Berea Group’s Founder & CEO, Aaron Yates speaks to Insurance Times lead researcher Savan Shah to discuss the hidden cyber challenges that lie ahead for brokers, policyholders and insurers.
Please tell us our readers about yourself and Berea as a company?
”I founded Berea back in August 2010. To this day we’re still based in the UK’s glorious heartland of Leicestershire. Early on we recognised that the formative cyber insurance market would need to work hand-in-glove with risk management if the class were to be successful for policyholders and the financial services industry. We also realised that expensive cybersecurity consultancy would become a barrier for businesses to access meaningful advice.
Our logical leap was that the insurance industry would require consistency in businesses approach to governing these risks, and that the solutions would need to be affordable, practical, and highly-scalable, whilst accessible in plain English. With our Cyber AMI and Cyber Safety at Work services, in partnership with insurance underwriters and brokers, this is now exactly what we do.”
The Insurance industry should now be aware of cyber risk, however with so much information and technical jargon some may feel puzzled and by it all. What major cyber challenges do you believe lie ahead for the following groups?
Major challenges for insurance brokers:
”There is an industry-wide education problem. Too few brokers understand what is hidden by the word “cyber” (i.e. the fields of Information Security and Data Protection). Without this critical foundation it is understandable that a broker cannot communicate a similar understanding to their client, thus preventing a meaningful discussion on their exposures.
If a client is receptive, determining covers and limits required, based on validated exposures, can be daunting. Trying to obtain a snapshot for assessing covers, especially with business technology and services being a constantly evolving smorgasboard, is a unique challenge for the broker with every client.
The distribution is hampered by a lack of standardisation in cyber insurance wordings. Understanding what is and isn’t covered, and in what circumstances, can be a very painful exercise.”
Major challenges for policyholders:
“Similar to brokers our biggest challenge is lack of understanding and internal expertise to protect the businesses from snake-oil salesmen. We no longer have an awareness problem. “Cyber” and “GDPR” are mentioned everywhere. The major challenges for most businesses is jargon and the potential for paralysis through information overload.
Fear-based selling, and an ever-swelling coterie of freshly-minted experts on LinkedIn, is making it increasingly difficult for a business to understand how to protect itself. Many other industries are trying to capitalise on fear, such as marketing agencies, are presenting themselves as offering a solution, as an effort to increase take-up of their traditional offerings.
The problem therefore for many businesses is simply who to trust to give them a journey that will result in their business being as secure as possible without over-commitment or being overcharged. If this hurdle can be overcome, the policyholder has no expertise internally to independently verify whether the advice their broker has provided on cyber insurance is accurate, or whether their policy if acquired is actually fit for their needs. Again, we have a knowledge problem.”
Major challenges for insurers:
”The cyber insurance market is forming swiftly, of that there is no doubt. GDPR will further expand the groundswell and drive purchases. I expect to see serious market growth over the next 2-5 years.
There will be increasing grass-roots demand for standardisation of wordings and covers, which will likely be resisted in the short term by insurers for proprietary differentiation during the GDPR gold rush period. Closer cooperation might arise when market growth steadies unless forced by regulator or government activity; differentiation for marketing appears to be preferred over standardisation and consistency that would, in my opinion, drive market growth and reduce issues advice and claims issues down the line.
Catastrophic risk, aggregation and “silent cyber” are of course major issues that insurers recognise. The unifying problem behind these is that there is currently no precise means to model risk and loss scenarios either for a policyholder individually, on a book of business, across an insurers business, or within a reinsurance scenario.”
What do you feel will be the grey areas of GDPR?
”As with most legislation, whilst responsibilities and consequences have been laid out for us, the practicalities of compliance have not. We know that:
● the Supervisory Authority (the Information Commissioner’s Office, or “ICO”) will be gaining new powers,
● private individuals will be obtaining new and stronger rights, and
● businesses will have increased obligations to be able to demonstrate their activity to comply with the regulation.
The concept of Privacy Seals (compliance frameworks that will be recognised by the ICO), and standardised icons signifying the consent being given, will be areas of interest. My view is that consistency through a harmonised approach to risk management will provide a strong foundation on which the insurance industry can build supportive retroactive financial products to address known gaps.
A grey area that concerns me is the potential for fraud and exploitation of unprepared businesses. The concepts of ‘cash-for-crash’ and ‘ambulance chasing’ are now well established. In my opinion, ‘Subject Access Requests’ may pose a threat to businesses in a similar manner. For example, an individual or group could overwhelm a company with such requests, seeking compensation if their rights are not upheld within a set timeframe. Businesses that are not ready to handle Subject Access Requests in a considered manner could find themselves facing spurious legal action on many fronts. Borrowing a concept, I expect to see at least one such “Denial of Service attack” on a British business within the next 12-18 months, perhaps most likely an easy target like a GP surgery or Dentist.
