Idenhaus recently attended AIG and Axio’s Executive Risk Summit, which brought together a panel of insurance experts to discuss Cyber Risk management. Cyber exposures are expanding rapidly as businesses move their IT systems to the cloud and adopt the Internet of Things (IoT) and Bring Your Own Device (BYOD). These changes introduce fundamental new threats to businesses of all sizes and shapes. This half-day conference cited recent examples to identify these threats and shared how businesses can mitigate risk with technology, insurance, and training.
Broader questions that were discussed included:
- How is the insurance market responding?
- Are current policies providing adequate coverage? If not, where are the gaps?
- Have businesses considered the impact of a breach that causes significant business interruption?
- Have they considered the need to more closely evaluate their partners and vendors to ensure they are compliant with best practices?
The panel was moderated by Forrest Pace and featured the expertise of David White, Founder and Chief Operating Officer of Axio; Guenter Kryszon, Head of Large Limits & Terrorism Property, AIG; and Garin Pace, Cyber Product Leader – Financial Lines & Property, AIG.
Here are 6 insights from the Cyber Risk discussion at the Executive Risk Summit at TechSquare Labs in Atlanta, GA:
1. The number of cybersecurity intrusions and breaches has grown exponentially in the past year.
Equifax is a case in point. The breach affected at least 143 million consumers and is still making headlines with the former CIO being charged with selling $1 million in company stock prior to the breach announcement in September 2017.
TRITON/TRISIS represents the first-ever malware to infect safety-instrumented systems (SIS) equipment. Industrial sites such as oil, gas, and water utilities typically run multiple SISes that independently monitor critical systems to ensure they are operating within acceptable safety thresholds; when they are not, the SIS automatically shuts them down. This malware was clearly designed to harm people and property rather than to make money, a new rationale for creating malware that raises the risk profile. Weaponized malware has created a new set of threats that organizations are just beginning to understand.
Losses like these may not be covered under traditional insurance programs because they may be classified as an act of terrorism, or fall under property coverage. Panelists discussed current ambiguity over property coverage for cyber-related risks and ways to find solutions that clarify appropriate coverage for buyers.
- Property programs are complementing cyber policies and are part of managing the business's cyber exposure.
- GOAL: Stability in the insurance program so that rates do not fluctuate wildly and coverage is adequate.
- Look at 2017 from a threat perspective, particularly events such as Reaper, Petya (EternalBlue), and WannaCry.
- How can companies quantify the risk?