In this episode of the podcast (#117), we go deep on one of the hottest sectors around: cyber insurance. In the first segment, we talk with Thomas Harvey of the firm RMS about the problem of “silent cyber” risk to insurers and how better modeling of cyber incidents is helping to address that threat. In part II, we invite Chip Block of the firm Evolver back into the studio to talk about the challenge that “converged” cyber physical systems pose to insurance carriers as they try to wrap their arms around their exposure to cyber risk.
Editor’s note: as an experiment this week, we’re posting each interview as a separate download, to see if that makes it easier for listeners to jump to the content they’re most interested in. Use the comments section or Twitter (@securityledger) to let us know what you think or whether you prefer the single download!
Part I: not ransom…ransomware!
You’re a mid-sized corporation with a few thousand employees and offices around the world. A million years ago, you purchased Kidnap and Ransom insurance (or K&R in insurance industry lingo). The idea was to protect your company in the event that one or more of your executives was kidnapped in some distant, shady location. Sure, that seemed like an unlikely (though not unprecedented) risk. But what the heck? The insurance was dirt cheap.
Fast forward a decade. You’re still paying for your K&R, and now your company is facing a ransom demand…from faceless cyber criminals who have planted ransomware software on your network, locking down key IT assets and data. The question your board and executives are asking is obvious: does that K&R insurance also cover the cost of paying ransom to free encrypted data from the grasp of cyber criminals?
That question – and a thousand others like it – is one of the main questions for insurance carriers and their customers. The so-called “Silent Cyber” risk – the degree to which existing insurance protections can be invoked to cover damages resulting from cyber incidents – is lurking on millions of policies. It was a major topic of conversation at the recent Cyber Risk Summit* in Santa Monica.
One way insurance companies are responding is by improving their modeling of cyber risk. How they’re doing that, and how the output of those risk models might affect the kinds of cyber insurance that are offered to companies, is an area of expertise for our first guest: Thomas Harvey, a senior Product Manager at RMS, who I caught up with at the Cyber Risk Summit.
In our first segment, we speak with Thomas about the fast-growing silent cyber risk problem and the equally fast-evolving cyber security marketplace. We look at how insurers are using data analysis and sophisticated modeling to better understand their exposure to cyber risk, including the risk posed by the Internet of Things.
Part II: Cyber physical risk is real. Are insurers ready?
When a buffer overflow problem causes an infusion pump to malfunction, whose job is it to address the problem? Nurses and doctors don’t have the training to patch hardware. Hospital IT staff are overwhelmed and lack clinical training. Medical device manufacturers often take a hands-off approach to lifecycle management of their devices.
What’s needed, according to our next guest, is converged security that takes both IT and operational issues seriously. There’s plenty of evidence that converged cyber and physical threats are going to be the new normal. Recent incidents like the
Just a year or two ago, most business executives thought of cyber attacks as a problem of data theft, Block observes. NotPetya and WannaCry changed that, impacting not just company data but also entire business operations: manufacturing lines, supply chains and more.
Insurance companies are doing one of two things, Block notes. One is to expand their cyber offerings to address the new risks. The other is to update existing products – like Directors and Officers (or D&O) insurance – to include cyber and cyber physical risk alongside more traditional types of risk, like floods and storms.
The challenge, he says, is to take advantage of new opportunities to insure cyber risk while also being wary of “aggregate risk” – unforeseen exposure via multiple clients to a single event. (Think: Hurricane Andrew in Southern Florida.)
Chip is a vice president at Evolver, which is now part of Converged Security Solutions. In this conversation, we talk about the growing scope of cyber attacks and the increasing operational impact of cyber incidents, as evidenced by threats like NotPetya and WannaCry. You can also hear him on podcast Episode #86 talking about the SEC’s guidance on cyber incidents.
(*) Security Ledger was a media sponsor of The Cyber Risk Summit and received subsidized travel to and from the event.