CFC Cyber: Being Bolder
Thu 24 Nov 2016
Speech by Inga Beale at CFC on Cyber and Being Bolder
Good morning everyone,
I don’t think there is a more pressing topic the insurance industry needs to get its head around today than the cyber threat.
It’s one of the most high-profile risks businesses are facing at the moment and yet CEOs seem to be in denial about its impacts and their ability to deal with it.
This suggests that cyber risk should be a big business opportunity for insurers.
I say “should be” because I don’t think that, as a sector, we are doing enough to promote the benefits of cyber insurance and make it accessible to businesses. Unless we get our act together, the opportunity could pass us by.
I’ll come on to what I think we could do to take this opportunity in a moment.
But first I want to look in more detail at the cyber threat landscape and how it is impacting businesses.
Businesses today are very different to what they were 40 years ago.
In 1975, the split of assets of the S&P500 market value was 83% tangible and 17% intangible. Today this has completely reversed to 16% tangible and 84% intangible.
Many of today’s best-known businesses own no physical infrastructure.
For example, Skype, the world’s largest phone company, owns no physical telco network; Netflix, the world’s largest movie house, owns no cinemas.
The assets of these sorts of companies are digital and data-rich. Their value is based on their IT systems, their intellectual property and their reputation.
On the plus side this means they are less vulnerable to natural catastrophes, which predominantly damage physical infrastructure. But digital assets are more exposed to new threats such as cyber-attacks.
These new threats are evolving fast.
In the 1980s, computer hacking was the hobby of a few enthusiasts in their bedrooms. Today it is a global criminal enterprise and state-sanctioned weapon that can wipe millions off a company’s share price or shut down a nuclear facility.
It is a threat that is growing as digitisation spreads around the world. The internet of things is connecting millions of devices such as lightbulbs, fridges and security cameras to the internet, increasing network vulnerability.
The recent ‘denial of service’ attacks last month exploited these sorts of connected devices to attack the websites of companies including Twitter, SoundCloud and Spotify.
According to one report, 82% of IoT adopters have experienced a denial of service attack this year.
What does this mean for businesses?
In pure financial terms the numbers are pretty frightening.
Cyber-crime costs quadrupled to about $450m worldwide between 2013 and 2015.
Recent research suggests this could hit about $2 trillion by 2019.
Lloyd’s Business Blackout report, published last year, looked at the business and insurance impacts of a cyber-attack on the power grid in north-eastern America and estimated the total cost to the US economy at between $240bn and $1 trillion.
Last year, cyber-attacks in the UK alone cost businesses £34bn.
And that’s just the attacks we know about.
Looking at the costs in more detail, we can split them into two broad categories: visible costs and hidden costs.
Visible costs include things like forensic investigation, legal and customer notification costs.
Hidden costs are often harder to quantify but include things like loss of customers, reputational damage and share-price impact.
It’s hard to find definitive numbers for visible and hidden costs – understandably, businesses are pretty reluctant to share information about cyber-attack costs.
But we can see from the data for the 2013 cyber-attack on the retailer Target what these numbers can look like at an individual company level.
The visible costs incurred by the theft and sale of more than 40m credit card details from Target totalled about $60m; the hidden costs were more than three times as much with almost $100m spent on litigation and a similar amount on upgrading the company’s retail systems.
So it’s a complicated picture and one that businesses are struggling with right now. They understand tangible risks well enough but evaluating threats like business interruption and reputational loss is more difficult.
At the same time, the pressure on companies to deal with the cyber threat is intensifying.
For example, there’s growing evidence that rating agencies are prepared to adjust credit ratings downward based on knowledge of damaging cyber incidents, including loss or theft of data.
While it is unclear what elements would contribute to a downgrade, one rating agency has said it would take into account a cyber incident’s impact on cash flow, especially in relation to the cost of recovery, the upgrading of security measures, increased insurance premiums and fines.
More stringent regulations are being put in place, such as the EU’s General Data Protection Regulation – or GDPR – which will force companies to manage cyber threats better.
