"The creativity behind cyber-attacks is endless"

Marek Stanislawski: As far as cyberattacks go, malicious actors are being far more targeted and specialized in their actions. The ransomware attack on Norsk Hydro, for example, was combined with an attack on its user- and log-in systems. And, they don’t stop getting ever more creative: Recently, there was a campaign of malware injection into LinkedIn invites! Social engineering and phishing scams are getting more bold. Luckily, there hasn’t been a major global campaign since WannaCry and NotPetya in 2017. But, that doesn’t mean the next one isn’t around the corner.

Another trend, especially in Europe, is disclosure. Many companies used to be highly secretive about their cyber exposures and try to avoid going public when they suffer an incident. However, the Danish shipping company Maersk, for example, was extremely forthcoming with information in 2017 about its problems following the NotPetya attack. Norsk Hydro also handled the crisis pro-actively with regular updates on their website. These companies put themselves in the spotlight and really set the standard for disclosure—to the benefit of all, because information sharing is a key strategy to combat cyber risks.

 

Emy Donavan: A further trend we’re seeing is the recognition of the importance of both business interruption and data breaches as key cyber risks—not just one or the other. Up until the last few years, the US focused almost exclusively on data breaches. Given that most cyber-insurance is written in the US that really influenced the direction of the industry. Europe had been more focused on business interruption, but since the run-up to and introduction of the EU’s General Data Protection Regulation (GDPR), data breaches have become more relevant, because the financial stakes are now much higher in the event of an incident. Just look at the £183 million ($220 million) fine for British Airways which suffered a breach that resulted in the personal data of 500,000 customers being stolen. Similarly, the US has begun to recognize the issue of business interruption, due to some significant losses like the estimated $300 million that NotPetya cost FedEx by disrupting its operations. So, we’re seeing increased recognition on both sides of the Atlantic that BI and data breach are key cyber risks.

Emy: Cyber awareness has significantly increased among businesses. Many of our clients are more informed and, of course, as they know their own operations better than we do, they’re coming to us with very specific examples of what they’re concerned about. For example, if their server room gets flooded, they know their property insurance will replace the machines, but what about the data? Is it only covered if they get hacked? That allows us to have some really intelligent conversations with them, which in turn improves both our products and their customer experience. We’re seeing a lot of requests for enhancing coverage, for example by adding regulator actions, further business interruption triggers, and so on. However, at the same time, we as insurers have a list of risks we are currently comfortable to cover as cyber is still an emerging risk and challenging to model and predict. We will offer highly modularized cyber covers which can be adapted to a client’s specific cyber exposures. Overall, the cyber insurance market is growing, mostly in Europe. At AGCS expect to exceed the 100 million Euro threshold in global written premiums by end of this year. 

Marek: Cyber incidents can occur at any time with various potential impacts to an organization. Any cyber resilience plan should rely on robust security and effective incident response plans, along with rigorous training of all employees. Staff awareness is really key as the root cause of many cyber incidents is human behavior. More and more companies consider cyber insurance as an important component of an organization’s broader cyber resilience plan –  as always it’s about prevention and cure. There is no 100 percent security and if a company suffers a hacker attack or IT system outage, cyber insurance softens the financial blow and ensures a speedy response with support from IT forensic specialists, lawyers and communication professionals. We provide these crisis management services through our partner network, helping companies return to normal operations as soon as possible.

Marek: Basically, many traditional commercial insurance policies were written at a time when cyber wasn’t even considered as a risk. As such, the policies don’t explicitly include or exclude cyber risks—they’re ‘silent’ on cyber. That means we lack transparency in our portfolio and it could also lead to nasty surprises for customers once they suffer a loss and don’t know whether it’s covered or not. So, the Allianz Center of Competence for Cyber has been working with all Allianz Property & Casualty (P&C) entities to ensure that all policies are reviewed and updated in a clear and transparent way in regard to silent cyber exposures by beginning of 2020. AGCS as corporate insurance carrier already started implementing this new strategy in 2019. It’s been a very challenging project with over 240 enhancement ideas considered.

Emy: Generally speaking, stakeholder feedback has been very good, because there’s much more transparency on the risks covered and on our portfolio. So, it’s a big improvement for clients and us, but also for brokers, regulators, rating agencies, and others. All P&C wordings across all Lines of Business at AGCS have been updated, though there are still some filing requirements and regulations in certain markets slowing things down.

Emy: All of the Allianz Operating Entities (OEs) have now gotten to the point where they’re implementing updated cyber clauses where they can. There are certain OEs, for example Allianz Deutschland, where they have such a big portfolio that it’s going to take them a couple of years to get all the wordings migrated over, just on the sheer volume of the business that they transact. They’re not the only ones challenged in this way, but they are the largest one.

So, we are seeing differences in implementation from market to market, mostly based on the way that insurance is regulated locally, but also based on the particulars of the book make-up for any given OE. Most of the OEs are implementing as quickly as they can and we’re moving in the right direction, but there’s still plenty to do.

Emy: You know what’s cool about cyber insurance? It’s always changing and developing. You’ve got to have your finger on the pulse of what the risks are, what the impact of new developments is, and how we should best be approaching the risks. I don’t know if that’s reassuring or frightening to people, but from my point of view, it always keeps things interesting and fresh.

Marek: For me, it’s being in the middle of the greatest developments for humanity. Technology is changing our lives. It’s exciting to be at the forefront of these major developments—both good and bad, for example the endless possibilities of digitalization or creativity of new attacks—and being able to have an influence on the direction of where things are going. Cyber keeps our customers awake at night and we as an industry have to make sure that we effectively help mitigate this risk.