Fundamentally, without case law to inform decision making similar to the development of Health & Safety advice over the last 40 years, to avoid grey areas the default stance of all parties will have to be the strictest compliance regime imaginable.”
The nature of cyber security makes assessing and managing risk uniquely difficult, why is modelling in the cyber insurance market so important?
”Modelling is a crucial activity to ensure that product pricing is appropriate, whilst remaining attractive, by testing a wide variety of loss scenarios. The key consideration as always being the profitable running of a book by safeguarding loss ratio.
To paint a picture of cyber modelling we must cover some foundational concepts.
First, we must accept the premise that every business, even within the same industry, is unique in its composition of people, process and technology. In concert we must also accept that these variables are an incredibly fast-changing moveable feast. (A property risk might not vary much in 10 years. The technology and people within the property might change substantially every single month.)
Secondly, we must appreciate that every business is near entirely dependent on its technology, thus defining our understanding of what now constitutes “normal business operations”.
Thirdly we must contemplate that business does happen in isolation. Business is the interaction of process in exchange for remuneration between many different organisations and consumers, presenting our concept of ‘supply chains’. Should a single cog break, the potential exists for the entire engine to stutter or fail.
With this picture of modern business reality, we can begin to overlay an understanding, from a financial services perspective, of cyber insurance and “silent cyber”. (N.B. Silent cyber being the concept of an insurer being exposed to cyber claims in classes not originally envisaged for such losses, for example Solicitors All Risks Professional Indemnity, or a broadening of risks under D&O, or a clever interpretation of BI within a property cover.)
To the best of my knowledge, modelling is currently impossible in any truly meaningfully scientific form. Using my statements above I believe this is for five reasons:
● We do not have “live” (i.e. “up-to-the second”), real world data on which to accurately model the activity and interaction of businesses. Without this any model can only be based on speculation of genericisms, or assumed averages, thus preventing vitally important precision.
● We do not have a clear picture of how insurance arrangements relate to policyholders, within a single provider, let alone overlaying the next superset of complexity - supply chains,
● We do not have aligned, complementary true real-world threat intelligence, in a manner useable against the non-existent records.
● We do not have a shared, reliable actuarial record, let alone a common actuarial framework, on which to model loss scenarios, which with an evolving risk would be in a constant state of flux in and of itself.
● And finally, we do not have a common, central application on which this data can be regularly and reliably compiled and modelled from. The creation, maintenance and operation of such a tool would be incredibly complex and resource-hungry.””
Which cyber event would you say has caused the greatest ramifications for the Insurance industry?
”In my opinion the “NotPetya” attack in June 2017 has been the biggest wake up call. Where previously theoretical, NotPetya verified the systemic nature of the risk, the dangers of aggregation, the under preparedness of supply chains to mitigate the risk, and further the inability of all involved to swiftly respond to such an incident on a global scale.
Whilst large firms such as Merck, TNT and FedEx experienced hefty losses, these were further compounded by serious onwards disruption of the operations of their suppliers. The domino effect was swift. I’m of the opinion that, had all affect parties held cyber cover in the format provided today, we would have seen the first “perfect storm” catastrophic loss event on the still-formative cyber insurance industry.
I believe this event has given interest parties a necessary shock to stop and take stock. The potential exists that we could soon live in a world where many similar incidents could happen in the timeframe of a single working day. There is much that needs to collaboratively be accomplished in the distribution chain and policyholders in general to be better prepared for similar future events, and this really helped identify gaps.”
How will the cyber solutions you offer improve underwriting performance?
”Berea’s solutions improve the risk management profile of policyholders, consistent through a book of business, against recognised frameworks. To this end Berea is trying to standardise how cyber risk management is delivered and assessed by the insurance industry.
A prime example is that users of Berea’s “Cyber AMI” service will reduce their risk from common threats from the Internet by 70-80%, which can only serve to protect loss ratio.
Also, and most importantly, Berea’s solutions are designed to be accessible to the parties least able to protect themselves, and those who are the backbone our economy - the SME community.
We believe that standardisation is a good thing. It provides a necessary constant that can be relied on in risk modelling. In turn, insurers can better manage their own book, portfolio and business exposure to standalone and silent cyber. Standardisation is also helpful for brokers. Rather than learning proprietary, shifting risk management frameworks for each insurer partner, a single standard can make their job easier in engaging and directing clients.
Standardisation also benefits the ultimate beneficiary, the policyholder. Harmony on recommended activity reduces confusion and frustration. There is one, single course of action. This makes life simple.
In summary, our solutions improve underwriting performance by providing assurance on consistency in policyholder risk management, against recognised risk management frameworks, translated to plain English for those who need the help most.”
You have substantial experience working with brokers, please tell us the typical brokerage journey whilst working with Berea?
