Recently, Advisen’s Cyber Risk Network took a close look at the risk of cyber-related physical damage. We spoke with Rick Welsh, head of cyber insurance at AEGIS London to delve further into this nascent field and examine the challenges faced by insurers writing the coverage.
Are organizations devoting the proper attention and resources to the risk of damage to equipment, property, supply chains and other assets due to cyber-attacks?
Rick Welsh – Enterprise risk management has not yet evolved to the extent that security is as central to ERM as it should be.
Those companies, however, that have conjoined security and risk management more closely have a more sophisticated view of overall risk, and it is this that the SEC, FTC and industry-specific regulators are looking for. Risk managers have been avoiding this “scare-mongering” as part of their efforts to address cybersecurity [in attempting to convince boards of the need for action].
Much of what boards are looking for is not more anecdotal scare-mongering but rather risk- and exposure-based analysis which can illuminate scenarios against which risk modeling and insurance can be set. This scare-mongering is one of the reasons some of the larger companies, who in fact do have a very lucid grasp of security and ERM, harbor a cynical view of the coverage cyber insurance offers. It is this cynicism that we and others are trying to arrest.
Can a closer alliance with the security consulting industry assist the insurance industry in measuring the risk of cyber-related physical damage? In our previous piece, a representative of the SANS Institute suggested that security firms can’t necessarily estimate whether physical damage is likely to result from a cyber attack.
Rick Welsh – The security industry do not hold themselves out as evaluators of risk; they understand security, and yet, as SANS suggests, cyber risk is evolving to the extent that penetration tests do not measure risk or exposure. Equally, some security practitioners, particularly those with ex-government backgrounds, are selling expensive yet limited compliance-based assessments to brokers and insurers as an instant panacea to risk modeling.
However, that is an auditing approach and does not provide any contextualized analysis of security. Does a PCI [Payment Card Industry]-compliant or NERC-CIP [North American Electric Reliability Corporation Critical Infrastructure Protection]-compliant entity provide anything but a straight-line comparison of all companies in those sectors?
A plethora of breaches against PCI-compliant companies and (albeit fewer) NERC-CIP-compliant energy companies would suggest otherwise. Lastly, actuaries are openly positing that deterministic models cannot price, define or model risk. And without the right type of contextualized security expertise, they would be right.
Are insurers unable to assess their clients’ security?
Rick Welsh – This statement is perhaps true for those insurers that do not have dedicated in-house security expertise; we and others can verify for ourselves the efficacy of our clients’ security; security is not denominated by the prevalence or otherwise of “data.”
How does AEGIS approach the physical damage cyber risk component?
Rick Welsh – We at AEGIS (via the AEGIS London syndicate, which writes all cyber globally on behalf of the AEGIS group) provide difference in conditions/difference in limits (DIC/DIL) and an alternative that offers a complete first- and third-party wrap for all property and casualty covers, including environmental and terrorism.