Four lessons from the US cyber experience

US$1m cyber ransom paid in South Korea
July 20, 2017
July 2017 Member Matters
July 27, 2017

Four lessons from the US cyber experience

Cyber security concept businessman Lock on digital screen, contrast, virtual screen with a consultant doing presentation in the background Closed Padlock on digital, cyber security, key

By Harry Rosenthal, Unimutual General Manager, Risk Management Services

Cyber insurance has been under development in both the US and Australia for the past several years. Members will recall we introduced protection for this risk, as a benefit of Membership, while it was still relatively unknown.  The US market is the world’s most advanced for cyber-risk cover and its development in has been driven by many factors, such as mandatory data breach reporting and credit protection. As a Mutual offering cyber-crime protection, we routinely update Members on the impact of such recent, high profile cyber-losses such as “Wannacry” and “Petya”, while trying to keep an eye on the international picture to date to better understand this risk.

Next year Australia will introduce mandatory data breach reporting, and although most University Members are exempt from this requirement, it may be prudent look at the US experience when similar legislation was passed, for lessons which emerged to better manage this risk. Key lessons would include:

  1. It’s not just an IT problem.

This is an important lesson from the US, as many universities in Australia still view the cyber-risk equation to be a balance between their IT Division and Insurance Division. The US experience illustrates th®at the causes and impacts of cyber losses are extremely diverse, often involving students, staff, stakeholders and contractors who use the university internet network(s). This is in addition to the hackers who are trying to commit mischief via the Internet.  Once a cyber-crime incident occurs, its impact is felt in more than just the IT and Insurance Divisions, they reverberate throughout the institution and reputation can be put at risk.  The experience in the US shows these loss events engage numerus internal divisions, including Legal, IT, Operations, Student Services Marketing and PR, etc. In other words, it is more common that planning for cyber events is not only done at the IT level anymore, but now includes numerous internal business units. Cyber is the classic “enterprise risk” even though current thought has it owned by IT.

  1. Premiums will increase.

A clear by-product of the increase in frequency and severity of US and global cyber-crime is an increase in the pricing of cyber-insurance products. The demand for cyber risk insurance has experienced significant growth over the past few years, as organisations seek greater financial support for this class of loss and as the potential exposure becomes better understood. Underwriters are struggling to develop appropriate cyber-risk pricing models as they continue to gather adequate data for this still developing risk. The inherent uncertainty is feeding price escalation. The US experience also shows that premiums may increase because of legislative changes, such as those coming into force in Australia next year; which are likely to lead to a higher number of reported incidents and, an increased frequency of disclosed losses.

  1. The need to impress underwriters also increases.

Underwriters understand that not all entities present the same risk profile for cyber-risk. They value and reward companies which can demonstrate better systems in place to lower the risk of cyber losses. In the US entities obtaining the best deals in premium costs are those who can clearly demonstrate robust systems and security. This can be difficult to do as cyber-events are like the mythical Hydra, as one head is cut off, others emerge. Once a cyber risk is mitigated, whether via software patch or adjustments to firewalls, new cyber-crimes are invented and committed which breach those precautions. As a result, we see examples in the US where both insurers and insureds are working more frequently with commercial cyber-risk experts and consultants, engaged to ensure systems are as resilient as possible. Such external experts are guiding insurers in the identification of potential clients who are better risks for underwriting purposes. Along the same line, other security experts are working with the cyber-insurance customer to present the organisation to commercial underwriters as a superior risk and worthy of a lower premium. It may be difficult for “in-house” IT staff to be across all the latest cyber threats, therefore, outside help is sought not only to improve the protection of systems but also to demonstrate to underwriters the quality of that protection.

  1. Board attention.

This brings us to the last lesson from the current US situation, and that is Boards now clearly recognise this is not just another operational risk exposure. There appears to be growing recognition that Boards want to be well informed on this risk, as they know they too, will become involved in a high-profile cyber loss event which affects their organisation. Boards not only want to be kept up to date on this state of vulnerability of their entity to a cyber threat, but also feel they are personally are well prepared to respond, on both an operational and Board level.

These are some of the lessons we are seeing today from the world’s largest and most mature cyber risk market, the US. While events overseas are not always a predictor of events in Australia, with the daily changing nature of cyber-risk, we encourage our Members to be aware of developments, even beyond the IT dimension of this risk. We know our Members will continue to receive questions from their Councils, Senates and stakeholders regarding the institution’s readiness in face of cyber-crime, and as a Mutual, we will continue to share information and experience amongst the Membership as this risk develops, whilst maintaining cover and for post event response and loss reimbursement.

Keep reading: Will you be affected by the incoming Notifiable Data Breaches Scheme? And what can you do to prepare?