Everything’s Coming Up Cyber
Being an IT professional in the insurance industry is a bit like being an engineer on an air base: in the air force, nobody listens to you unless you’re a pilot or a navigator. In an insurance company, the actuaries and underwriters get the attention, with claims breaking any ties. I wouldn’t dream of suggesting that pilots don’t earn their glory, so far be it from me to imply that underwriters, actuaries and claims adjusters aren’t critical to a successful insurance business. But when all they seem to talk about are issues rooted in technology – predictive analytics, mobile device connectivity, cyber crime, even vulnerability to solar flares – you have to wonder why, we IT managers have to struggle to get a C-level ear unless the C comes with an I and an O.
Take the other night, when I spent an evening listening to some senior executives at industry heavyweight firms (speaking to a reinsurance networking group and not for attribution, so no names) debating the emerging risks in insurance. The word of the day (okay, the prefix) was definitely “cyber”. It used to be senior management only used the cyber words to talk about new enterprise tools or nuisances like spam (often with the same tone of voice) but lately this vocabulary has appeared in more strategic discussions, because apparently cybersecurity is now an emerging risk.
Hackers stealing data is just one familiar example of a “cyber risk”. The Institute of Risk Management defines the term as “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.” That’s pretty broad: malware, data breaches, theft or malicious attacks, data corruption, digital misinformation, critical system failure, physical loss of systems, even liability for things others do and say on your servers. Since just about every business process is conducted through a connected device, then just about everything you do increases your exposure.
With all of this high-level attention, the term “emerging risk” may seem a little odd. You might wonder how the risk of someone breaching a company’s network and stealing personal identifiable information could be emerging since hackers have been doing it for decades. But compared to a car accident or even a malpractice lawsuit, the incidents are few, and the overall losses low so that it’s still hard to evaluate. There aren’t yet the statistics with which to gauge the risk and base a judgment. Worse, unlike most fires, floods, and hurricanes, these are criminal acts subject to the vagaries of human whims and social pressures in distant jurisdictions, and so it’s harder to build them into a robust model. Emerging risks are the things that the strategic-thinking insurance executive worries about because she lacks data and models. The things that are the most unpredictable are the least manageable.
And this is one of the reasons that cyber risks are so alarming. There’s a sense that we’re only just scratching the surface. Last year’s breach at Sony, and North Korea’s suspiciously coincident internet outage, hint at the scope of the potential losses. A simple data breach can remove enormous value from any company – and there are unanswerable actors capable of instigating service interruptions at their whim. The White House’s web site claims cybersecurity is “one of the most serious economic and national security challenges we face as a nation”. If you can shrug that off, consider that the U.S. Government Accountability Office issued a report in January that finds the Department of Homeland Security (into whose bailiwick this falls) has neither a strategy nor even properly identified the threat to government installations. The UK government feels much the same, with their National Security Strategy, published a few years ago, listing cyber attack as number two of the top four highest priority risks.
Even if you could trust in our benevolent political leaders to keep cyber defenses strong, the impact of a data breach isn’t limited to the loss of client confidence, reputation and perhaps regulatory fines. Financial institutions have been pretty reasonable about reimbursing clients for losses when credit card numbers are compromised, for instance; but that’s a very limited case when compared to the potential scale and scope of the overall cyber threat. If a breach results in identity theft – which could take place years from now and be hard to trace to the incident – will banks continue to be as helpful? And if that identity theft results in someone getting into the client’s apartment and starting a fire, would the bank be expected to cover the loss? Now suppose the customer actually had a personal umbrella policy that covered them for identity theft, would that cover them for the fire? What about liability for the damage to the rest of the building? The extent to which a cyber crime can expose you to other losses beggars the imagination, especially as we start to see applications for the Internet of Things get off the drawing board. It’s neat that the floor supervisor can adjust the thermostat from his phone, but who pays if someone hacks in and turns the furnace off so that the pipes in the warehouse freeze? Organizations, and their insurers, are going to have to learn about the risks, cover themselves appropriately, and start getting sticky about the fine print.
The pilots still run the air force even as they fly their planes from bunkers, and will soon enough be replaced altogether by robots; nor are underwriters likely to lose the reins of the insurance carriers just because the business is conducted in an atmosphere where IT is the oxygen. All the same, it’s gratifying that they are talking about the integral importance of technology in our business. But I do kind of wish it wasn’t because of the amount of damage it can cause.
