Furthermore, insurers need to look to their own cyber security to mitigate data breach risks

Cyber insurance. Everyone in the insurance industry has heard of it. The emerging risk that large corporates and maybe even some SMEs are now taking out cover for, having heard of the risk of 2017’s WannaCry ransomware attack and other high profile cyber threats.

But away from this, and possibly flying slightly under the radar, cyber risks are also beginning to have profound effects on the risk profiles underpinning other business lines too.

In home insurance, the rise of the Internet of Things (IoT) and smart home devices is creating new risks for insurers to face.

Smart locks, which take the simple door lock and connect it to apps and other smart devices, are just one example of this.

But CGI head of cyber security services Richard Holmes said insurers have not yet fully woken up to the threat coming from this new technology, therefore the assurance systems common to more traditional locks are not yet in place to help insurers underwrite these risks.

“For many years there has been a well-established mechanism where insurers incentivise people to protect themselves against burglary by installing approved and police-assured locks,” he explained.

“One of the consequences of the connected revolution and IoT is the emergence of the smart lock, which is connected to the owner’s internal network. While they are becoming increasingly popular, there is no system in place for systematically testing the security of the locks nor the apps they are connected to.

“This is an area that is ripe for some attention and I do think over the next year or two, there should be moves to establish some sort of standardised regime for testing of these types of products.”

Holmes added that such a system could then be rolled out across other types of IoT devices, helping insurers to better understand these items as they become increasingly common and providing price benefits for individuals that represent a safer risk as a result of the devices they have installed in their properties.

Data surge

One of the areas where this is already having benefits for insurers is around escape of water claims.

IoT sensors are now able to detect water leaks before they are noticed, whether that is in a commercial property or private home, meaning that the problem can be fixed before it causes extensive damage to the property and its contents.

Of course, this creates great financial savings for the insurer by avoiding a large claim, but it is also creating an issue for insurers as they have to deal with much larger volumes of data - something that will only be exacerbated as the uptake of connected devices, and their use to insurers, picks up pace.

“Insurers are holding increasing volumes of data on their insureds and with cyber becoming an increasingly popular product, that could commonly start to include data on vulnerabilities within their policyholders’ systems,” Holmes said.

“Imagine a scenario where a bad actor comes in and breaches the insurance company, takes that data and uses it to gain access to policyholders – that’s a nightmare scenario for the insurance industry.”

This means that insurers themselves need to make sure they are adequately protecting themselves against any breach, as well as having processes in place should the worst happen.

Proactive planning

Holmes said CGI is starting to have more conversations with insurers about how they can help protect their own businesses.

“We already offer incident response services to insurers to include as an added service on their policies, but we are increasingly getting traction on conversations we are having with insurers about offering these services to them on a retainer-basis too,” he explained.

“The benefit of this type of arrangement is that it gives you access to a set of specialist skills in a more cost-effective way than having to employ highly trained personnel for a service that you don’t need all the time because you aren’t constantly faced with breaches.”

Those insurers that offer in-house breach response services to their clients may decide to also carry out this service for themselves should they suffer a breach, but for those that don’t, Holmes said a retainer service could prove invaluable, particularly given the speed at which cyber attacks often develop once detected.

“It is a bit like not knowing which plumber you’re going to call before you start having a flood,” Holmes said.

“Trying to decide which plumber to call once the water is pouring out is quite a stressful thing to go through and it is the same with cyber. Already having a relationship with that provider speeds up the response side and reduces stress levels.

“The other benefit with cyber response teams is that we can also come in ahead of any breach and provide advice about how to better protect yourselves against a breach occurring in the first place. We can also provide guidance around how best to respond in the event of a cyber incident taking place, so you can mitigate any losses or damage before you have had time to contact us.

“This means you will be in a much better position, with the right information and the right data logs, so that the incident response team can come in and work out the solution much quicker than they otherwise would have been able to.”

And, with the Covid-19 pandemic accelerating the shift to homeworking, the threat insurers and their policyholders are facing is greater now more than ever.

But while this may present a much greater risk to the industry, it is also creating an opportunity for insurers to reach out to the market and sell the benefits of cyber insurance for all types of organisations, as well as individuals.