Cyber insurance is a new conversation in the boardroom, reflecting the growing digital maturity of senior executives and also an insurance industry that can recognise and quantify the impacts of cyber security events. Until recently, business and insurers both leant heavily on existing policies to insure against cyber calamity, bolting on clauses about data and computers to leverage products that were designed for business continuity.
“CISOs (chief information security officers) were saying only 2 years ago that they didn’t see the point of insurance”, says Dr Paul Dorey, visiting professor at the Royal Holloway College, University of London. He identifies the breach of Maersk shipping giant and other corporations by the NotPetya malware as a turning point. “Insurers said it was no ordinary business interruption but a cyber act of war conducted by a nation state.”
Cyber insurance is still playing catch-up with a business environment where 87 per cent of the S&P 500 companies’ market value is tied to intangible assets, according to researchers Ocean Tomo. But while insurance players have called out a new cyber risk market, requiring an insurance portfolio value point of view, some businesses and boardrooms are still living in the old world, says Dorey.
Dorey’s observations are confirmed by the findings of Marsh, a global insurance broker and risk management specialist that surveyed 1,300 risk professionals and senior executives across the globe. While By the Numbers: Global Cyber Risk Perception Survey found a growing willingness to invest in cyber insurance to mitigate the impacts of emerging technologies, one in five companies does not have any cover.
Over one third (34 per cent) of respondents to the 2017 survey had restructured cyber insurance and/or purchased further cover, while a further 38 per cent said they had increased cyber risk insurance in order to limit liability. Marsh authors interpreted this as a growing desire to protect against risk that accompanies evolving technologies, including artificial intelligence (AI) and the internet of things (IoT), as well as regulatory developments, including the European Union’s General Data Protection Regulation (GDPR).
Governments, including the United Kingdom, have already moved to clarify the insurance position of road accidents involving cars that use artificial intelligence and automation to be autonomous. The United Kingdom’s Automated and Electric Vehicles Act 2018 makes insurance underwriters liable for damage caused by such vehicles, leaving the insurance company to then chase other parties under product liability law.
But as Dorey points out, cars have always been a special case in insurance, since governments have legislated to protect bystanders and pedestrians caught up in car accidents. Under the UK legislation, passengers of autonomous cars — not only drivers — will need to take out insurance coverage. And determining who has responsibility for the car — passenger/driver or the AI — at different times remains a major task for policy writers.
Further complicating the picture for car insurers, cars will become fully autonomous only when they are connected to other devices on the roads. Cars need to be connected to — and use data transmitted from — road signs and other vehicles to make good decisions, Dorey points out, adding: “If the AI in your car is functioning but crashes because it receives bad data from another device, that’s an interesting legal conundrum.”
Cyber insurance has entered a new phase of its journey only recently, and the connected car is a test case for developing insurance products that cover algorithms in a connected world. And, as insurers get savvier about cyber risk, businesses in all sectors will have their work cut out to ensure that work practices, enhanced by automation and algorithms, can withstand digital decay and satisfy insurers.