Cyber Conference 2024

Vincent Tizzio, President & CEO, AXIS

Cyber insurance plays a pivotal role in protecting the global economy amidst escalating cyber risks. Collaboration, innovation and enhanced underwriting capabilities are needed for insurers to navigate the rapidly evolving threat landscape.

Limited risk-absorbing capacity to respond to large-scale cyber events is a challenge facing the insurance sector. Leveraging data, analytics and AI will be critical to improving loss prevention and claims management. The debate is also ongoing – particularly in North America – on the potential need for government-sponsored financial backstops to address catastrophic cyber risks.

Insurance-linked securities (ILS) are emerging as a means to expand capacity, with AXIS recently launching the industry's first fully-securitised cyber-ILS transaction. This area is gaining increasing interest from capital market investors.

Anne Neuberger, Deputy National Security Advisor of the United States

Global cyber threats are increasing in complexity, shifting from espionage to disruptive (and sometimes destructive) attacks on critical infrastructure. Ransomware is also a continuing menace, predominantly driven by criminal groups. Robust cybersecurity practices are urgently needed to mitigate these risks.

Closer collaboration between governments and the private sector, particularly the insurance industry, is needed to incentivise risk-prevention measures such as data encryption, multi-factor authentication and incident-response planning. Avoiding ransom payments (including reimbursements by insurers) is also important as they only perpetuate attacks. Enhanced intelligence sharing can also bolster firms’ cyber defences.

Attribution challenges persist in cyber, especially given the blurring of lines between nation-state threat actors and cybercriminals/’hacktivists’. Insurance plays a critical role in fostering proactive cybersecurity and aiding recovery from incidents, but innovation is paramount to keeping pace with evolving threats. Ultimately, public-private partnerships will help to strengthen economies’ resilience in an increasingly interconnected cyber landscape.

Frank Schmid, Gen Re; Denis Mandich, Qrypt; Sasha Romanosky, RAND; David Stone, Google 

This panel discussed the complex interplay between advanced technologies, such as AI and quantum computing, in both enhancing and undermining cybersecurity. AI has emerged as a powerful tool for improving defences, such as detecting phishing attempts and securing endpoints, but it simultaneously lowers barriers of entry for attackers, enabling more targeted and frequent cyberattacks. While its potential for defending against threats is significant and continues to develop, attackers often outpace defenders in adopting new technologies to exploit known or latent vulnerabilities.

Quantum computing arguably poses an even greater challenge than AI, at least over the longer term. Its exponential power could ultimately break existing encryption standards like RSA which are vital for secure data transmission, raising the importance of a viable transition to post-quantum cryptography. However, this transition faces significant logistical and technical hurdles, with timelines spanning decades. The concept of crypto agility – quickly adapting to new encryption standards – is essential to mitigating this risk.

Social-engineering attacks, fuelled by ever more publicly available digital data, are becoming more sophisticated. Both technical defences and user education are needed to build resilience against such threats. A shift in cybersecurity priorities from pure defence to recovery and resilience is needed. Rapid recovery after cyber incidents is becoming a key focus area for organisations and insurers.

Safeguarding against risks from dual-use technologies requires a multi-faceted approach involving public-private collaboration, advancements in encryption and organisational emphasis on resilience. Proactive efforts to address vulnerabilities and adapt to evolving threats are critical in navigating rapidly changing technologies.

Danielle Roth, AXA XL; Terence Coates, Markovits, Stock & DeMarco; Al Saikali, Shook Hardy

This session explored growing third-party liabilities arising from cyber incidents, focusing on the legal and regulatory challenges faced by businesses in an era of increasing data breaches and privacy concerns. There is a rise in class-action lawsuits driven by data misuse, wrongful collection and emerging liabilities beyond traditional breaches, such as companies’ use of tracking technologies like pixels and cookies.

Plaintiff attorneys are leveraging new legal theories and evolving case law to target even small-scale breaches. Meanwhile, defendants face mounting legal costs due to the increasing volume and complexity of these cases, with procedural mechanisms, such as motions to dismiss and class certifications, becoming increasingly pivotal stages in litigation. Regulatory developments, particularly around privacy laws and enforcement by state attorneys general, add further complexity.

In order to mitigate risks and better understand the implications of rapidly changing legal landscapes, organisations should ensure transparency in data-collection practices, adopt robust cybersecurity measures and engage experienced legal and risk-management teams.

Brian Lewis, Lockton Re; Lori Bailey, AXIS; Gordon Malin, Elpha Secure; Rachel Patrizzo, HSB; Matt Prevost, Chubb 

This panel focused on the evolution of cyber-insurance products in response to the evolving risk landscape and increasing demand for innovative solutions. Cyber-insurance penetration is low among small and medium-sized enterprises (SMEs), despite their relatively high exposure to cyber risks. Offering value-added services, such as security-scanning tools, threat advisory and education, could incentivise insurance adoption. 

For larger organisations, the integration of technology, such as advanced risk engineering and real-time vulnerability scanning, is crucial for both underwriting precision and improving insureds' security postures.  Aligning premiums and coverage terms with security practices, like multi-factor authentication and endpoint detection, is also a way to promote better risk management.

The industry needs to differentiate between attritional losses and systemic risks. Solutions such as bifurcating the product or designing specific endorsements for catastrophic events can help manage capacity and ensure sustainable market growth. However, challenges remain in balancing innovation with the need for standardised policy language, particularly around exclusions for war, terrorism and critical infrastructure failure.

Overly broad policies that attempt to cover both first- and third-party risks are concerning: clearer terms are needed to improve transparency and policyholder understanding. Despite these challenges, the industry has the promising ability to innovate and adapt while fostering growth through collaboration, improved risk assessment and better education for buyers and brokers alike.

Simon DeJung, AXIS; Aidan Flynn, Beazley; Tom Johannesmeyer, University of Kent, Canterbury; Institute of Cyber Security for Society (iCSS); John Kelly, Envelop Risk Analytics; Joanna Syroka, Fermat Capital Management; Josephine Wolff, Tufts University

This session explored how to facilitate the transfer of catastrophic cyber risks to balance sheets best able to absorb them and examined institutional innovations that could overcome related challenges. There are gaps in market capacity for extreme cyber losses, and it is difficult to model and underwrite systemic cyber risks, such as nation-state attacks, critical infrastructure failures or widespread internet outages. Quantifying and pricing such risks is complex, and there is limited appetite for covering them in traditional re/insurance markets, particularly without governmental backstops or further innovation in risk-sharing mechanisms.

Reinsurance and ILS have a role to play in absorbing large-scale risks, with some stakeholders advocating for broader adoption of non-proportional (i.e. excess-of-loss) reinsurance solutions. However, a lack of industry consensus on event definitions, such as cyber war and critical infrastructure failure, and on the implications of policy exclusions hinders market growth.

Government backstops are part of a potential solution, though there are differing views on whether such intervention would stifle innovation or provide the necessary confidence among re/insurers to expand capacity. Examples from other lines of insurance, like terrorism or natural catastrophes, were referenced to illustrate possible frameworks for collaboration between the public and private sectors. It is important to foster greater market maturity and improve modelling capabilities to better understand catastrophic cyber events.

Overall, balanced approaches that enable risk sharing without discouraging innovation or creating unintended gaps in coverage are needed.