This legislation, due to come into force in 2018, could fine companies up to Euros 20m or 4% of global turnover, whichever is higher, if they fail to comply with the new rules.
Then there’s the threat to reputation. This is harder to quantify. But although its precise consequences for the bottom line are unclear, it is certain there would be impacts.
Because in this eagle-eyed, multi-media world, reputation matters more than ever. A recent Ipsos Mori poll found that less than half – 47% – of those surveyed had confidence in large organisations to keep their personal data safe. And when asked if they might boycott a company after a hack, 56% said they might.
It is reasonable to expect that loss of reputation and trust will have more impact as increasing amounts of people fall foul of data breaches.
Given its importance to our customers, Lloyd’s has worked hard this year looking at cyber in more detail.
We commissioned research to look at EU businesses’ understanding of the cyber threat and assess their preparedness for the GDPR.
Several important themes emerged from the study:
It found there is a direct correlation between the quality of leadership and the effectiveness of cyber security. The study found that 9 out of 10 companies suffered a breach in the last five years, but less than half - 42% - thinks it could happen again.
It found that a majority of European business leaders - 57% - do not have much understanding of the GDPR.
And it exposed a serious lack of understanding among three quarters of business leaders about the important role insurance can play in mitigating the cyber threat and helping them resume trading as swiftly as possible after a cyber incident.
So the challenge for us as an industry is to help businesses understand the value of cyber insurance – both in terms of risk transfer and risk mitigation.
To help us do this, last month, Lloyd’s brought together senior risk managers from across Europe to find out what they need in terms of cyber insurance.
We listened and today, based on those conversations, I want to make five recommendations I think the insurance industry should adopt if it is to help protect its customers from cyber-attacks - and grow its cyber business.
First, we must work harder to build partnerships with businesses to help them understand the threat, what their exposure to cyber risk is, and how they can mitigate and protect themselves from it. By analysing their assets and vulnerabilities, we can work with them to establish and implement their cyber risk strategies. Insurers should strive to further develop the relationship with their clients, perhaps by pushing the boundaries of our traditional role by offering greater risk evaluation and mitigation services, and by building partnerships with all stakeholders, including IT, legal and the board.
Second, we need to simplify the cyber insurance-buying process: buying cyber cover can be complicated. While exposures can vary across different industries, establishing, where possible, a more standardised approach to risk assessment, would help eliminate duplicative underwriting evaluation by co-insurers. Language can be another barrier: insurers should try to introduce common terminologies and definitions where possible. This will provide greater transparency and understanding of cyber coverage for insureds.
Third, insurers need to keep reviewing and developing cyber insurance products. Cyber risk is evolving fast – insurance products need to keep up. To achieve this, we must create a culture in which innovation can thrive, and is recognised and rewarded. We must also stress-test our cyber risk models to ensure we are pricing risk correctly – Lloyd’s has been reviewing cyber scenarios in the market this year with this aim.
Fourth, we must ensure we attract the brightest talent into our industry to ensure we have people that can deliver the best products and services.
Finally, we must build trust with the business community and prove that insurance can play the role we say it can in mitigating and protecting against cyber risk. The most powerful way of demonstrating this is to show that when things do go wrong, we pay claims swiftly, allowing companies to get back on their feet. In that Target example I gave earlier, insurance covered about $90m of the total $250 cost – claims stories are good stories and ones we need to amplify.
Another way to build trust is to make sure we are explicit as to what cyber policies cover and what they don’t cover. Businesses will only buy cyber cover if they believe in its value.
So to wrap up: cyber is a present and real threat for our customers. It is a threat that is going to grow and change, more rapidly, perhaps, than any other business line.
However, businesses are either not looking for solutions, or if they are, they don’t know where to find them or understand the value of them.
As insurers we have the expertise, products and global reach companies need to mitigate their cyber threat.
But this business won’t come to us – we have to go and find it, and we have to get better at explaining our value proposition.
What’s in it for us?
One figure I have seen suggests the cyber insurance market will triple in size to $7.5 billion in annual premiums by 2020. I am sure we all would like a part of that.