
Cyber risk jumps up the risk index

In its latest risk index Lloyd's reports cyber risk is now the second-largest perceived risk for US businesses. We speak to Hank Watkins, president of Lloyd's North America, about why cyber risk is becoming increasingly prominent.
By Sam Kerr sam.kerr@euromoneyny.com

Insurance is an industry used to dealing with a variety of new and complicated risks. One risk that has been gaining a lot of attention in recent months is cyber risk. Many companies are now coming to the realisation that they are unprepared to deal with the highly complex nature of modern cyber risks and that adequate insurance precautions now need to be taken against the potentially large expense that can be caused by a cyber breach.

Cyber now seems to be coming to the attention of senior executives in all industries. In its recently released biennial risk index, Lloyd's found that cyber risk was the second-highest concern for senior executives in the US and Canada and was the third-highest risk concern internationally. This marks a notable change in thinking.

Hank Watkins, president of Lloyd's North America, tells Reactions that the prominence of cyber risk in this year's survey marks a departure from previous years. "If you go back to 2009 cyber risk was not in the top 15 concerns. We typically go out to about 500-600 senior executives and they can be CIOs, CEOs, CFOs of several industries talking about all types of different risks," he says. "Cyber really wasn't as much of a big deal in 2009 as it was in 2011, and more so this year as it leapt up to number three in the world and number two in North America."

Cyber breaches have featured heavily in the news since the last risk index in 2011. Breaches like the one that occurred at internet corporate networking site LinkedIn in 2012 can cause any company with access to vast amounts of personal data a lot of concern. Watkins feels that the high-profile nature of these breaches, and the fact that cyber attacks are featuring more heavily in the news, may have prompted the change in focus. He says: "Clearly with all of the breaches that we've heard about and all the ones we haven't, and have yet to be divulged until I guess legislation forces them to, cyber is something that is at the top of everyone's mind."
The Lloyd's report mentions that another primary concern for companies regarding cyber could originate from the changing nature of the risk. In the past, cyber attacks have been traditionally limited to criminal financial activity, identity theft and the like. However, a new wave of political, ideological and sometimes anarchic attacks has begun to cause businesses grave concern as the scope of the damage has the potential to be far greater.

"Historically cyber attacks have been used to raid bank accounts or get credit card information and sell it, and so on," says Watkins. "You see a lot more now of it being used as ideological warfare, people making a political statement, the Chinese against the US, for example, or interest groups against the government. That's far more of a concern than the other."

The risk index reports that the number of incidents attributed to state-sponsored hacking and revenge attacks by so-called hacktivist networks is growing. So, too, are the costs of cyber breaches. A 2012 study by the Ponemon Institute found that the average annualised cost of cyber attacks for 56 benchmarked organisations was $8.9m a year, up from $8.4m in 2011, with a range from $1.4m to $46m per year, per company. The most costly cyber crimes involved malicious code, denial of service and web-based attacks, says Lloyd's. The seemingly malicious nature of this new breed of cyber attacks and the damage that they can do makes the risk a far greater potential concern than financial fraud.

Another problem that causes concern with cyber attacks is the complexity involved with mitigation. "With cyber risk, I don't know that we are ever going to get to the point where we fully understand how to mitigate the losses," says Watkins. This is a fundamental difference between cyber and other specialty risks that the industry has managed to insure effectively.
Despite the progress made to combat cyber attacks, the sophistication of hackers and the changing nature of cyber breaches make modelling and claims mitigation a far more complex process than in the case of other emerging risks. Watkins comments that this makes cyber more complex than many of the risks that the industry has faced in the past, because it is constantly developing. This means that companies can still work to protect themselves from cyber attacks but it can never be certain whether they have done enough to prevent all potential breaches.

"On the cyber side I think whether you are an insurance company, a potential insured or a company that is already insured you really hope that you've got it right [on protection against cyber attacks], but you can't be sure," says Watkins. "So that's a big conundrum that we're all facing right now."

Some of the more high-profile international cyber breaches, such as the Stuxnet virus that attacked centrifuges in Iranian nuclear plants in 2010, prove that cyber attacks are getting more sophisticated. Watkins comments that examples such as this show how difficult it is for private companies to protect themselves against highly sophisticated attacks.