”On top of a desire to place cyber, brokers have three basic needs:
1. They need education to understand the topic matter of Information Security and Data Protection, often simply referred to as “cyber”. This education is necessary to engage and inform a client, and to interpret available insurance products.
2. They need a service that a client can take up and use easily, and that will take the client through a process of introspection. This should help the client identify and manage exposures, opening the door to a proper discussion on insurance. For example, a broker can’t often afford to spend two weeks providing risk management advice to an SME client for the commission available.
3. They need confidence in a panel of providers whose products align well the vast majority of the broker’s common client industries and exposures. Working from a well understood panel, rather than the whole market, can shorten the timeline from conversation to quote.
Berea’s experience is in educating brokers and providing them with the tools to engage and guide their clients. We estimate that, since 2011, we have provided some form of ‘cyber’ training to over 1,000 individuals in the insurance industry. We’ve worked closely with around 50 brokerages, ranging from regional independents to large nationals. We’ve spoken at CII events in most corners of the UK.
As the industry has continued to develop, we’ve realised the best way to help brokers is by embedding support for their clients ‘at source’ in commercial insurance products their clients are already likely to own. This removes all barriers to client activity, making the broker’s discussion with their client on cyber vastly easier.”
Certain brokers feel reluctant to trade cyber insurance at their brokerage, how can brokers better prepare and educate themselves that will alleviate this reluctance?
”The only answer to this question is education, starting with the understanding that ‘cyber’ is a meaningless word. Frustratingly we are obfuscating very important meaning for the sake of a popular marketing phrase that has gained traction in the public consciousness due to repetition.
Brokers should do all they can to familiarise themselves with the topics of Information Security and Data Protection, which are what we actually mean when we say ‘cyber’. A solid understanding of these domains, coupled with an understanding of threat actors, business vulnerabilities and consequences of an incident, will prepare a broker for most conversations. There are many decent books available on these topics, and the fundamentals are very straightforward.
Unfortunately, often for brevity, too much is being condensed in marketing terms or poorly understood and widely-repeated technical jargon. Brokers need the confidence and ability to dig behind terms such as “cyber” and “data breach” - the entire topic becomes much clearer when expressed in full and at length.
Also, and very importantly, we quickly need to dispel the myth that I.T., i.e., “Information Technology”, is the domain of “Information Security”. Whilst technology is facilitating many of the problems that we’re now seeing, the resultant business risks and solution are not the sole domain of the IT Manager. The perpetuation of this association makes it easy for many individuals to hide from the problems by making it possible to consider them someone else’s issues.”
The use of automation and emerging technologies is transforming the insurance industry; will this lead to greater cyber exposure for companies?
Advancements in technology are being consumerised at a rapid rate. It is relatively easy to deploy and cheap off-the-shelf. Where historically it’s taken a while for advanced technology to enter the typical workplace, we’re now seeing things like “IoT” (Internet of Things - constantly connected computer devices of all sorts and sizes) and AI smart assistants quickly entering the workplace.
Knowing how carefree many businesses are with current technology, this frightens me with the new super tools quickly becoming available. For example, we are now adopting at incredible speed technologies that interact with our physical environment and have the potential for physical damage and danger to human life.
Let’s look at ‘drones’ (a.k.a. Unmanned Aerial Vehicles, or ‘UAVs’). These are being purchased by all kinds of businesses for use cases including security, photography and surveying, to name but a few. We are also seeing an increasing number of ‘near misses’ by commercial and private aircraft with such machines. This is a very simple, obvious example.
For the most part, new technology creates new risk. Technology is evolving quicker than ever, and it is being made available to consumers quicker than ever. The danger here is, for the most part, businesses barely have a handle on the exposure by the ‘tame’ existing technologies we currently have access to. We are building on very shaky governance foundations. The net result is that new technology carries new risk, and the interaction of such devices with other tools and the physical world is creating new scenarios at a pace we are struggling to maintain a handle on.”
What are future research directions in cyber risk and cyber insurance?
”There are many, some I believe will be key are:
● We need to figure out how to develop a form of real-time telematics of business interaction with technology and the interaction of supply chains. Without this information our scenario modelling will always be inaccurate.
● On the above, we may need to start to consider the idea of an annual premium as incompatible with cyber risk. Telematics in motor policies is in my opinion a better analogy. Business risk from technology is shifting constantly, much like a new driver at the wheel of a car.
● Now more than ever we need to see increased cooperation and the design of standards for the interaction of technologies to provide consistency in risk management.
● For this vital class of insurance to safely develop at pace we need to start to see closer cooperation on standardised product wordings. This is an imperative short-term need to make the class easier to write and place.
● We need greater involvement of Government in legislating for the safe use of technology by businesses. I feel that between the Health & Safety Executive, Information Commissioner’s Office and GCHQ, we are missing a vital department to harmonise and harness the safe potential of technology in British businesses.”