Recent cyber regulations, including the New York District of Financial Services (NYDFS) Cybersecurity Rule, the EU’s General Data Protection Regulation (GDPR), and the recently adopted NAIC Cybersecurity Model Law, have initiated the conversation regarding cybersecurity legislation. Organizations are finding that compliance with these prescriptive laws is much easier to transition towards than to build from scratch. The Council is closely monitoring these key cybersecurity regulations, all of which have potential implications for the insurance industry. In fact, according to The Council’s Q3 Property Casualty Market Survey, cyber risk was the number one concern from brokers’ clients in Q3 2017.
Not only can compliance with such prescriptive regulation become extremely expensive, but executive management teams and the boardroom alike are becoming increasingly responsible for their organizations’ cybersecurity decisions. Thus, liability is an increasing motivator for implementing and maintaining a sound information security program.
Brokers house personally identifiable information (PII), health records, proprietary information and financial records on external organizations, making them a prime target for cybercrime. It is now more important than ever for insurance brokerages to adopt a holistic security program built around four key components: prevention, detection, eradication and containment. However, a lack of cyber-expertise among executives and in the boardroom, according to experts, makes it challenging for them to effectively oversee management’s cybersecurity activities.
Prescriptive regulations similar to the NYDFS Cybersecurity Rule will follow in other states, and executives must become familiar with liabilities associated with cyber-risk. While regulation is certainly an incentive for cyber-preparedness, it is equally imperative that organizations begin assessing their cyber-posture before compliance is necessary.
Arvind Parthasarathi, CEO, Cyence
We had the chance to sit down with Arvind Parthasarathi, CEO of cyber risk modeling firm Cyence. Cyence is considered the insurance industry’s leading economic cyber risk modeling platform, which quantifies cyber risk in terms of dollars and probabilities. Cyence came out of stealth mode just a year ago with $40 million in funding and just recently announced that it will be acquired by property/casualty software provider Guidewire for $275 million. Listen to what Arvind has to say about cyber risk and Cyence’s role in the cyber insurance market.
2017 Survey of Cyber Insurance Market Trends: Advisen & PartnerRe
Respondents in a recent Advisen & PartnerRe joint study noted continued soft market conditions, less divergence in policy forms and very little impact from recent significant cyber events. While pricing was generally less consistent than last year, according to survey respondents, 62 percent of brokers agreed that cyber coverage is becoming more consistent, although it is still difficult to compare policies among different carriers. Results from the survey are consistent with The Council’s Cyber Market Watch Survey, which will be released after Thanksgiving.
What We’re Reading
A senior Securities and Exchange Commission regulator said last week that public companies will soon face new guidelines for how they report cybersecurity breaches to investors. The agency will probably update directions that it gave to companies over six years ago, in light of recent data breaches, including those at the SEC itself and Equifax Inc.
More rules may not be the best answer to protecting the financial system against cyber-attacks. After the industry and others involved in computer security discouraged regulators from creating a standard, the regulators decided not to proceed.
Against a backdrop where cybersecurity is becoming a top-level priority for insurance companies entering 2018, the National Association of Insurance Commissioners on Oct. 24 adopted a model law that lays out a defined set of terms and requirements for the insurance industry.
Property underwriters are feeling the pressure as cyber has become an increasing source of risk within the property/casualty insurance industry, according to panelists at Advisen’s 2017 Cyber Risk Insights Conference, held last week in New York City. As more cyber events trigger action, cyber policies are expected to emerge that aren’t just financial loss policies, but contain elements of all-peril and all-risks policies.
Cyber insurance is expanding and shifting its focus. Where once the primary emphasis was on privacy protection, there is now increasing attention being paid to business interruption, contingent business interruption — for disruptions caused by vendors — internet-caused property damage and cyber crime policies, experts say.
United States Attorney Deirdre M. Daly and representatives of federal, state and local law enforcement recently announced the formation of the Connecticut Cyber Task Force to investigate complex crimes in cyberspace.
Diversification is essential for evolving the cyber insurance market, yet expanding the cyber remit beyond data confidentiality and further into areas such as operational technology risk and data availability and integrity demands a common cyber risk currency.
Cloudflare and CrowdStrike CEOs recently debated whether the field is a long-term business or will instead be blended into the array of services tech giants offer customers.