From Stephanie Lynch: Summary of New Cyber Insurance Study

In this post, Stephanie Lynch provides an excellent summary of the recent Guy Carpenter and CyberCube study “Looking Beyond the Clouds,” which looks at potential U.S. cyber insurance industry catastrophes and their financial fallout. You can download the study itself from the Guy Carpenter website.

It is crucial that we, as the cyber insurance market, put in the work to understand the characteristics of catastrophic cyber events and the financial impact they could have on our industry. Guy Carpenter and CyberCube Analytics have collaborated on a study to quantify cyber risk, specifically looking at potential U.S. cyber industry catastrophic and systemic loss events.

The study is done on a synthetic cyber portfolio representing the U.S. standalone cyber market, informed by Guy Carpenter’s view of the market. GC started with a base portfolio of just over 6k policies with a combined premium of $285m, estimated to represent about 10% of the U.S. cyber market. It was tested and extrapolated out using the proportion of risk sizes seen in the underlying exposure dataset, to create a total market view of $2.6b and about 55k policies. It’s important to note that this study does not contemplate endorsements, package policies or non-affirmative cyber within other lines of business, but exclusively looks at standalone cyber policies.

CyberCube had developed 23 catastrophic loss scenarios on their platform, ranging from attacks on critical infrastructure, to large-scale cloud ransomware at a leading cloud service provider, to widespread theft from a major email service provider. What sets CyberCube apart is access to data from both inside and outside the firewall, which builds a more complete view of the risk, due to their exclusive access to information from Symantec, the world’s largest cybersecurity firm.

All modeled results are based on 10k simulations run on the synthetic portfolio through these 23 loss scenarios in the CyberCube platform. The analysis and results can be found in much more detail within the study itself, but a few key takeaways:

  • The costliest cyber catastrophe scenario modeled was widespread data loss due to zero-day vulnerabilities within a leading operating system, which caused a $23.8b insured loss to the market. The likelihood of this event is also the lowest (beyond the 1:300 year return period), but it is similar to what occurred with the NotPetya attack that was mostly uninsured.
  • The most likely loss scenario was widespread data theft from a major email service provider.
  • The second most likely was large-scale ransomware at a leading cloud services provider.
  • Companies with revenues greater than $1b, regardless of industry, represent about 75% of the insured loss.
  • Financial firms were most impacted by these systemic events, accounting for ~20% of the insured loss. This isn’t all too surprising due to the larger insurance takeup rate in the cyber market by these firms.
  • While the loss drivers of each of these scenarios are different, it is important to note that Business Interruption costs, often caused by supply chain delays, are a big part of these catastrophic loss costs. The BI component of cyber insurance has evolved rapidly over the last few years, and we have seen waiting periods and sublimits erode considerably over this time as well.

Rebecca Bole of CyberCube Analytics says, “Insurers and the organizations they insure need to be aware of these major scenarios, and understand the response plans necessary and the potential financial losses in each of these scenarios. The industry must invest in effectively assessing and managing aggregations, educating the business community to drive product adoption and quantifying cyber risk to promote the purchase of adequate insurance limits.”

Hopefully this study has got the conversation started within the businesses with these exposures, the insurance carriers covering them, and the reinsurers backing them. Since there hasn’t yet been a U.S. insured catastrophic, systemic cyber loss, it is a challenge for (re)insurers to estimate the size and scope of what such a loss would look like on their balance sheets. Readers are encouraged to read through the study and the details of the top 5 catastrophic loss drivers. It is important for us all to analyze our portfolios with these catastrophic scenarios in mind, and this study is a great place to start.

Stephanie Lynch is a treaty reinsurance underwriter and account executive with 5+ years of full-time industry experience. She is responsible for developing, growing, and managing treaty reinsurance broker and client relationships and underwriting proportional and non-proportional professional liability programs.

Her treaty reinsurance background began on the actuarial side of the business, working on the reserving team at Arch Reinsurance. After a few years, she made the transition to underwriting, working with the professional liability treaty reinsurance group. Stephanie joined the professional liability underwriting team at Safety National Re in September of 2017 working on both medical and non-medical professional liability.

Stephanie is a graduate of The College of New Jersey with a Bachelor’s degree in Mathematics and a minor in actuarial science. She has achieved the CPCU, RPLU, CYB, ARe, AINS designations and is a licensed NJ producer in property, casualty and surplus lines.


From Kurtis Suhs: Managing a Company’s Cyber Risk is a Team Effort

In the following guest post, Kurtis Suhs explains how general counsel is crucial in managing cyber risk before a cybersecurity breach occurs. This article was originally published in CyberInsecurity News in October 2019. Thank you to Kurt for his insight on this important topic.

The general counsel’s role in managing cyber risk should start well before a cyber incident. From projects that may range from compliance work, third-party contract reviews and vendor due diligence to employee training and tabletop exercises, in-house counsel can be prime contributors to cyber risk readiness.

