The SolarWinds attack, which affected as many as 18,000 enterprises, brings new challenges to the cyber insurance industry. Capgemini notes that the ‘supply chain attack’ aspect is particularly difficult for insurers because, instead of distinct events, many enterprises are hit at once, and the SolarWinds breach lays down a roadmap for commercially minded hackers to follow. The long period between exploit and detection means that other, similar breaches may already be under way.
To adapt to these tactics and risks, insurers need to ‘consider the evolution of cyber insurance products to include more risk management and protection type features as opposed to strictly focusing on risk transfer’, and cyber insurance policies may need to be underwritten more precisely and exactly than other forms of insurance. Government involvement along the lines of the ‘Terrorism Risk Insurance Program’ may be necessary as well.
The evolving nature of cyber-attacks brings huge challenges to the cyber insurance industry as it works to build and evolve appropriate risk models. Other forms of insurance, such as property, vehicle, and life, use actuarial tables built from input data that has been relatively steady over many decades, with very few if any outlier events, which makes those risk calculations straightforward.
And even lumpier insurance categories, such as catastrophe insurance, whose payout events vary in timing and severity, have guardrails the market has grown comfortable with and an understanding that outlier events (such as particularly severe hurricanes) will occur.
But cyber presents new challenges from systemic events, such as a widespread supply chain attack like the one triggered by the SolarWinds breach. The SolarWinds breach also illuminates a framework that could be used for a more commercial attack, such as a larger-scale ransomware attack that hits dozens or hundreds of firms at once. The cyber security industry speaks of ‘zero-day exploits’. A systemic, commercially minded ransomware attack could be a ‘zero-day event’ for the cyber insurance industry, which has no direct precedent to draw on to model and prepare for such an event. It could be akin to the first time the insurance industry covered a large weather event or earthquake.
But unlike weather events, which cannot be stopped, the likelihood of becoming the victim of a cyber-attack can be reduced through improvements in cyber governance. Just as construction standards such as California's earthquake codes make seismically retrofitted buildings safer, stronger management of technology makes a company more resilient in the face of attacks and lessens the financial fallout if a breach occurs. How do we know this? Our ratings prove that poorly performing companies are much more likely to experience a breach than high performing ones.
SolarWinds illustrates why a systemic event should be addressed systemically. The solution has several elements:
- C‑suites should recognize the necessity of better cyber governance and implement cost-effective improvements to cybersecurity.
- Mandatory cyber risk disclosure by companies will help reduce the overall level of systemic risk, particularly for companies that make up critical infrastructure. Investors have a direct interest in demanding this from C‑suites and boards.
- The insurance industry needs more accurate cyber risk pricing models. Without them, the cyber insurance industry will continue to struggle to price the risk and supply the right type of coverage, and companies will be increasingly exposed to the ever-widening gap between the financial and economic damage caused by attacks and existing coverage that falls well short, undercutting its very utility as a risk management tool.