Cyber providing underwriters with plenty of food for thought

This week has seen warnings for insurers and businesses not to neglect the cyber threats which lurk in the global supply chain, in another week where cyber risk has captured much of the industry’s attention.

The International Underwriting Association (IUA) has produced a white paper that warns that, while individual events are hard to track, there needs to be more focus on the wider implications for cyber insurers as the supply chain becomes ever more interconnected.

The report, which was created in conjunction with cyber risk analytics firm CyberCube, urges underwriters to carefully review client business continuity plans.

“As our world becomes more highly interconnected, cyber risk is an ever-growing problem,” the report states. “With any supply chain, digital or physical, there will be entities that specialise in providing niche services to many elements within that chain.

“This specialisation means that the theoretically independent supply chains of unrelated businesses may rely on a handful of providers perceived as “best-in-class” for their specialties. The net result is that an outage at one of these providers becomes a Single Point of Failure (SPoF) that could disrupt large swaths of companies that rely on them for their business operations.

“While SPoFs cannot be eliminated from (re)insurers’ portfolios, understanding their concentration is critical to managing risk accumulations and minimizing cyber catastrophe losses across all coverage types. Reinsurers can also distinguish which cedants are better at managing cyber risk concentration.”

It adds that whilst companies are more and more reliant on digital support from third parties, supply chain perils have so far received far less attention than other major cyber threats like war risks. An improved focus on risk management is urged to help insurers, brokers and clients agree on appropriate levels of cover capable of responding effectively to any claims.

Thomas Clayton, chair of the IUA’s Cyber Underwriting Group and Head of Cyber at Zurich Insurance, explained: “Most organisations rely on a complex array of external vendors, technologies and suppliers to achieve their business goals. But these relationships come with inherent risks.

“For insurers, there is an urgent need to pay close attention to single points of failure within digital supply chains. Often, theoretically independent supply chains of unrelated businesses can rely on a handful of leading, specialist providers. An outage at one of these providers could disrupt large swaths of industry.”

Indeed, the report warns: “It is no longer a matter of whether, but when operators of critical infrastructure will be attacked. Such organisations should prioritise incident response planning to allow for the increasing possibility that they will face a double-extortion ransomware attack.”

It continues that the issue remains that insurers are still reliant on clients understanding their IT infrastructure and supply chain, and how any failure in the supply chain impacts their business. It also means that those third-party suppliers need to understand their own infrastructure and supply chain to understand the risk to their clients.

“It is difficult for insurers to capture a client’s whole exposure to supply chain as it is unlikely that they will have access to the data to assess the risk,” it adds. “In many cases, clients themselves have not mapped their exposure to third-party supply chains and therefore cannot share this with underwriters. Sometimes efficiency in supply chains is gained at the expense of resilience. Another factor to consider is the interconnectivity of supply chains and reliance on common technology; this can concentrate risk and aggregate losses.”

The report cites the issues that come with the use of technology in the supply chain and may well serve as a reason for some underwriters to shy away from the cyber (re)insurance classes.

Given the dynamic nature of the risks, and the fact that this week Lloyd’s issued a model showing that a hypothetical but plausible cyber-attack on a major financial services payments system, resulting in widespread disruption to global business, would have potential global economic losses of $3.5 trillion, the industry’s efforts to provide a sustainable and widespread solution to cyber risks have a long way to go.

Jon Guy, Editor,

Emerging Risks