Despite the problems that insurers and insureds face when dealing with claims mitigation, there has been an industry breakthrough concerning response to cyber breaches. Many companies have now assembled sophisticated breach response teams to deal with the immediate fallout from cyber risks.

"You look at Beazley, for example, they are probably writing over $100m globally in cyber alone," Watkins comments. "They've got a product called Beazley Breach Response and the beauty of that product is they put a lot of emphasis on the up-front loss mitigation piece and will typically either bring insureds in to a seminar or meet with them one on one.

"They have typically hired companies such as Kroll, which is a private investigative firm previously owned by Marsh and McLennan, and they do a lot of pre-loss work to help prevent it in the first place."

Watkins explains that breach response teams such as the one at Beazley handle all aspects of breach response, alleviating pressure from insureds in regards to their responsibility following a breach. Watkins also mentions CNA and AIG as other companies that write standalone cyber policies.

Breach response teams are a way in which insurers can provide effective cover for companies. Watkins feels that this kind of policy shows what the industry is capable of achieving when it gets creative. "[The cyber breach response teams] are an example that when our industry gets creative it can do wonderful things."

In Europe new legislation has added an extra element to the nature of cyber attacks, he says. One aspect of the new law is that it is now essential for all companies who are victims of cyber attacks to immediately notify all those involved of the breach. This is a big change because previously it did not apply to all companies that kept large amounts of public data.

Data breach notification can be expensive. Various fines are being discussed for companies that do not comply with it or any other aspect of the new legislation. One such punishment for non-compliance is a potential fine of 2% of all global turnover, which, for a large multinational, could be highly damaging.

This has now brought more companies to the attention of cyber regulators and means that cyber preparation is now a necessity rather than a luxury. "Essentially [data notification legislation] raises everybody's profile; when you have regulation you have regulators looking for violators," says Watkins. "You hope you don't have something happen to you but you know when you do and you don't report it immediately, and whether you go to your attorney or your insurance company first, the regulation piece clearly raises the bar for everybody."

One of the more intriguing aspects of cyber risk for insurers is that it is a risk not only faced by their insureds but by themselves as well. Insurers have access to vast amounts of data that could be extremely damaging if it were hacked. Health insurance companies in particular must be careful about protecting data that can be extremely sensitive.

"If I were a health insurer, and you have all the HIPAA laws in the US and all the other laws around the world, your biggest nightmare is someone getting into your health records and splashing them around or threatening to. That's why we see hospitals as one of the biggest potential growth areas for cyber insurance because they're scared to death of a breach that gets the information out there," says Watkins.

Insurers must be prepared to take every precaution to protect their own data if they are going to be able to underwrite cyber risk effectively. It is also vital, from a reputational aspect, for insurers selling cyber insurance to have their own house in order.

Watkins confirms that cyber is now a board-level concern. However, he does cast some doubt on whether it is still fully appreciated at the CEO level. "Cyber is certainly understood by CIOs and also CFOs because they're so close to it," he says. "I'm certain CEOs are more aware of the risk because around the boardroom table you're talking about it every month. But are they specifically clued in to how their company is responding to it? I'm not sure that's necessarily the case."

However, Watkins does say that it is unsurprising that CEOs are not focusing totally on cyber risk because there are still other areas that they need to focus on. "I still think it's a risk watched closely at the CIO level of big companies and at owner level in small companies but in the current economic climate there is only so much people can do. Especially when your focus is on the bottom line and making sure your company is producing quarterly results," Watkins adds.

In the risk survey high taxation and retention of customers still rank as the two most pressing concerns for global business so it is understandable that CEOs are not completely focused on the complexities associated with cyber risks.

Changes in international risk ranking

2011
1. Loss of customers/cancelled orders
2. Talent and skills shortage
3. Reputational risk
4. Currency fluctuation
5. Changing legislation
6. Cost and availability of credit
7. Price of material inputs
8. Inflation
9. Corporate liability
10. Excessively strict regulation

2013
1. High taxation
2. Loss of customers/cancelled orders
3. Cyber risk
4. Price of material inputs
5. Excessively strict regulation
6. Changing legislation
7. Inflation
8. Cost and availability of credit
9. Rapid technological changes
10. Interest rate change

Source: Lloyd's Risk Index
