KEY TAKEAWAYS
- Several major cyber events caused by human error, rather than malicious actions, have disrupted businesses and industries.
- Outages originating from accidents can have a longer-lasting impact than cyber attacks, since the latter are immediately addressed.
- The cyber insurance industry needs to recognize the impact such events are having on commercial policyholders.
This article from Matt Cullina, head of global cyber insurance business at TransUnion, originally appeared on Forbes.com.
Many might only think of cyber insurance as protection against malicious attacks and scams. Yet, as some recent incidents illustrate, human error and bad computer code can cause significant issues too and may prompt policyholders to reconsider cyber coverage for accidental losses.
A software update from CrowdStrike in July affected computer systems globally, causing widespread disruption and costing insurers up to $1.5 billion. A misconfiguration of Google Cloud in May resulted in a week-long outage for the 620,000 members of UniSuper, an Australian retirement fund. These incidents are just the latest examples of how a few inadvertent bad keystrokes can impact modern business operations, which are deeply intertwined with technology.
As businesses and insurers assess the effects of these incidents, it’s important to understand how they might influence cyber insurance market dynamics for similar events in the future.
Claims will have a long tail
Business interruption claims stemming from non-cyberattack causes tend to have a long-tail effect. While the urgent nature of cyberattacks typically prompts businesses to seek fast remediation, the impact of full or partial system outages might not be immediately apparent. As businesses triage the effects of such outages, it takes time before their thoughts turn to cyber insurance claims and even longer before they can begin to quantify the losses.
The impact of business interruptions unrelated to cyberattacks can be significant, with losses manifesting over an extended period. As businesses recover, the extent of their operational disruptions and financial losses may be uncovered gradually. New losses may emerge, leading to incremental claims. The protracted claims process can present unique challenges for insurers in terms of loss assessment and claims handling.
Because of this expected trend, insurers may want to dial up efficiency improvements. By streamlining the claims process and enhancing adjustor training, cyber policy providers may be able to recapture some of the expense often associated with protracted claims.
Risk assessment models will evolve
Whether disruptions are caused by a cyberattack or software glitch, the interconnectedness of modern IT systems presents a major vulnerability. Software supply chains can lead to cascading failures with far-reaching consequences. This reality increases the complexity of cyber catastrophe modeling for both businesses and insurers.
To mitigate the impact of unforeseen disruptions, insurers and reinsurers will need to evolve their risk assessment methodologies. Advanced analytics and threat intelligence will be crucial for developing more sophisticated models that can identify and quantify a broader spectrum of risks. By gaining a deeper understanding of today’s complex business interrelationships, insurers can better assess risk, price policies accurately and develop effective risk management strategies. Ultimately, this shift toward more robust risk assessment is essential for building a resilient cyber insurance market capable of withstanding future shocks.
There will be opportunities for education
The nature of cyber threats is pervasive and evolving. Major aggregate incidents are becoming more common and complex. When they capture public attention, it can be a catalyst for important and necessary conversations with customers. Insurers should seize the opportunity to offer guidance in the complicated cyber landscape. Following a significant episode, a good place to start the conversation is, “Would you have been covered for this event?”
Small businesses, in particular, likely face substantial cyber coverage gaps, especially when it comes to “contingent business interruption.” They often rely on technology vendors and third-party solutions, which are more commonly the source of business disruptions than internal system failures. Problems arising from third parties are out of their control, but the consequences are no less devastating. Contingent coverage protects a business when another party causes the disruption.
Many small businesses rely on cyber insurance riders attached to their business policies and believe they’re covered for the spectrum of cyber issues. When the worst happens, they might discover they don’t have business interruption coverage or the coverage they have doesn’t cover contingencies. Agents and brokers should annually review the types of coverages needed with policyholders, including whether a separate, more comprehensive cyber policy would be prudent.
Cyber incidents are becoming more complex
These recent accidental outages remind us of the complexity of the digital world. The interconnected cyber risks that modern businesses face highlight the need for continual adaptation in policy design and risk assessment.
The learning curve is for insurers and customers alike, but it’s incumbent upon the insurance market to adapt quickly and be part of the solution. By learning from each incident and anticipating future challenges, insurance and reinsurance firms can better serve their clients and strengthen their market positions in an increasingly digital world.