in data and new information.”
“Reinsurers are in the game,” said Catherine Mulligan, Aon’s global head of cyber, stressing that reinsurers have been doing a lot of work to advance their understanding of cyber issues. “The attack vectors have largely remained unchanged over the last few years, and that’s good news because underwriters can pay more attention to those particular exposures and can close that gap in cybersecurity.”
Mulligan said reinsurers are committed to writing reinsurance for cyber risks and believe they are insurable. “Let’s just keep refining our understanding of the risk,” she said.
It’s Time for Insurers to Think Like Criminals
When thinking about the future, Milliman’s Beck stressed the importance of understanding the business-driven logic of the cybercriminals.
If, for example, “insurance contracts will not pay if the insured pays the ransom, the logic for the bad actor is, ‘I need to come up with a ransom schema where I’m still making money’,” but the insured can pay without using the insurance contract.
This could lead to a scenario in which the ransom demands become smaller, but the frequency of attacks increases. Under such circumstances, insurers might have to respond to demand for a new kind of product.