Cybersecurity is the top technology concern of advisors and broker-dealers, according to polls done by the Investment Adviser Association and Investment Advisor magazine.
Addressing this issue are cyber insurers, who work in a market that could grow to $17.6 billion in 2023 from about $4.5 billion today, Orbis Research says. Driving this growth are factors like data breaches and the growing use of cloud-based services.
To look at the risks facing cyber insurers today and the limitations of this coverage for financial and other firms, ThinkAdvisor spoke at length with Sid Yenamandra, the co-founder and CEO of cybersecurity firm Entreda.
Yenamandra, who is well-versed in the potential causes of a major cybersecurity-related disruption, addresses the overall threat posed to the financial industry by cyber attacks in an earlier interview. In a third (and final) interview, he explains what actions financial firms are and should be taking to improve their cybersecurity.
ThinkAdvisor: What level of cyber risks do large insurance companies have?
Yenamandra: This is a question that goes to the core of what we do as an organization. At Entrada, we work with independent broker-dealers and insurance firms to help them manage cybersecurity risk for their firms. We try to assess the risk holistically within organizations like AIG.
[Insurance companies do] run the risk of being susceptible to a cyberattack, but are they overextended? In the event of a major attack, I might be overstating it a bit, but I definitely think that big insurance companies have risks.
There are two points that this brings up. AIG is an underwriter of cybersecurity risk insurance policies for a lot of organizations. Are they overextended in terms of their risk model? Do they have a good way of assessing the risk of an organization before writing a cyber insurance policy for that firm?
The answer is that today insurance companies are struggling, because there isn’t a lot of actuarial science in the area of cyber insurance. And that’s actually a problem the industry is grappling with.
When it comes to auto insurance or home insurance, there are years and years of data that you can use to build risk models around. But when it comes to cyber, it’s been an issue [only] in the last five to seven years.
There just isn’t a lot of actuarial science around this to help firms make better risk decisions, so they’re writing insurance policies based on self-adaptation from a lot of firms.
TA: Could you tell more about the risks involved today in cyber insurance?
Yenamandra: Firms like AIG are at risk from a risk-modelling standpoint. Internally, firms like AIG have a network of insurance agents that are writing policies for their clients.
There’s also a cyber risk … at a corporate level from having a network of agents who are independent contractors … in many cases, agents that are running their own business and have their own office locations. They have their own devices, they have their own networks.
It’s like the Wild Wild West, because AIG and other firms struggle to manage or supervise cybersecurity risk on the part of those 1099 contractors. A large insurance firm might have 5,000- plus reps out in the field.
They might be spending a fortune on cybersecurity at the home office or the corporate office, but what are they doing at the fringes? How are they helping the small advisor, small insurance agents or the agency that has five employees, their own devices, their own networks, their own apps in many cases?
It’s unregulated alright.
There are risks that firms have both from an operational standpoint of corporate risk, but also from a product-risk standpoint around their insurance policy. We think that there is a considerable amount of risk — we might not use the phrase overextended — but I would say they’re operating at a high level of risk as a business.
There are also a lot of bad policies out there. Read the fine print of the exclusions list!
Firms think, “Yep, we’ve got insurance, so if we get attacked and we’re a victim of cyberterrorism, we’re going to get paid out and we’re protected.”
But if you read the fine print, it will say you needed to do the following seven things [to be fully insured]. So the burden of proof falls on the organization to [show] that it’s doing the basic things when it comes to protecting itself.
In other words, you can’t walk around and have open networks and hope that your insurance policy will cover you. The insurance policy is only going to cover you as long as you’ve taken the necessary steps to protect yourself.
And you still may fall victim [to cyberattacks], because things happen outside your control. For example, if you get caught up in a larger cyberterrorism issue — will your policy pay out in that case? Again, depends on the policy.
My point is that cyber insurance or cyber coverage doesn’t always protect you. You’ve got to pay close attention to the fine print and work with insurance agents who understand cybersecurity, because then you’ll get better advice when it comes to it what the policy actually covers.
TA: Could insurance policies be written without first ensuring that clients are compliant ?
Yenamandra: It depends totally depend on the insurance agency.
A lot of insurance agencies only focus on cybersecurity, and they probably would do a very good job of making sure they educate the insureds on what they need to pay attention to.
But I’ve seen insurance agencies that are more generalists. They write a lot of insurance policies, but cyber’s just another thing they do. They may not be as educated in that area and therefore may not be able to provide all of the expertise that a firm has to have.
The industry is struggling at a much higher scale with the way insurance is currently being written. Today, insurance agents will send a prospective insured a multi-page application. That application will have a bunch of questions on it, things like: Do you have antivirus software on your devices? Do you have backups? Do you have a firewall?
How do you think a firm is going to respond? If it is trying to get a good policy and a low premium, it’s not going to say ‘no.’ Or [the potential insured] sends it to its [outside] IT firm, which will probably say ‘yes,’ because it’s getting paid to do so.
The problem is that the industry is very much based on self adaptation.
The insurance firm gets the self-adaptation model application form back from the prospective insured and then it plugs that into a model, and that model is based on some broad-brush assumptions.
For example, …. 30% of firms that provide some of that data aren’t going to [provide] correct [information], so they assume that only 70% of firms are protected. The insurance firm then writes a policy based on that [assumption].
If the organization is as protected as Fort Knox and spends all this money to protect itself, it’s still getting the same policy as a firm that has nothing in place. … The industry today is struggling with this.
In the next four or five years, we’ll see massive change [with] trust-but-verify models. The insurance agent will have to make sure that a firm is compliant before it gets insurance.
TA: Could regulators force companies to be insured and to be liable?
Yenamandra: We’re already seeing that if you are an organization that has a lot of power, with power comes responsibility.
For example, let’s talk about an organization that has [many individuals’] Social Security numbers and is operating at a level that could put all these people and that data at risk.
It’s certainly within the realm of reason to assume that if [the firm] does not follow the basics when it comes to cyber risk, that the corporate umbrella may be pierced and the CISO may be personally liable.
There is a lot of discussions around [the case of] Equifax. I don’t know if anybody personally was prosecuted, but that case could be a precedent for a lot of future issues because that attack was so unprecedented.
Certain states are mandating that firms have cybersecurity insurance. And there’s been a lot of discussion about holding the CISO of certain organizations personally liable if they’re found negligent of their fiduciary responsibility.