Cyber may need Hurricane Andrew moment to evolve

The cyber insurance sector is still struggling to come to terms with the risks it is being asked to assume but may need a major event to drive a proper defensive response.

Alistair Speare-Cole former CEO at broker JLT Towers and now President and General Manager of the Insurance Division of QOMPLX, was speaking to the Insurance Institute of London on the future of cyber defence. He warned that lessons of the past needed to be learned.

He cited the Sultana disaster, the worse maritime human loss in US history, where a Mississippi steam boat carrying over 2,500 recently released Union troops in 1865 sank following the explosion of two of the vessel’s boilers killing over 1500 passengers and crew.

It prompted a nationwide review  of the issue of boiler explosions leading to the formation of the Hartford Steam Boiler Inspection and Insurance Company a year later.

Moving closer in time he highlighted the impact of Hurricane Andrew in 1992 which caused damaged that at today’s prices would have provided insurers with a $30 billion bill.

It resulted in a move to better understand the tail wind risk.

“It prompted a realisation from all sectors that there was more to be done, physically and financially, to protect against extreme weather events and as such we saw the birth of the catastrophe model,” explained Mr Speare-Cole.  “In my view the cyber insurance industry has yet to get to its Sultana moment. Despite those who say otherwise when it comes to cyber tail wind, analysis is still rudimentary.

“Cyber has sought to follow a similar path property underwriting.”

There has been a reliance for some insurers on access to open source intelligence, that allows the insurer to think like the cyber attacker.

However, there can be a significant differences in the quality of the data provided to the companies.

He added the fact remained that  it is highly likely that the cyber-criminal will gain access to a system and as such the defences had to be within the system rather than simply looking to keep the hacker or virus out.

Mr Speare-Coal said the use of telematics was seen as a legitimate defence. The system identifies when a breach has been made and will then move to expel the hacker and create a patch to mend the access point. As such it would limit the amount of impact any attack could have.

“The longer the criminal spends inside the system then the more damage it can cause,” he explained.

Mr Speare-Cole said the industry needed to look to how its mounted a defence with greater urgency.

“It will not stop attacks  but it will limit  thew success of the attack. In effect failure will be graceful.

“Insurers need to  increase risk management, and work with the client to understand what risks can be tackled, at what cost and what risk need to be transferred to the insurance industry.”

“Cyber is in a pre-Hurricane Andrew  state of blissful ignorance,” he explained. “At present it can place tail wind risks with the reinsurers, where currently there is little impact to the reinsurers’ bottom lines.”

Mr Speare-Cole explained: “Let’s hope  the cyber market won’t need the equivalent of an Andrew or a Sultana to drive change.”