(Top) Matt Prevost, Senior Vice President, Cyber Product Line Manager, Chubb; Siegfried Rasthofer, Senior Cyber Security Expert, Munich Re; Catharina Richter, Global Head, Cyber Center of Competence, Allianz. (Bottom) Stuart McKenzie, Senior Vice President of Mandiant, FireEye; Jad Ariss, Managing Director, The Geneva Association.
Participants discussed how to manage media hype around cyber events and ensure that the information provided to the insurance industry, on the characteristics of the event and the corresponding losses, is accurate. This will better enable the industry to assess its appetite to cover similar future events and help improve projections of future losses, both economic and insured, using realistic disaster scenarios. Information about the interconnectivity of insurance policies covering cyber risks within a portfolio and the potential for accumulation losses, of particular relevance for the industry, can guide future decisions concerning capital requirements and risk appetite and inform the underwriting process.
Working more closely with technical experts will be key in addressing software supply chain events, particularly in the areas of cyber underwriting and claims. Because victims often trust their software supply chain vendors, they may become complacent in believing their security is fully taken care of. Instead, insurance customers and society at large should increase their awareness of the risks and possible safeguarding measures, with an emphasis on more actively monitoring one’s own systems. Insurers should continue to take an active educational role in providing guidance on cybersecurity and measures to reduce risks. However, reaching a point where there are no vulnerabilities is unlikely; mitigation and containment of cyber events will be key.
Although many organisations prioritise protection against cyber threats, cost, functionality and internal negotiations may be obstacles to purchasing the optimal security products. Furthermore, there will never be a single cyber safeguarding measure that is universally applicable across all companies, due to the complexity of each company's internal cyber infrastructure. As a starting point for enhanced cyber protection, software providers should ensure all of their customers meet a minimum standard of cybersecurity. Although this would not be a panacea for cyber protection, it would create a good baseline for setting higher standards.
The insurance industry should also focus on removing monetary incentives for carrying out cyberattacks. It will first need to analyse how cyber criminals make money and seek to regulate the use of digital currency, the most common method of payment to cyber criminals. Effectively regulating digital currency to enable authorities to follow money trails and identify cyber perpetrators may, for example, disincentivise ransomware attackers. In future, the insurance industry may engage with regulators on the potential suitability of regulation for digital currency.