Cyber Attacks
- Greg Taylor
- May 13, 2017

An unprecedented and massive ransomware attack spread across the globe on 12th May 2017, locking up thousands of hospital, telecommunications, and utilities systems in nearly 100 countries. The attack used data stolen from the NSA to exploit vulnerabilities in Microsoft Windows and deliver the WanaCrypt0r ransomware. The demand was for $300 per PC.
Hacking and cyber-attacks seem to be front and center of the news these days. Whether it is Russia, China or North Korea hacking US-based computer networks, or the likes of Target, the PlayStation Network, Yahoo or the DNC suffering the attacks, they keep coming. There seems to be constant recognition of the threats, but still they continue to develop.
Electronic communication is fundamental to almost every business these days. Whether it is email, the cloud, Skype or the like, the way organizations operate is ever more reliant upon electronic devices and networks.
Whilst these electronic devices are subject to the more usual physical threats such as fire, flood, theft etc., they are also exposed to a myriad of cyber threats that are seemingly increasing daily. These cyber threats can be more difficult to understand than normal physical hazards, and they have the potential to be devastating to a company.
In a modern business, management must know what to do to protect the business and what to do should a cyber incident occur. But how many conduct regular reviews of systems security or have a business contingency plan should a loss occur?
Systemic Risk
In December 2016 AIG conducted a survey of cyber security experts. The primary question was whether they considered cyber risk to be systemic, i.e. whether a cyber risk has the potential to impact many companies at the same time. 90% of respondents said that they considered cyber risk to be systemic.
More than half of survey respondents say a simultaneous attack on 5–10 companies is highly likely in the next year. More than one-third estimate the likelihood of a simultaneous attack on as many as 50 companies at greater than 50 percent. Twenty percent see an even greater threat, predicting a better than even chance that as many as 100 companies will be attacked.
The experts seem to have underestimated the potential. The WanaCrypt0r ransomware affected 75,000 computers in 100 different countries. At one stage 5 million emails were spreading the malware every hour.
External Risks
A company must look further than its own four walls when considering the risks it faces. For example, what would a company do if a key supplier has a cyber incident that leads to a delay in the provision of products? How about an interruption to the banking system? What about power generation companies being disabled for a prolonged period because of a hack? In this connected world companies need to consider external exposures as well as internal risks.
In the case of the WanaCrypt0r ransomware, details are still quite limited. However, information from the UK suggests that the National Health Service relied upon outdated systems that increased its vulnerability.
Outdated systems are not restricted to the UK. In May 2016 the U.S. Government Accountability Office issued a report that found that some U.S. government agencies are using IT systems running Windows 3.1, the decades-old COBOL and Fortran programming languages, or computers from the 1970s.
A backup nuclear control messaging system at the U.S. Department of Defense runs on an IBM Series 1 computer, first introduced in 1976, and uses eight-inch floppy disks, while the Internal Revenue Service's master file of taxpayer data is written in assembly language code that's more than five decades old.
If one seemingly cannot trust governments to be fully protected, how can one rely on the other parties that a business depends upon to be protected?
Commercial Cyber Insurance - Beware the Small Print!
Whilst commercial policies differ, the mainstays of coverage are usually:
Breach of data liability
Electronic media liability
Network security liability
Crisis management
Network interruption and extra expenses
Data loss
Cyber extortion
How many companies look at the actual terms of their commercial insurance policies? Whilst this list seems wide ranging, the devil is in the detail, and there is generally a lot of detail. Policies can run upwards of 20 pages and include several limitations. For example, on one policy reviewed the following exclusion applied:
Loss arising from “any actual or alleged uploading, downloading, piracy or file-sharing of digitized media, music, photos, movies, software or video games”.
How many employees download photos that are sent via email onto a company’s computer system? File sharing was not a defined term within the policy, so seemingly any file emailed from one person to another on the company system may be considered file sharing. Should a loss ensue, for example from the WanaCrypt0r ransomware, then coverage is invalidated by this clause.
The policy also included the following exclusion:
Loss arising from “actual or alleged material deficiency in Insured Entity’s Security of which any Insured was aware prior to the effective date of this Policy or any prior Policy of which this Policy is a renewal or a replacement”.
