Insurers should take advantage of a currently favourable position for cyber risks, as the landscape evolves, panellists said at the East Asian Insurance Congress in Hong Kong on Friday (Sep 27).
As new vulnerabilities around critical dependencies like cloud service providers, data processing businesses and connected systems crop up, client interest in cyber will grow as risk awareness is heightened.
High profile incidents, like the Crowdstrike outage, have made people more aware of cyber risk, said Joanie Ko, head of cyber & data privacy for APAC at Kennedys.
“There’s been so many high profile incidents in the news that people are generally more aware of cyber risk and the potential fallout that could happen in terms of both reputational damage and the costs involved,” Ko said.
But despite an increased awareness, there is also a bit of misplaced confidence, said Rory Young, vice president and cyber practice leader at Marsh McLennan in Hong Kong.
More than 70% of C-suite leaders were confident in cyber risk management protocols, but only 26% of firms quantified the financial impact of cyber risk exposure, according to a 2022 Marsh and Microsoft cyber risk report.
“If you think you’re confident in your risk management protocols, yet you don’t really understand if a cyber incident materalises adversely, that’s quite a scary place to be,” Young said.
The CrowdStrike outage in July, which hit 8.5 million Windows devices, has highlighted key trends around exclusions, Young said. “We’ve seen insurers over the last couple of years tease a little bit of language in policies to potentially limit or reduce aggregated capacity in respect to these types of events,” he said.
The Russian invasion of Ukraine in 2022 has also highlighted potential cyber risks in terms of warfare, with insurers having a key interest in the impacts a cyber war would have on commercial business, added Young. “I don’t think cyber insurers would be expecting to pick up those types of losses,” he said.
Trends that lower the barrier of entry to cyber attacks has also impacted business. “There are tools now that allow average criminals to upload the vulnerability scan of a network and give you the cheat code to actually taking advantage of them,” Young said.
Firms will have to look a bit broader to see where the trends are, said Ko, with threat actors also targeting vendors. “In the past 12 months, almost exclusively, all of the incidents that we’re dealing with are supply chain attacks,” Ko said. “If there’s no control over the vendors who have access your systems, it doesn’t matter how much you invest in your network security.”
“From our perspective, yes, there is confidence and there is investment, but you need to lokk a bit broader to see what the trends are in terms of incidents that are happening to companies,” Ko added.
A positive place
Despite adverse currents, buyers are now at a “really positive kind of place”, Young adds.
“I think we’re kind of in this precarious moment where, we’re seeing insurers offering very competitive terms, that we’re getting back to a position where limits can be accessed and capacity is no longer an issue,” said Young. “As a buyer, I would be sitting there taking advantage of the fact that I can get access to really, really good coverage now for a good price.”
Events like CrowdStrike have also helped in making policyholders realise that cyber resiliency doesn’t just relate to cyber attacks, Young said.
“We had a lot of clients leaning in and saying, the policy I have, does it cover for programming error if I have downtime? What if it’s a system failure of my own network? What happens if it’s a network that I rely on?” he added. “We got a lot of clients leaning in, that are currently buying asking those interesting questions, trying to understand exactly how a policy can help.”
But it’s “all going to change at some stage,” Young said.
Insurers were not ready for the costs of sophisticated ransomware incidents, leading to sharp premium increases during renewals in 2020, Young points out. But there are signs that they are getting more prepared now.
Insurers are now investing more into advisory consulting work to provide policyholders with risk management value beyond just claims payment, said Young. “It’s been great to see lots of insurers invest a little bit more in terms of this advisory, in this consulting work to make that policy maybe a bit easier to purchase.”
Marsh is focusing on preparing clients for eventualities, Young said, involving C-suite executives in tough scenarios like ransomware attacks to test their organisational readiness.
“Every client that we’re speaking to who’s interested in cyber insurance were also looking to implement or promote kind of preparedness sessions through simulations or workshops that simulate a ransomware attack,” he added. “You can do a lot in terms of investment in prevention, but really it’s that preparedness that we really, really try to promote.”
