Republished with the kind permission of Insurance Day.
We’re paranoid about A.I. and, in particular, the technology that connects us to the machines. The paranoia of Invasion of the Body Snatchers in the 1950s, Blade Runner in the 1980s, or The Matrix in the 1990s shows that human beings are uniquely susceptible to the fear of being destroyed from within, of being infiltrated, in a constantly recurring story that goes back to the Trojan horse of mythology.
The explosion of IoT devices today provides fertile ground for such fears in a dramatically changing cyber risk landscape, creating new product vulnerabilities and system exposures for organisations that make or deploy them. In its Insight, “The Internet of Everything: Building Cyber Resilience in a Connected World,” global broker Marsh explored how internet-connected devices – from toys and refrigerators, to medical devices and industrial control systems – are introducing or increasing cyber risk for businesses that design, manufacture, service or use IoT products.
Smart technology that connects once-siloed computer systems and devices to the Internet can expose organisations to cyber threats they haven’t traditionally considered or mitigated. Cyber-attacks that interfere with the functions of IoT devices, such as vehicles or pacemakers, can pose a danger to human life and property.
In today’s COVID-19 environment, with many of us now working and socialising through virtual platforms, this fear of cyber invasion will likely move higher up the boardroom and government agenda.
It is no surprise to learn that there has been a steep and significant rise in insurance claims due to ransomware attacks. According to Coalition, a cyber insurance and security provider, over two-fifths of all insurance claims in North America (41%) in the second quarter of 2020 were due to ransomware attacks.
Similarly, there was also a rise in claims from fund transfer losses (27%) and business email compromise (BEC) incidents (19%). Together, all three areas account for over 87% of all claims in the first six months of 2020.
This rise in claims is causing concern among (re)insurers, as cyber has until recently fallen into a “grey” area in many policies. A significant concern is the rise of “silent cyber risks”, which refers to exposures that many companies may have because of the lack of explicit cyber coverage in non-cyber risk policies, particularly in the property and casualty portfolio.
Such thinking chimes with the recent comments by Stefan Golling, Chief Underwriter at Munich Re, who said that COVID-19 highlighted the “potentially huge consequences of a cyber attack causing widespread business interruption, even without causing a high or any level of physical damage”.
Likewise, the European Insurance and Occupational Pensions Authority in a recent paper said that the pandemic has shown that there was a “significant protection gap” for non-damage Business Interruption. Golling also said that cyber attacks have “increased sharply” since lockdown measures were implemented with ransomware attacks increasing by 150%, phishing by almost 600% and cyber attacks on banks by 150% too.
However, the era of many policies being silent on cyber risk seems to be over after the PRA’s intervention in 2019 stating insurers needed to have “action plans to reduce the unintended exposure that can be caused by non-affirmative cyber cover”. This was followed up by Lloyd’s issuing a bulletin in 2019 requiring all Syndicates to provide clarity for cyber exposure in all policies.
Working from home has seen threat actors swarm to newly opened opportunities for exploitation. Phishing, smishing, vishing or watering holes are new phrases in the cyber lexicon. Cyber criminals are working on people’s fears and insecurities around the virus, to good effect. The sudden eviction of staff from the office to the home sofa is a shock to the system. Some have even said that it undermines the founding layers of Maslow’s hierarchy of needs – a classification system which reflects the universal needs of society – especially when it comes to safety and our physiological needs.
Maslow used the terms “physiological”, “safety”, “belonging and love”, “social needs” or “esteem”, and “self-actualisation” to describe the pattern through which human motivations generally move. Employees, for example, are desperately trying to regain a measure of control over their sense of personal and family security, even as they’ve become cut off from the huge source of belonging centred on their place of work. Cyber criminals can exploit these insecurities.
What is needed is a “better” cyber insurance market to induce firms to spend more on cyber security because, at the moment, the information security field is suffering from a number of failures. It is unable to effectively assess which security controls are most effective, but the churn of losses often falls under the radar because most breaches don’t cause material loss.
The Russell mission is to identify a complete network of connections between firms. Cyber risk is no longer a theoretical loss problem. Increasingly outlandish scenarios that might have been confined to sci-fi fans a decade ago can no longer be discounted.