Managing the new paradigm of cyber risk

Prashant Pai, vice president of cyber solutions at Verisk, discusses how the cyber world has evolved since Covid-19 and what the company is doing to help insurers tackle new risks

Prashant PaiIn light of the Covid-19 pandemic and the subsequent shift in working practices, how important is the focus on cyber risk now?

We have already seen the short-term impacts of Covid-19. The implications of the change in working practices is that companies are looking to better manage attacks due to employees moving outside firewalls and virtual private networks. The uncertainty in how coronavirus will continue to spread and how companies and cities will reopen is creating uncertainties as people are more prone to clicking on links that offer any information.

The new normal in the mid-term is one in which many companies have planned their digital journey, moving to Zoom and the cloud, for example, and we will see that accelerate. In line with that, security measures that would have been planned will get sidestepped. In other words, there is increased digital reliance, but also an increased cyber risk. You have seen this with video conference technologies where you have had cyber concerns related to hacking. With no viable alternatives, companies have had to use these technologies, but the rush to embrace them means testing and validation may not be as robust.

Long-term, we anticipate an overall evolution in cyber security and cyber risk caused by the pandemic.

Outside of the coronavirus there has been a rush to get the Internet of Things technologies out into the market so compromises have been made on cyber security in this field too.

What expertise can Verisk offer insurers in managing their cyber risk?

We have established business units (ISO / AIR) working with clients for many years, so we have been at the forefront of the work on cyber. Two major areas we are currently involved with is in helping the industry to better understand risk and the issue of data. On the latter, we have partnered with the cyber industry and developed our own data sets. Information firmographics and technographics are key to understanding company cyber culture. It is important to understand a company over time and how driven it is from a cyber perspective.

We have also developed a data exchange. Insurers have been talking about sharing data as regards their claims experience for some time. That's where we have stepped up. We have offered this to enable companies to contribute data in a privacy preserving way. At the same time, we have got models to support all the insurance processes—ranging from pricing to underwriting, alternative risk transfer and portfolio risk management.

What features will you be adding to the product?

We are releasing version two of our cyber underwriting report soon.  It will have technographic data on any company with a web domain allowing for an increased breadth of information. We have also developed scores to help insurers interested in bringing risk onto their books. This will consider all the coverages offered by a cyber insurance policy and come up with ways you can help differentiate between risks.

The cyber data exchange also continues to see more adoption. We are providing enhanced views of data and augmented data to our data exchange customers. The next version of ARC, our cyber portfolio aggregation tool, is due in July. We are delivering a new web interface with that and have added systematic ransomware models. These simulate malware that can self-propagate and result in extortion, data and device destruction. 

Which key cyber risks are you working on to help insurers in the future?

The two main future cyber risks are malware and a technology service provider outage. We are continuing to expand the risk library to help with these. One of the things we see happening in the digital world is that you are getting organisations like Google, Amazon or Apple becoming too big to fail. They are providing the core products for the technology being used. We have been studying data on where points of aggregation are to mitigate risks with these providers.

We have also looked at other points of aggregation, such as surgical systems used by hospitals. We are finding the points of aggregation in those too. In terms of one-off losses you'll keep seeing instances of phishing and targeted ransomware. You're also seeing ransomware as a service - a new trend where they are threatening a data breach and demanding ransom payments.