
Cyber risk insurance – how did we get here?

Apr 16, 2024

The Cyber Risk Insurance Series – Part 1 of 2

Our CTO, Cameron Fairbairn, shares his view of cyber risk insurance from the front line.

On May 4th 2000 I was working as an IT support analyst for a small telecommunications company. My day-to-day job was to look after the billing department’s systems. On this particular day, I’d spent the morning in the tech room building laptop computers for staff members. I walked out into our large open plan office and unlocked my computer. Something was wrong.

Cyber Risk Insurance – the first virus was ILOVEYOU

There were around 20 emails in Microsoft Outlook – and they all had the same subject line: ILOVEYOU. Each had a VBScript attachment. Two more arrived as I stood there, trying to comprehend what was happening.

What followed was a gruelling week of lost data and productivity the world over, as what became known as the ILOVEYOU virus worked its way through global IT systems.

By May 10th the worst was over. And having worked some very long hours and pulled off a few high-pressure IT manoeuvres that I’m still proud of to this day, I was called in to talk with the company’s Executive team to explain what had happened.

By this time, the ILOVEYOU virus was a fixture on both the morning and evening news for every outlet on the planet. Yet reliable technical information was hard to find.

Panic in the Executive team followed. “This has cost us millions, how do we stop this happening again?”

This was the first time I heard an Executive talk about obtaining insurance to mitigate the risk of cyber attack.

What followed was the introduction of the first cyber risk insurance policies. And although there were a few notable cybersecurity events prior to May 2000, the ILOVEYOU virus and the ensuing economic damage were what led to the beginning of the cyber risk insurance industry.

The cyber risk insurance journey began with primitive protection levels

In the early years of cybersecurity insurance, coverage was often limited and focused on a narrow range of risks. Many insurers were hesitant to offer coverage for cyber security incidents at all. The risk associated with cyber-attacks was relatively unknown and difficult to quantify. In addition, there was little actuarial data available to inform pricing and risk assessments. Many insurers were concerned that providing coverage for cyber security incidents would create a moral hazard, encouraging businesses to be lax in their security measures.

Despite these concerns, the demand for cyber security insurance grew rapidly in the 2000s. As more businesses became reliant on technology for their operations, the frequency and severity of cyber-attacks increased. As a result, insurers began to offer broader and more comprehensive coverage for cyber security incidents. This included coverage for data breaches, cyber extortion, and other types of cybercrime.

The public face of cybersecurity breaches

In the mid-2000s, several high-profile data breaches brought the issue of cyber security to the forefront of public attention. These incidents, including the 2005 breach of ChoicePoint and the 2007 breach of TJX, resulted in significant financial losses for the affected businesses and their customers. In response, many businesses began to view cyber risk insurance as a critical component of their risk management strategies.

At this stage, I was engaged in consulting with major corporations as an IT architect, often participating in meetings with executives for whom cyber risk insurance was a frequent subject of discussion. Whenever we discussed mitigating cybersecurity risks through system design, the idea of using insurance as the ultimate risk mitigation strategy was always a consideration.

The executive cyber insurance awakening

What happened next was an awakening among Executives – was cyber risk insurance really the comprehensive solution to fixing all of the cybersecurity issues an organisation could have?

Gradually, I began to encounter situations where executives – for whom cost reduction was the highest priority – compelled me to compromise on security measures in our designs. After all, who needs security controls when a cyber risk insurance policy is the most effective security measure an organisation can have? I soon observed a swift increase in systems lacking adequate security controls.

Welcome to the moral hazard of cyber risk insurance

As I moved from being an IT architect focussed on security to being a dedicated cybersecurity architect, I never stopped encountering the moral hazards. But the transition from large enterprise to the SME market really opened my eyes to the extent of the problem.

This made me ask the question: Is your business cyber-protected? Or simply insured? Tomorrow I’ll share a real-life case to answer this question.