Whilst this may seem reasonable for deliberate acts, the “or alleged” wording provides cause for concern. Imagine this exclusion in light of the deficiencies apparent in the Government Accountability Office report mentioned above; it can be easy to highlight deficiencies in hindsight.
When it comes to business interruption, the insurance cover only applies if the cyber event affects the insured’s own network system, and then only whilst the system is being fixed plus an extra expense period of 30 days thereafter. No coverage applies should a cyber-attack interrupt the business because it affects suppliers. No coverage is in place should the company continue to face consequential losses after the Extra Expense period.
It should also be borne in mind that, given the time development takes and how rapid technological advances can be, a state-of-the-art commercial insurance policy can be outdated by the time it comes to market.
When security experts such as those in the AIG report underestimate the extent to which organizations are exposed, should one rely on commercial insurers to fully protect the business?
Companies need to find a way to protect themselves against cyber risks without relying on commercial insurance to provide a panacea for all ills.
Managing Cyber Risk
How many companies fully consider the risks faced by the business relating to cyber threats? How many understand what commercial cyber insurance policies cover and moreover what they do not cover?
Whilst insurance can provide valuable protection, it has its limitations. Insurance only helps after a loss has occurred, and then only if the circumstances are covered. Given the potential for disruption and loss not provided for by insurance, it would seem that an organization should examine its risks before a loss occurs, find a way to control its exposures and have a good idea of how to fund all losses should they occur.
Enterprise risk management (ERM) is a risk-based approach to managing an enterprise that integrates internal control with strategic planning to increase overall stakeholder value.
Cyber risk is a fundamental exposure faced by an organization that can be addressed by ERM. This approach requires owners and managers to see cyber risk not just as an IT problem but as an enterprise-wide issue. ERM focuses on all aspects of the operation, including external dependencies and customers, with ways to control risk and exploit opportunities. It encourages the organization as a whole to consider control and response rather than just leaving it to an IT specialist to protect the business’s network and systems.
As part of an ERM response, an organization may consider ways to fund potential losses, dovetailing its approach with commercial insurance or with a captive insurance product that can be tailored more closely to the company’s own specific needs.
Captive solution
Whilst there are many subtleties that are required to be addressed in a captive structure, in its most basic form a captive insurance company is an insurance company owned by an organization that insures the risk of the organization. Rather than using a commercial insurance company the operating entity places insurance risk with its wholly owned insurance company.
Alternative risk transfer mechanisms such as captive insurance companies have become more mainstream in the past 30 years. 95% of the S&P 1000 are thought to have their own captive insurance company. In the past 15-20 years, the middle market has seen a dramatic rise in captive products that focus on their needs.
There are many reasons why commercial insurance is an important tool to control the risks faced by an organization, but its limitations mean that it is worth considering alternatives.
There are several benefits for an SME in operating its own captive, including:
Individually designed insurance policies
Control over claims handling
Control of underwriting
Retention of underwriting profit
Encouraging a risk management focus
Working with risk professionals who can establish and manage a captive insurance company also provides a business with the resources to identify, evaluate, design a response to and monitor the insurance risks being transferred.
Unlike with commercial insurance, there is no need to develop an industry-wide approach to cyber policy coverage. The captive can design a cyber insurance policy so that it covers an individual company’s needs. The policy can be purposefully wide with minimal exclusions so that, for example, an employee inadvertently downloading a corrupted file does not invalidate the insurance should a loss ensue. Coverage can be tailored to indemnify for cyber incidents at suppliers or other external parties that affect the business. Because the captive insurance company controls the policy wording, there is no small print. In an ever-changing risk environment, the ability to provide the widest possible coverage can provide significant stakeholder value to an insured.
Conclusion
Commercial cyber insurance is limited in its protection. Businesses are susceptible to significant loss due to events not provided for by commercial cyber insurance. A blended approach of enterprise risk management and captive insurance can provide a company with enhanced protection against cyber risks that adds to stakeholder value.
Working with risk professionals who can establish and manage a captive insurance company provides a company with the resources to identify, evaluate, design a response to and monitor its cyber risks, and helps it maintain the business should an event occur.
Speak with Albion Risk Consulting, S.A. to discuss how a captive insurance company can help.
Albion Risk Consulting, S.A.
13th May, 2017