Insurance industry must learn from global markets to meet challenge of huge rise in cyber-risk, Prof Ruth Taplin warns at IUA market briefing.
By James Brewer
Under-reporting of cyber attacks on, and threats to, businesses globally has become a massive problem that is hampering attempts by the insurance market to provide the right coverage, a market briefing organised by the International Underwriting Association has heard.
Professor Ruth Taplin, director of the London-based Centre for Japanese and East Asian Studies, told the event in the City that cyber-theft of intellectual property was taking place on an enormous scale, but only “the tip of the iceberg” was showing.
She was elaborating the theme Managing Cyber Risk in the Insurance Industry – Lessons from Global Markets and said that while the volume of attacks had risen substantially – including in the financial sector, especially insurance – knowledge of what was going on was lagging seriously.
The changing methods of cyber criminals were outpacing the means to curb their activities, she warned.
Insurers were left in a difficult position because of the dearth of facts and detail. “We are dealing with a new phenomenon where people do not even know the language to use to describe cyber attack, and how can you deal with something when you do not share a common language?” asked the speaker.
In her presentation, Prof Taplin drew on research from Managing Cyber Risk in the Financial Sector: Lessons from Asia, Europe and the USA, a new book which she has edited, and for which she wrote three chapters.
While she was preparing the book, “with everyone I spoke to, it was clear that at every bank and insurance company around the world, people are being attacked.” There was an enormous growth in attack, “yet where are the figures to show this? I found it surprising that [the problem] is massively under-reported. Without reporting it, you cannot derive the solutions, nor can you manage it.”
Some companies feared reporting the fact that they had become victims “because our customers will lose confidence in us.” But in the long term customers would be dissatisfied and face greater risk if the attacks – “there are just so many of them” – were not addressed. The challenge had to be dealt with by the insurance industry, building the potential cyber risk loss into the premium and cover.
Medical data has now become the biggest target for thieves, Prof Taplin highlighted. Crooks sought access to this rich source of records for blackmail and all sorts of fraudulent purposes. The aim was often to steal cash but that was just one of the goals.
The contributor to her book from Poland dealing with medical data, Dr Marcin Czech, described the extremely complex character of real-world data (the term often used in health economics interchangeably with big data). Dr Czech referred to the challenge to information technology posed by even simple medical data sources, writing of the opportunities of using such information beneficially, while addressing the question of the many “potential attack surfaces.”
Listing some of the many other perils, Prof Taplin said of the upsurge of impersonation and spoofing, “It is becoming a roaring business among cyber thieves.”
In some parts of the world, hackers tended not to go for pure financial gain. They wanted to cause damage to a computer, to a country, or to a particular industry – such as insurance. Some wrongdoers attempted to destroy physical infrastructure by hacking smart machines: “Loss of infrastructure – that is not often talked about as a risk, but it is an increasing risk,” said Prof Taplin. In one such attack in Asia, there was both financial loss and business interruption with a bank’s automated cash machines. “Can you imagine how much the bank lost?”
Prof Taplin turned to methods of assessing internal and external risk in the insurance sector. She asserted that it was important for underwriters to develop better ways of evaluating loss, especially when dealing with intangible assets such as intellectual property. They needed to refine their methods of valuing customer intangible asset worth – “that is not an easy thing, of course,” she said.
Some information was priceless, in the sense of a priceless painting. “How do you value loss of reputation, loss of goodwill?”
Enterprises often underestimated the value of intangible assets and overestimated their insurance coverage.
In managing risk, applying technological solutions alone could be both fallible and inadequate. Most effective was a multidisciplinary approach – one that was cross-departmental and interdepartmental. A company or organisation had to prepare its workforce, educate them, and use human resources management and the assistance of legal departments to isolate threats.
Prof Taplin added: “To be quite honest, I find a lot of [risk] modelling useless, unworkable and not really getting to the empirical evidence you need to assess what is happening to your clients. Using analytical Big Data tools is much more effective.”
Prof Taplin urged practitioners to study the March 2015 report UK cyber security: the role of insurance in managing and mitigating the risk, which stated that 81% of large businesses and 60% of small businesses were the target of cyber attack in 2014. It said that the rate was doubling (“and I believe now it is even more than that,” added Prof Taplin). The report called for a more comprehensive insurance approach, claiming that the insurance industry was not addressing the issue or scale of attacks.
As attacks became more pervasive and increasingly lethal, said Prof Taplin, for the insurance industry “there has to be some kind of working with the government. Maybe through government there has to be an information store of attacks, and a variety of methods offered on how to deal with them. We need governments to work with us on this – in Japan that is already happening: the government has set up a lot of joint training programmes to combat cyber risk, linked to their strategies for dealing with natural catastrophe.”
At the start of a lively question-and-answer session at the well-attended meeting, one of the attendees asked: “Do you think there is enough information available in the market effectively to underwrite these risks?” Prof Taplin replied swiftly: “No! That is why I embarked on this book and this research. There is not the information, there is not enough familiarity with what kind of tools can be used [which are discussed in the book].”
She reiterated that insurers held considerable data but “a lot of people in the insurance industry do not even understand how much data they have stored on their computers.” Insurance companies were increasingly the object of cyber attacks which could defraud them of vast sums. Cyber criminals were striving to find out how much data such companies had, and in response “you have got to be able to manage your own data pool.”
Asked about employee collusion with hackers, she said this happened a lot in small and medium sized enterprises but also in large companies.
Another member of the audience took up an earlier reference by Prof Taplin to the Internet of Things, which could open commerce to further attacks. Prof Taplin said that this was a complex subject. On the positive side, this resource could support underwriting practices by being used for such purposes as monitoring the movement of trucks on the roads to check whether claims looked suspicious. Underwriters need to use the Internet of Things to help set premium levels accurately and fairly.
Big Data analytical tools were extremely important in helping to find the risk exposure and liabilities and how to deal with them. They could for instance be another aid to see if what claimants were saying was true, and would be helpful to analyse what might be happening in a company and why it was not handling a cyber risk properly.
On implications for the maritime industry, Prof Taplin said that there was a lack of understanding about cyber valuation.
She further cited the menace to shipping of Somali pirates, who might be following a “fourth century ideology, but they are finding out all the ways of cyber attack, and are very modern in their approach to commercial ships and how to tap into complex navigational systems.”
Helen Dalziel, senior marketing services executive at the IUA, chaired the meeting. She said there had been a huge response to the invitation to attend Prof Taplin’s talk. The subject was increasingly important to UK businesses, policy-makers and insurers. The IUA now had three working groups dedicated to keeping up with developments in cyber risk, and “the issue continues to be raised at all our committees,”
Managing Cyber Risk in the Financial Sector: Lessons from Asia, Europe and the USA is available to order at www.routledge.com