As the threats of significant financial loss and reputational damage continue to grow, lawyers can help drive the process to elevate their organization’s cyber risk readiness. In the past three years, the role of in-house counsel has greatly expanded in response to increased civil litigation, regulatory scrutiny and a steady stream of new international, federal and state laws.

General counsel are often well positioned to help coordinate the efforts of their colleagues. That is because cybersecurity is not just an IT issue, but a business strategy that may create legal obligations for the organization. And no one group can build cybersecurity alone. This is definitely a team sport, and it requires a roster that is wide and deep. Let’s review some of the players.

Board of Directors

Boards of directors are ultimately liable for a company’s missteps and responsible for its survival, and in today’s interconnected world, cyber resilience is a big part of that responsibility. General counsel today are seen as trusted board advisers who wield influence over their companies’ legal and business strategy. Instead of reactively analyzing an issue from a purely legal perspective, GCs help remove obstacles and foster business objectives in a proactive manner. Meanwhile, they are expected to ensure that the organization maintains the highest standards of legal and ethical behavior, adroitly balancing the dual imperatives of company performance and corporate integrity.

The importance of the law department is reflected in the second of five principles listed below, which spell out what all corporate boards should consider as they seek to enhance their oversight of cyber risks. These appeared in the Director’s Handbook on Cyber-Risk Oversight, published by the National Association of Corporate Directors (NACD).

  • Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT
  • Directors should understand the legal and regulatory implications of cyber risks as they relate to their company’s specific
  • Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the Board meeting
  • Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and
  • Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

Outside Counsel

In-house counsel should have a relationship with a law firm that has expertise and experience with data breaches, privacy laws and regulations. One of the most difficult challenges in responding to an incident is deciding whether it triggers statutory or contractual notification obligations that involve employees, customers, vendors, insurers, regulators and law enforcement.

But just as important, outside counsel should be hired by the company that has suffered the potential attack to retain the third-party vendors it will need to work with. This helps ensure that discussions and work product are subject to attorney-client privilege. Without this privilege, any third-party work product may be subject to discovery by the plaintiffs’ bar for use against the entity or the organization’s directors and officers.

Information Security

In conjunction with their information security teams and other personnel, the general counsel can help develop key aspects of a cybersecurity program. These should include data inventories, risk assessments, compliance strategies and incident response plan testing through tabletop exercises and breach simulations. With guidance from the information security team, in-house counsel should ensure that the written information security plan is achievable and has buy-in from all stakeholders. Furthermore, general counsel should ensure that the plan complies with and meets the minimum standards required by the relevant states.

Risk Management

In-house counsel should work closely with their organization’s risk management team to protect the company in the event of an attack. Insurance brokers and outside counsel should also be consulted to best match the types of coverage and policy terms that the organization needs. They can also help risk management evaluate cyber risk within each property and casualty insurance policy, examining for affirmative coverage, excluded coverage, sub-limited coverage or silent coverage (where cyber risk is neither affirmed nor excluded).

Human Resources

Given that a number of cyber incidents emerge due to the actions of an organization’s own workforce, in-house counsel can play a crucial role in managing those risks. The lawyers can assist the human resources department to ensure that an organization’s policies are not only drafted but followed, and that disciplinary measures are taken in the event of a violation. The areas covered should include cybersecurity, physical security, data security, security training and employee conduct.

Facilities Management

Physical security is a vital part of any written information security plan. Getting the right people involved will save valuable time and effort as plans and strategies are developed for new and existing resources. From the initial point of physical entry to the protection of an asset, general counsel can take an active role by offering oversight, marshaling resources and serving as an advocate for key stakeholders.

Law Enforcement

Organizations should also develop relationships with law enforcement before a cyber incident. General counsel can often serve as the initial point of contact and help agents access documents and witnesses. Time is of the essence, particularly with business email compromise through hacking and phishing attacks. If victims contact their local FBI field office within 48 hours of a loss, the FBI’s Recovery Asset Team has a 75 percent chance of recovering those funds.

The Bottom Line

Just as technology, advanced persistent threats, litigation, legislation and the regulatory landscape are rapidly changing, so is counsel’s role within the organization. By actively managing decision-making throughout the risk assessment and compliance process, counsel can help prepare their organizations to detect risk and effectively respond when threats arise.

Kurtis Suhs is the Managing Director of Cyber Special Ops, LLC, a Georgia-based company that he founded to advance cybersecurity by using specialized teams and risk management techniques to prepare for and respond to a cyber event. He has over 33 years of experience in the insurance and financial services sectors, and helped launch the first cyber insurance product in 1997.

Using the concierge medicine model, Cyber Special Ops provides guaranteed access to highly credentialed third-party providers for a modest annual membership fee.