Coverage, Breaches Highlighted at Advisen Cyber Conference

NEW YORK—Advisen’s Cyber Risk Insights Conference, held during Cyber Week, featured risk management professionals and more than 20 panels and sessions on Oct. 26. The keynote was delivered by former New York City Mayor Rudolph W. Giuliani, currently the chair of Greenberg Traurig LLP’s Cybersecurity, Privacy and Crisis Management practice. Giuliani used sports analogies to describe the cybersecurity industry, noting that, “the defense trails the offense by about five years.” Comparing the newest waves of protection software to a strong rookie pitcher, he said, “A new pitcher may come along and strike everybody out as he goes through the league a few times. But eventually he gets figured out and [hackers] figure it out,” he said. “It needs at least a year of being attacked for real,” to find the gaps in efficiency, and leads to the “the kind of experimentation that will yield better results.”

In the session, “SME: In A League of Their Own,” moderator John Mullen, CEO and founding partner of Mullen Coughlin, a cybersecurity and data privacy firm, discussed the growing importance of cyber insurance among small- and medium-sized companies. He asked panelists where they have seen productivity. Panelists agreed that growth among small law firms and accounting firms were strong contributors. Michael Bruemmer, vice president of Experian’s Data Breach Resolution Group, noted he is already seeing breaches of W2 tax forms, which he said is worrisome with tax season approaching. “With some of the recent, large incidents and all the information that was compromised, I think W2s are going to come roaring back again,” Bruemmer said.

As for a look into the future, Bruemmer noted that while startups show great potential for growth, they need to make cyber policy purchases while in their infancies. “Any startup needs cyber protection,” he said, adding that this is particularly crucial during the initial financing and hiring stages, as “You see too many of them go out [of business]. They’re great companies with great ideas but they don’t consider cyber.”

Andy Lea, CNA’s vice president of underwriting for E&O, cyber and media, echoed those sentiments, saying that with the thousands of businesses created each year, “there will always be new buyers and there will be opportunity for this industry to provide value.”

During an afternoon panel, Erica Davis, Zurich North America’s senior vice president, specialty products and E&O, highlighted results from the newly-released annual  Advisen Information Security and Cyber Risk Management Survey, which found that risk professionals view cyber-related business continuity risk less seriously than data integrity risk. This was surprising, she said, as business interruption costs have risen and high-profile business interruption attacks have taken center stage.

The survey also found that just 10% of respondents identified business interruption as the primary reason for purchasing cyber insurance and that purchase growth has gone stagnant after a steady six-year increase from 35% to 65%. Davis noted that the survey ended before the Equifax breach announcement in September.

“These findings may indicate that businesses are not up to speed on the magnitude of the impact that business interruption losses are beginning to have,” she said. “Annually, the survey results are critical for understanding how businesses are thinking about cyber risk and what we need to do to help them protect themselves as we watch this issue continue to evolve.”

The study found that corporate concerns about cyber may be waning, even as the nature of cyberattacks has evolved to include ransomware and malware

According to the study:

  • For the first time in the seven years of the survey, there has been a decline in how seriously C-Suite executives view cyber risk.

  • 60% of the risk professionals surveyed said executive management view cyber risk as a significant threat to their organization—down significantly from 85% in 2016.

  • Only 53% of respondents knew of any changes to their companies’ cyber security systems in response to the high-profile attacks that took place in early 2017.

Tom Ridge Tells Cyber Conference Insurance Should Incentivize Risk and Resilience Planning

tom ridge advisen cyber risk conference

More Americans worry about being hacked than they are of mugging, burglary, sexual assault, murder, or physical harm of a child, according to a new Gallup poll. While hacking concerns did increase with household income, they impacted a majority of Americans in every income and age bracket, while no other form of violent crime surpassed 45% of those polled.

A new survey from Advisen and Zurich found that this fear is nearly universal for companies as well. Across industries, 88% of businesses view cyber as at least a moderate risk – up to 93% among larger businesses and 81% among small. Despite this widespread recognition, however, fewer businesses have a breach response in place than just a year ago. In 2014, only 62% have a response place – a 10% decrease from 2013. Yet 66% now use cloud services, presenting a 20% jump from last year.

“Clearly, security concerns are being outweighed by the benefits of technology,” said Erica Davis, Zurich vice president and assistant national manager for E&O, while presenting the findings on Tuesday at Advisen’s Cyber Risk Insights Conference.

Throughout the conference, consensus was clear: the 69% of Americans and 88% of businesses are on the right track, as their fears are well-founded. “There are two types of banks today: those that have been breached, and those that will,” Roc Starks, senior vice president and director of corporate insurance at Citizens Bank, said at one of the day’s panels. “First response is the critical difference in how banks and customers will fare.”

Keynote speaker and former Director of Homeland Security Tom Ridge (now of Ridge Insurance Solutions) shared this outlook on cybersecurity across industries. “There are going to be breaches,” he said. “Resilient companies are the ones that are prepared to respond.”

Yet breach response without risk management and an eye toward mitigation is no longer sufficient. “Those prepared to organize around risk and resilience are those that will withstand and lead,” he added. “By the time we get here next year, the risks will be different – the digital sun will never set.”

The landscape of cyberrisk and hacking schemes is constantly evolving, and changing at a scale and speed unlike anything seen before, Ridge said. For attendees, there was little doubt about this insight, as panelists throughout the day detailed new phishing schemes seen, top areas of emerging vulnerability, and the myriad breaches they or their industry colleagues have navigated. More companies are investigating the most useful forms of coverage for their unique exposures and exploring what management structures and risk owners are most effective to monitor and mitigate cyber. The recognition is there, and so are some of the solutions, but the insurance landscape must still evolve, as must the strategies. “We’ve seen a mind-shift,” Ridge said. “CEOs get it, but they do not know what to do and who the threats come from.”

To that end, there is more the industry can do to help. Ridge lauded the idea of “intelligent insurance,” arguing that, in addition to devoting greater resources to investigating cyber threats, the insurance industry should turn its attention to incentivizing companies to manage cyberrisk more effectively.

Much as in insurance disciplines like kidnap and ransom, some of the greatest benefits of insuring cyberrisk may come from the processes of evaluation and contingency planning. According to Ridge and other conference speakers, finding out how to oversee and incentivize those processes may be the next adaptation for cybersecurity insurers.