Cyber claims: What does the future hold?
Cyber insurance is not a new concept. The first cyber policies were being written in the late 1990s/early 2000s, but the environment in which this line of business operates continues to develop and grow far beyond that which might have been contemplated 20 or 25 years ago.
It is with that background in mind that Zurich in the UK took the decision to establish a new cyber claims team to operate within the wider Specialty Claims department. I was appointed to the role of Cyber Claims Team Leader around 6 months ago, having previously been the team leader for Professional Indemnity, Legal Indemnities and Cyber. Cyber insurance is not a new concept to me, but the discussions I have had and the things I have read in the last 5 or 6 months have really opened my eyes to what a fast paced and ever developing line of business this is. There is no time for any of us to rest on our laurels. Every day is different and there will always be plenty to learn, whether you are a claims professional, an underwriter, or a member of a company board. Against this, the threats and risks faced by individuals and companies are growing. The challenge is how the market, insurers and insureds, acknowledge and respond to this reality.
As we all continue to wrestle with this challenge, now seems a natural time to look ahead and consider what issues need to be at the forefront of our minds as we move towards 2023.
What follows are some ‘headlines’ in terms of what I would venture to suggest are likely to be key talking points (and challenges) as we move into next year and beyond. Each issue could, alone, form the basis of its own article. However, in the interests of brevity, the points which follow (in no particular order) are simply highlighted here with the intention of sparking further thought and discussion.
The geopolitical and economic environment
In many ways, 2022 has been a year like no other (as were 2021 and 2020). With global conflicts, unstable economic environments and an increasingly urgent need to take steps to protect the world in which we live, the need to adapt and mitigate has never been more vital or, perhaps, difficult. Inaction is not a viable business model and decisions taken can in turn enhance, or hinder, companies’ risk profiles.
With recession looming, ongoing conflict in Europe (and elsewhere) and with a growing urgency to reduce damaging environmental impacts, taking out or maintaining a cyber policy may seem like one of any number of ‘luxuries’ to be sacrificed in challenging times. Difficult decisions and compromises may need to be taken, but the cyber market has grown to face a new and growing peril. A peril that will not diminish as we move into a new year.
Ransomware
No article about cyber would be complete without a mention of ransomware attacks. Some anecdotal reports suggest we have seen fewer attacks during 2022. If true, this is good news, but no one involved in the cyber market should be fooled. According to data from the Department for Digital, Culture, Media and Sport, 39% of UK businesses suffered a cyber attack across a 12 month period and, of the 39%, around 1 in 5 attacks involved either denial of service, malware or ransomware.
Although these statistics may seem modest, the impacts can be significant. Threat actors are constantly changing their tactics and developing ever more sophisticated means by which to exert pressure on victims (see double, triple and quadruple extortion, for example). In turn, with data theft a growing reality as part of an attack, the risks of third party claims, regulatory issues and penalties also grow.
Sanctions
Perhaps little to be said on this. The sanctions regime is as complex and hard hitting as it has ever been. This creates a further complicating factor to be accounted for when dealing with any kind of cyber incident. With the ever-present difficulty around attribution of incidents, a company’s commercial decision to engage with threat actors becomes even more complex and risky.
Alternative risk areas/threats
And whilst there will always be ransomware attacks, as noted above, such attacks are just one means by which a cyber incident can arise.
Data breaches, and the regulatory issues and third party issues (whether because of a ransomware event or otherwise), will, I predict, come into ever sharper focus in 2023. Cyber can be seen as a short tail, primarily first party line of business, but the impacts and potentially significant third party liabilities which can arise from data breaches must not be overlooked. Neither can the impacts of potentially long and exacting regulatory investigations and penalties.
By way of further example around alternative threats, distributed denial of service attacks (“DDoS” attacks) remain a concern and could, perhaps, be something we see increase as the attention and rhetoric remain focussed on ransomware and its consequences. It must be remembered that not all threat actors are interested in pure financial gain. There are groups out there whose main drivers are disruption, information and publicity (e.g. so-called hacktivists). In challenging times it is no surprise feelings of difference, inequality and unfairness perpetuate and feed perceptions that disruptive and headline grabbing action needs to be taken.
Complacency
Perhaps the biggest risk faced by the market as we look ahead to next year is a sense of complacency or over confidence. To consider risk mitigation strategies, training, incident response plans, experience or even insurance as absolute protections is simply unrealistic. Planning, preparation and training around cyber risks are key actions (as to which see below), but rarely, if ever, will any of these measures make an organisation ‘bullet proof’. Even where external threats are managed and minimised, they will remain. So too, will the more internal, inward facing risks of human error, mechanical breakdown and supply chain problems.
Providing support
Zurich Resilience Solutions (ZRS) is the Risk Engineering Services division of Zurich Insurance. Zurich, being one of the largest insurance providers in the world, brings in a wealth of experience to the risk management space. ZRS combines its expertise and utilises data to share best practices, providing specialist risk management services to both our insured and non-insured customers.
Cyber is one of the key risk areas where we have internal capabilities, complemented by external partnerships with security firms. We are able to provide a holistic and comprehensive cyber resilience risk advisory service for customers to help them tackle the present cyber threat landscape and help navigate the present hard market for insurance. For further information contact zrs.enquiries@uk.zurich.com or visit our ZRS website.
Beyond this, and in the event the worst happens, the Zurich cyber claims team is on hand to provide support and guidance, directly and via our panel partners across multiple fields of specialism. Collaboration, engagement, flexibility and pragmatism are key to navigating cyber incidents, tackling the multiple issues that can arise and working towards restoring and resolving them.
Concluding remarks
It is fair to say that the above points interrelate and have multiple points of cross over. I make no apology for this. The issues noted, and any number of others, are simply a part of a bigger whole which demonstrates the need for business and the insurance market (cyber and other lines) to keep thinking, talking and adapting.
The opportunities offered by technology are incredible and continue to grow, but so do the threats created by our evolving world, our new ways of working and our increasingly logged in lives. There is no sign that the fast pace of change will diminish and insurers and insureds alike need to work together to try to keep pace whilst educating themselves and taking steps to plan, mitigate and minimise vulnerabilities. I predict there will be plenty to keep the cyber conversation going into 2023!