2016 PLUS Cyber Symposium Takeaways

Three Takeaways from the 2016 PLUS Cyber Symposium

There’s an old saying that 90 percent of life is showing up. This expression is especially relevant in the emerging world of cyber insurance. Showing up at cyber-security conferences is the only way for underwriters of this kind of insurance coverage to gather accurate, timely data. This information is the lifeblood of all those in this profession. Underwriters need the latest intelligence to target customers, draw conclusions about different risks, determine appropriate attachment points and limits, and calculate the potential costs of various types of claims. Yet those in this emerging field of cyber security can’t log on to their equivalent of the Stanford Law School Securities Class Action Clearinghouse the way D&O underwriters can to scrutinize data pertinent to their area of the insurance industry.

The good news is the number and quality of cyber-security conferences is growing. This year, for just the second time, the PLUS Cyber Symposium held in New York City featured cyber security as the sole focus of a single-day event. The gathering drew not just underwriters, brokers and others, but also practitioners from other aspects of cyber security — lawyers, analysts, vendors, government officials, and executives from hospitals, communications providers and standards-setting agencies. In the spirit of information sharing that’s vital to cyber-security underwriters, here are the three main points of intelligence takeaways from the symposium:

Don’t dismiss writing cyber-security coverage for retailers; get smart about doing it.

Most people think of cyber security when they hear — from friends, family members and the news — about incidents in which people’s credit card information has been released inadvertently to the public or accessed illegally by hackers and sold. The same thinking goes for most underwriters. What you don’t hear about are the actions retailers take to safeguard personal information and the decisions the payment-card industry as a whole makes to penalize companies that experience data breaches.

Learning how retailers operate within the payment-card industry has enabled my team to write much more accurate and comprehensive policy forms.

The PLUS Cyber Symposium gave attendees deep insight into these actions and decisions. One panel discussion — dubbed “Dude, Who Swiped My Credit Card?” — was especially revealing. Participants from different areas of the payment-card industry explained how they define, assess and handle data breaches. Even more specifically, these experts detailed the risk implications of EMV (EuroPay, MasterCard, VISA) compliant terminals, end-to-end encryption and tokenization. These are the sorts of matters that underwriters rarely learn about in any thoughtful, meaningful way. The panelists then outlined how oversight authorities evaluate data breaches and quantify fines and penalties assessed to retailers in response to breaches.

Learning from experts exactly how retailers operate within the payment-card industry has enabled me to understand the variety of factors that go into writing policies: what to look for when considering cyber-security risks; which types of retail operations should make up your book profile or basket of risk; how the prospect of fines and penalties should be accounted for on policy forms; the dramatic influence emerging case law, regulations and standards is having on this nascent insurance sector. All of these insights mean you shouldn’t dismiss retailers as cyber-security customers. Instead, the symposium showed insurers ways they can be smart about providing coverage for these businesses.

Threats to cyber security extend far beyond personal data.

Cyber security is much more than safeguarding the personal data of credit card holders. Data breaches occur when people lose their laptops or have them stolen; or when personal and corporate communications systems are infected by malware and ransomware. Breaches also involve hospitals that gather and store the health information of patients. Most people have a glancing knowledge of these facts. What goes largely unnoticed are the effects cyber events can have on manufacturing facilities and large-scale energy-producing infrastructure such as power plants, pipelines and electricity grids.

Symposium panelists did an excellent job of quantifying the effects of these events on energy supply chains in North America. When hackers infiltrate and disrupt the workings of an element of these chains, the damage can be enormous to property, revenues lost to interruption of operations, and even workers, whose health and safety is jeopardized. Cyber events also have a cascading effect on businesses down-stream, such as manufacturers, whose plants and assembly lines are at risk of grinding to a halt. The financial losses associated with such disruptions can be substantial, meaning these companies require insurance coverage to protect them if and when disruptions to their operations occur because of cyber attacks. Not to mention the potentially catastrophic pollution that might result from a breakdown along the energy supply chain as a result of a cyber event.

Cyber events that affect the energy supply chain also have cascading impacts on businesses down-stream, including operational disruptions, revenue losses, pollution and injuries to workers.

Compounding this threat is the fact that cyber-security risk management and maturity in the energy and manufacturing industries lags far behind that of other sectors of the economy. More bad news: enterprises along the energy supply chain do a poor job of collecting the information that underwriters require to perform all the activities necessary to write fair and complete coverage for these businesses. Tools are available to model risks and associated coverage of them, but these are just models at the moment. Until risk-management plans mature and until more accurate and timely data becomes available to underwriters, this critical component of the continental economy will remain exposed to the potentially significant effects of cyber attacks.

Underwriters in cyber security have an obligation to build and share information.

Underwriters have a responsibility to help these and other enterprises identify and share this critical data, building up a repository of accurate and comprehensive information on which all players can draw. That’s why showing up at gatherings such as the PLUS Cyber Symposium is an essential part of your work. Until cyber-security underwriters can access data via something similar to the Stanford Law School Securities Class Action Clearinghouse, you need be present and visible at large gatherings to build relationships with vendors, lawyers, breach coaches, notification specialists and other professionals from across the world of cyber security. You need to show up in this way so that not only do underwriters ensure businesses have appropriate coverage, but also as insurance professionals you can help these enterprises limit the impact, assess the damage, and get their operations back to normal as soon as possible when cyber events occur.

Argo Pro, for example, has taken what was learned at the 2016 PLUS Cyber Symposium to take both immediate actions and long-term decisions. The actions include rewriting its cyber policy form. The long-term decisions involve answering questions surrounding the company’s cyber-insurance strategy — which enterprises it will target, how it will market to them, how it will write coverage for them and how big should the book of coverage grow to be.

At the same time, this strategy must and will remain fluid for the foreseeable future to account for new information and knowledge.