Cyber Risk Beyond Compliance

29 Jun

Aspirin, Antibiotics, Surgery or Real Prevention and Cyber Health?

By: Stephen M. Soble and Jack Dufrene

The risks are ponderous, the exposures beyond most calculation, and the responsibility unrelenting. With the advent of Cyber compliance regs, the insurance industry faces baseline standards and a host of off-the-shelf solutions to deal with the pain, but the profound goal may well be lost as C Suiters, GCs and brokers select aspirin or antibiotics or even surgery, but fall short of the real tests of cyber wellness—a sustained defense that won’t require ongoing, costly visits to the pharmacy or the emergency room. There is a solution that has been developed by the top guns of cyber protection, now in the private sector, having left the service of major government intel agencies. Here is their thinking. Steve Acunto for Insurance Advocate


The recent worldwide WannaCry ransomware incident and the infamous “Struts 2” attack, which stole online banking credentials a few years ago, are only two of hundreds of documented cyber-attacks. Nearly daily, data breach incidents plague virtually every industry. And there are so many “alerts of a possible attack” from devices on the networks of major institutions that a new genre of tool has been developed to distill truth from fiction before the consequences occur.

And yet, despite years of trying to create a cyber insurance line which works for insurers and insureds alike, the insurance industry has been pursuing a strategy for cyber risks more akin to a trip to Las Vegas than to a traditional insurance model.

Lots of hype. Lots of “What Happens in Vegas, Stays in Vegas” thinking, but even serious thinking about risk identification, measurement and risk mitigation, heretofore, has been incomplete.

The essence of genuine insurance is missing. Insurance is financing the Digital Age. Only insurance links risk, loss, and recovery from damage. Bonds, stock, annuities and other instruments cannot do what insurance can.

Perhaps the reality that cyber-attacks cause permanent damage to reputation gives us some pause. We are all enamored with the fact that boards of directors, clients, and prospective clients are so confused, if not fearful, about cyber-attacks that they now sometimes clamor for a cyber insurance policy. And like a good Las Vegas stage show, we all want to give the customer what they want and we want them coming back for more.

How should cyber insurance work? We would like to empower the insurer and insured to understand objectively what their risks are, how to measure risk, how to mitigate those risks, and in the process, bring down the risk and the premiums for such insurance. If you can’t truly measure the risk, you can’t properly fix the premium. And from a customer satisfaction perspective, the insurance broker ought to be equipped with a tool which turns him or her into a key member of the trusted risk advisory team for the insured.

To date, this has not happened. But that is about to change.

[Figure: Pre-breach chart showing the growth gap between insurance and cyber risk]

Assured Enterprises has innovated the winning formula to usher in this change. Assured Enterprises is a different breed of company. We ask tough questions and many more of them than others in the field. We believe in hard engineering and science. We find scalable answers and we rely on solid data. We are at the beginning of a new era for insurance in the Digital Age. What follows is not an advertisement for us, but a look at what needs to go into a meaningful, sustainable program.

Crossroads

The Digital Age has reached a crossroads. We have the technological means of exchanging a vast and specific array of zeroes and ones (the binary language of the digital world). Yet, hardly a day goes by without news of someone getting hacked. And the hacks, with ransomware, data theft and data manipulation, are incontrovertibly on the rise. In fact, the loss history attributed to cyber-attacks is about $500 billion per year.

Sound cybersecurity is a sine qua non of the next phase of the Digital Age for the world of commerce. How can we allow autonomous vehicles without solid cybersecurity? How can auto insurance address this risk of loss? How can an auto insurer know whether the hack of IoT software or communications within the autonomous vehicle caused an accident? How can we shop online? How can we allow drones to deliver packages to our door? How can we bank online? Taken together, the true losses of online shopping and banking and the future risk of automated package delivery and autonomous vehicles are mind-boggling.

How can we buy and sell stocks and bonds without securing those exchanges with exceptional cybersecurity? And do we just trust the name brand of the provider? Major banks have been hacked, from PNC to JP Morgan to the Central Bank of Bangladesh. The entire economy and the cohesive feeling of connectedness which helps to define a vibrant polity are under siege. How can we invest in a new technology without knowing whether it is likely to be hacked? How can a company pursue a merger or acquisition without knowing whether its prospective partner is about to be hacked or, worse, has been hacked and just doesn’t know it? Remember the Yahoo! cyber-attack and the impact which those revelations of an ongoing hack had on the purchase price from Verizon? Between the loss in purchase price and the cost of the hack, probably a cool billion dollars was lost.

Can anyone name another industry in which society and the insurance industry would tolerate $500 billion in losses? We can’t. Improperly constructed aircraft never get off the assembly line. Defective power plants rarely get built. But when it comes to the assets which companies have built up over time—intellectual property, confidential business arrangements, plans for new product releases, operational efficiencies, and even money—we are all at risk in the new Digital Age.

Read the entire article at Insurance Advocate.