# Opener

Six Cyber Risk Insights From AIG and Axio’s Executive Risk Summit

Published by Axio

Did you see our panel? AIG and Axio’s Executive Risk Summit brought together experienced insurance experts to discuss cyber risk management in the industry.

Sadly, as businesses move their IT systems to the cloud and adopt the “Internet of Things” (or IoT), cyber threat exposures are expanding rapidly, putting more and more data at risk. These changes introduce fundamental new threats to businesses of all sizes and shapes that don’t have the vital security infrastructure in place to protect themselves and their clients. This half-day conference covered both recent examples to identify these threats and also shared key insight into how businesses can mitigate risk with technology, insurance, and training.

Broader questions that were discussed included:

  1. How is the insurance market responding?
  2. Are current policies providing adequate coverage? If not, where are the gaps?
  3. Have businesses considered the impact of a breach that causes significant business interruption?
  4. Have they considered the need to more closely evaluate their partners and vendors to ensure they are compliant with best practices?

The panel was moderated by the amazing Forrest Pace, and also featured the expertise of Axio’s David White.

Here are 6 main insights to draw from our Cyber Risk discussion at the Executive Risk Summit at TechSquare Labs in Atlanta, GA:

1. The Number of Cybersecurity Intrusions and Breaches Has Grown Exponentially in the Past Year.

Equifax is just one example of how significant and harmful data breaches can be for hard-working, honest businesses as cyber attacks become both more advanced and increasingly intrusive. The breach affected at least 143 million consumers and is still making headlines – with the former CIO being charged with selling $1 million in company stock before the breach announcement in September 2017. 

Similarly, TRITON/TRISIS represents the first-ever malware to infect safety-instrumented systems (SIS) equipment, affecting vital industries that keep our country running. This has led to industrial sites (such as oil, gas, water utilities, and electricity plants) running multiple SISes to independently monitor critical systems, and ensure they are operating within acceptable safety thresholds. When they are not, the SIS automatically shuts them down. This malware was clearly designed to harm people and property and was not about making money, representing a new rationale for creating malware that raises the risk profile. 

Weaponized malware has created a new set of threats that organizations are just beginning to understand.

Losses like these may not be covered under traditional insurance programs because they may be classified as an act of terrorism, or fall under property coverage. 

Panelists discussed current ambiguity over property coverage for cyber-related risks and ways to find solutions that clarify appropriate coverage for buyers. “Property programs” complement cyber policies and are part of managing the business’ cyber exposure.

Goal: Stability in the insurance program so that rates do not fluctuate wildly and coverage is adequate.

Look at 2017 from a threat perspective, particularly events such as Reaper, Petya (Eternal Blue), and WannaCry.

How can companies quantify the risk?

“This is not an IT problem, it’s an enterprise problem.” – Garin Pace

When the losses are significant enough, they can be to the detriment of the company and affect their future. Evaluating the company’s cyber risks and how they may be vulnerable to attacks is integral for proper protection as cyber attacks become more advanced.

2. This is an Enterprise Issue – Not Just an IT Concern – and Insurance Underwriting Must Take This into Consideration. 

Every enterprise needs to understand the impact of security breaches and incorporate protections into the insurance underwriting for the business. This is best considered based on scenarios the enterprise faces. This includes concerns with:

  • Business continuity
  • Availability
  • Confidentiality
  • Integrity
  • Possible financial loss to the enterprise

3. The More Connected We Become, The More Risk We Introduce.

Electronic Medical Records are now being attacked. Something so personal, so valuable to the protection of our people, is at risk. Nothing is safe.

When the Internet of Things was designed, security-first was not considered. Programmers could not have predicted the malware and cyber breaches that would come forth from the rise of internet reliance. Our armor is half-formed, and there are chips in our defenses. 

We need to consider this: “What is the cost and time to restore business when continuity is interrupted?”

4. We Lack Clarity on the Long-Term Effects of Business Interruption. 

What happens when just-in-time manufacturing and supply chain is interrupted? 

In particular, just-in-time manufacturing has significant financial penalties for late/missed deliveries.

What is the restoration process?

How can the recovery be faster?

We need to understand the entire process by reviewing various scenarios and utilize stress tests to understand the bottom-line impact on our balance sheets.

5. Risk Managers Need to Make New Friends in the Business. 

Risk management has a broader scope than just physical and cybersecurity. Businesses need dedicated risk managers to cope with the potential for an emergency.

6. The Scope of Cyber Risk Insurance Must Plan for Attacks on a  “Never-Before-Seen” Magnitude. 

An area-wide event is possible, especially given the fragile US infrastructure, e.g. the power grid. This overwhelms insurers due to the scope and impact of the attack.

Terrorism will soon touch cybersecurity and must be accounted for in insurance programs.

Additionally, 60 nations are actively creating cyber weapons. Once these weapons are released they cannot be controlled and, once on the grid, they are there for anyone. What happens if they fall into the wrong hands?

Sophisticated malware released into the wild is now available for the average hacker to use for nefarious purposes. 

What happens when an irrational actor gains control of a cyber weapon, or when you pair a sophisticated tool with an irrational actor?

“This is a manageable risk with proper oversight and governance.” – Forrest Pace, Moderator

We continue to see major cybersecurity breaches impacting a wide variety of industries and become more severe and complex. 

Cybersecurity isn’t an option anymore and must be something that is a part of the foundation of the company. This is crucial to reduce the risk of significant loss and data breaches that can affect the operations of the company. It’s also important to maintain the trust of customers and clients. If a data breach occurs or hackers access sensitive data and information, it can lead to customers taking their business elsewhere. When addressing cybersecurity in your organization, here are three items to consider:

  1. This is an enterprise-wide problem and cannot be addressed in isolation by a standard risk approach. These risks go far beyond data breaches, where records are compromised or credit card information is stolen. Risks today include company safety systems, networks, supply chains, and business continuity. This is not limited to your organization but the organizations with which you do business, especially if you provide just-in-time materials or services.
  2. The best way to address risk today is with a holistic approach. Bring together the principal stakeholders and/or functions within your organization, such as Human Resources, Security, IT, Facilities, and Treasury. Consider bringing in your insurance broker or provider to conduct industry analysis and offer guidance on change risk issues. You may also want to include parts of your supply chain in this group.
  3. Scenario testing is the best way to understand the risk impact. Outline and define the different business scenarios that could compromise your organization and test them from end to end. This would include people, processes, and systems.

Working together with other departments and experts is the action that is necessary to formulate a plan and the right tools to protect your company. The steps that are taken need to continue to be adjusted in the future as the cyber risks change and evolve over time. 

Evaluating where you’re the most vulnerable is necessary and is an ongoing process to ensure you can continue to safeguard the establishment and have the right technology and malware in place. This can offer peace of mind to investors and customers to ensure your company can continue to grow and expand over time while minimizing the risk of cyberattacks.

To summarize, organizations must stress test their insurance portfolios, think holistically across cyber and physical security, look at the whole supply chain, and understand that cybersecurity is now a critical component of any business.