NEW YORK—Advisen’s Cyber Risk Insights Conference, held during Cyber Week, featured risk management professionals and more than 18 panels and sessions on Oct. 25. The keynote was delivered by Adm. Michael S. Rogers, former Navy commander of U.S. Cyber Command and Director of the National Security Agency (NSA), under the administrations of Presidents Obama and Trump. Rogers discussed rising cyber threats and offered advice to providers and consumers as they assess their cyber insurance policies.
“For insurers, you need to be prepared, because the list of actors is growing and the threat is growing,” Rogers said. “Don’t build on a strategy [where you believe] things are getting better.”
He also put a particular spotlight on the fact that there is no universally accepted guideline for cyber threats when considering acts of war. Cyber, he said, differs from traditional triggers because there’s typically no physical injury or loss of life.
“You have these wholly different international views, because nation-states in western democracies do not have ownership of the web,” he said. “They do not control their citizens and control the flow of data,” as opposed to countries with greater control of information.
“Because you have these broad, polar views it’s been difficult at times, on an international level, to get a consensus on what a framework be like to set a cybersecurity standard,” which Rogers added, could help define how a cyber attack might be considered an act of warfare. He proposed an approach that could start nations on a path to a universally accepted guideline: “Can get we get a smaller subset of issues to coalesce around a core group of principles, start small, and build from there? I think we’ll have success that way.”
Rogers noted that he is a proponent and believes incentivization may be the key to keeping businesses safer and maintaining lower premiums, using features of the automotive industry as an example.
“Automatic brakes and safer vehicles, for example, were an incentive for the buyer and the seller,” he said. “Production and consumption were all incentivized to make better decisions. I don’t know if it will work [with cyber insurance]. It’s all about risk.”
Rogers’ insight dovetailed along with the new information from the eighth annual Advisen cyber survey that Zurich Insurance released at the opening of the conference.
The percentage of companies that purchase cyber insurance, either via stand-alone policies or endorsements, has increased 40 points since 2011. This year’s results show a 10% increase from 2017, the largest year-over-year increase since its inception.
“Cyberrisks continue to change and businesses continue to look for ways to protect themselves from those risks,” said Paul Horgan, head of North America Commercial Insurance for Zurich North America. “These survey results provide a critical snapshot of the attitudes, concerns and actions of risk managers. It is our responsibility to respond to their needs and concerns with innovative services and solutions.”
Survey results show the two most influential factors driving cyber insurance purchases in the past year:
- regulatory changes such as the European Union’s (EU) General Data Protection Regulation (GDPR), and
- business continuity risks such as the Dyn distributed denial of servicer (DDoS) attack, WannaCry and NotPetya events. These caused significant losses to businesses around the world, shutting down network systems and in many cases slowing or actually halting business operations.
The Advisen data reflects a stark contrast to the feedback from last year’s survey, which found that just 10% of respondents identified business interruption as the primary reason for purchasing cyber insurance and that purchase growth had gone stagnant after a steady six-year increase from 35% to 65%.
These factors were two of the top emerging cyberrisks identified by Risk Management magazine in early 2018.