6 Cyber Risk Insights from AIG and Axio’s Executive Risk Summit

Idenhaus recently attended AIG and Axio’s Executive Risk Summit, which brought together a panel of insurance experts to discuss Cyber Risk management. Cyber exposures are expanding rapidly as businesses move their IT systems to the cloud and adopt the Internet of Things (IoT) and Bring Your Own Device (BYOD). These changes introduce fundamental new threats to businesses of all sizes and shapes. This half-day conference cited recent examples to identify these threats and shared how businesses can mitigate risk with technology, insurance, and training.

Broader questions that were discussed included:

• How is the insurance market responding?
• Are current policies providing adequate coverage? If not, where are the gaps?
• Have businesses considered the impact of a breach that causes significant business interruption?
• Have they considered the need to more closely evaluate their partners and vendors to ensure they are compliant with best practices?

The panel was moderated by Forrest Pace and featured the expertise of David White, Founder and Chief Operating Officer of Axio; Guenter Kryszon, Head of Large Limits & Terrorism Property, AIG; and Garin Pace, Cyber Product Leader – Financial Lines & Property, AIG. 

Here are 6 insights from the Cyber Risk discussion at the Executive Risk Summit at TechSquare Labs in Atlanta, GA. 

1. The number of cybersecurity intrusions and breaches has grown exponentially in the past year.

Equifax is a case in point. The breach affected at least 143 million consumers and is still making headlines with the former CIO being charged with selling $1 million in company stock prior to the breach announcement in September 2017.  

TRITON/TRISIS represents the first-ever malware to infect safety-instrumented systems (SIS) equipment. Industrial sites such as oil, gas, and water utilities typically run multiple SISes to independently monitor critical systems to ensure they are operating within acceptable safety thresholds, and when they are not, the SIS automatically shuts them down. This malware was clearly designed to harm people and property and was not about making money, representing a new rationale for creating malware that raises the risk profile. Weaponized malware has created a new set of threats that organizations are just beginning to understand.

Losses like these may not be covered under traditional insurance programs because they may be classified as an act of terrorism, or fall under property coverage. Panelists discussed current ambiguity over property coverage for cyber-related risks and ways to find solutions that clarify appropriate coverage for buyers.

• Property programs are complementing cyber policies and are part of managing the business’ cyber exposure.
• GOAL: Stability in the insurance program so that rates do not fluctuate wildly and coverage is adequate.
• Look at 2017 from a threat perspective, particularly events such as Reaper, Petya (Eternal Blue), and WannaCry.
• How can companies quantify the risk?

“This is not an IT problem, it’s an enterprise problem.”  – Garin Pace

2. This is an enterprise issue, not just an IT concern, and insurance underwriting must take this into consideration.

The enterprise needs to understand the impact as it is incorporated into the insurance underwriting for the business. This is best considered based on scenarios the enterprise faces. This includes concerns with:

• Business continuity
• Availability
• Confidentiality
• Integrity
• Possible financial loss to the enterprise

 3. The more connected we become, the more risk we introduce.

• Electronic Medical Records are now being attacked.
• The Internet of Things was not designed with a security-first mentality.
• There are chips in everything.
• What is the cost and time to restore business when continuity is interrupted?

4. We lack clarity on the long-term effects of business interruption.

What happens when just-in-time manufacturing and supply chain is interrupted? In particular, just-in-time manufacturing has significant financial penalties for late/missed deliveries. What is the restoration process? How can the recovery be faster? We need to understand the entire process by reviewing various scenarios and utilize stress tests to understand the bottom-line impact to the balance sheet.

5. Risk managers need to make new friends in the business.

Risk management has a broader scope than just physical and cyber security.

6. The scope of cyber risk insurance must plan for attacks of never-before-seen magnitude.

• An area-wide event is possible, especially given the fragile US infrastructure, e.g. the power grid. This overwhelms insurers due to the scope and impact of the attack.
• Terrorism will touch cybersecurity and must be accounted for in insurance programs.
• 60 nations are actively creating cyber weapons. Once these weapons are released they cannot be controlled and, once on the grid, they are there for anyone. What happens if they fall into the wrong hands? 
• Sophisticated malware released into the wild is now available for the average hacker to use for nefarious purposes. What happens when an irrational actor gains control of a cyber weapon, or when you pair a sophisticated tool with an irrational actor?

“This is a manageable risk with proper oversight and governance.”  – Forrest Pace, Moderator

We continue to see major cybersecurity breaches impacting a wide variety of industries. When addressing cybersecurity in your organization, here are three items to consider.

1. This is an enterprise-wide problem and cannot be addressed in isolation by a standard risk approach. These risks go far beyond data breaches, where records are compromised or credit card information is stolen. Risks today include company safety systems, networks, supply chains, and business continuity. This is not limited to your organization but the organizations with which you do business, especially if you provide just-in-time materials or services.
2. The best way to address risk today is with a holistic approach. Bring together the principal stakeholders and/or functions within your organization, such as Human Resources, Security, IT, Facilities, and Treasury. Consider bringing in your insurance broker or provider to conduct industry analysis and offer guidance on change risk issues. You may also want to include parts of your supply chain in this group.
3. Scenario testing is the best way to understand the risk impact. Outline and define the different business scenarios that could compromise your organization and test them from end-to-end. This would include people, process, and systems.

To summarize, organizations must stress test their insurance portfolios, think holistically across cyber and physical security, look at the whole supply chain, and understand that cyber is now a critical component of the business. 

This article was co-authored by Hanno Ekdahl and Jeff Luther.

Download my new, FREE digital book entitled Reimagining Identity Management: How To Design, Choose And Implement The Right IAM Solution For Your Business.

Follow @Idenhaus on Twitter and subscribe to our biweekly newsletter.

By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us