Ben Telfer: 

Hello, everyone, and welcome back to webinar number four in our week of reinsurance webinars. Again, great that so many have joined us today as we look at the new cyber risk landscape. It’s my pleasure to introduce and hand over to Matt Cullina and Tom Spier of CyberScout. Matt is Managing Director of Global Markets, and Tom’s Commercial Director of Global Markets. Matt, Tom, thank you for joining us today, and over to you guys. 

Matt Cullina: 

Thank you so much, Ben. Thank you to everybody in attendance. We’re really excited to be talking to you today. We’re proud to be a supporting member at ICMIF and just love the work that it does and interacting with you all.

Today we’re going to be going over global cyber risk in 2020, and boy, it has been quite an interesting year for all of us. So really, we’re going to get into some various topics around what’s happening in the market. We’re going to get into what’s happening with this new normal with this global quarantine that has been upon us for the last several months, and how that is impacting both insurance on the job processing, as well as just cyber risk in general. So first, going to get into some background and then going to get into some case studies. 

So it’s all about interaction. We have a series of planned questions that are multiple choice that are automated that we want to get your feedback on, but with that being said, we’d love any questions that you may have of us. We’re going to close by having some open ended discussions. So with all that being said, we have a lot to cover, so we’re just going to dive in. 

The ancient Chinese proverb says, “May you live in interesting times,” which is often viewed as both a blessing and a curse. I think that I can’t remember in my lifetime, times that have been more interesting than now when it comes to how we all have had to adapt, both for our personal life and for our business life as a result of COVID-19 and the resulting quarantines that have been a global prerogative. Really, what we’re seeing is this is also definitely increasing cyber risk, and impacting cyber risk in general. We’re going to be talking about case studies around how insurers around the world have started to solve through that, but also in its corollary round, how hackers have gotten even more sophisticated during this timeframe. 

We’re going to talk a little bit about the conditions we’re seeing in our operation centers. As you probably know, we support insurers around the globe with their cyber products, both for private lines, as well as for commercial lines. So we see all the case and claims activity coming in real time and can share some of those stories that we’ve seen as a result of basically scams that are resulting from the quarantine. Definitely getting more sophisticated and technically getting more sophisticated to solve, so going to talk a bit about that as well. 

So, we’re going to get to our first question. So really, just trying to warm up the audience a little bit and get your feedback. So the first question is, when it comes to offering cyber insurance, what stage is your company currently in? A, researching whether to offer cyber insurance. B, plan to launch a cyber offering in the next six to 12 months. C, have launched a commercial or personal cyber proposition. D, have launched both personal and commercial propositions. Or, E, have no plans to launch a cyber offering. So just going to give you a minute to respond to that question. 

All right, we’re already seeing early results. So far, researching is the top category. Followed by, have no plans. So the two extremes are the ones that are being voted on the most so far. Looking like there hasn’t been much change, so that’s interesting. We’ll keep discussing that.

All right, so I think that having worked in the insurance industry for a couple dozen years, the industry is built to respond in times of crisis. It’s what I’m most proud of, having worked in this market for so long is that time and time again when catastrophe strikes, insurers are the first to take a leadership position in communities and societies and help guide how to get through these crisis moments. 

I have never seen anything like I’ve seen over the last few months with our partners around the world and how quickly they were able to adapt from being a predominantly bricks and mortar setup, to going completely remote, literally not within weeks’ time but within days’ time. That productivity is still maintained at the level that it was before, it’s just amazing. So the industry steps up and this challenge has proved again, that the industry can step up in the most trying of times. So we’ve seen the largest of companies go fully remote within no time and not miss a beat. So it’s kudos to everyone the line for supporting their communities with remote access. The same plays true for CyberScout. We’ve had to step up as well, our operation centers went fully remote in about three days’ time. We were just astonished that the operations team could step up to deliver. 

The industry has also looked at how the risks are changing. For example, with folks driving less and offering rebates or discounts or waivers. We’ve seen the industry pop up in providing financial support to their customers. But also, education. The industry is known for being the educator around risk and I have seen such an outpouring of content from ICMIF, from ICMIF members, and from insurers all over the world, trying to help people who are now at a work from home situation. Guide them through what to look out for, what the new risks are, what the exposures are. So really, what we’ve seen is the industry again step up in this mega catastrophe, mega event, with the tools that they’ve always relied on to guide folks through these risk management challenges. 

At CyberScout, what we definitely have seen is a co-mingling of commercial and personal exposures. We work on the commercial lines side and on the personal lines side. We’ve seen really the cases coming in. They have started out as a commercial exposure, maybe from somebody’s business laptop but as a result and in a personal identity theft or fraud scan, or vice versa. So we’ve seen basically the lines get blurred between commercial lines and personal lines. Really, it comes down to, how are you going to support and equip people through these crisis moments regardless of how the events were caused. So we decided early on to expand our offering and remove any business restrictions on our personal products and expand our commercial offerings to be able to support communities that were being impacted as a result of being targeted at home because the vulnerabilities were showing. 

In addition to that, we’ve seen a great increase in overall researching, as showed up on the last question. Insurers looking at personal, cyber, and commercial offerings, especially for SME businesses. We’ve seen a major increase just in the last three months in insurers looking to expand their traditional business package policies or private lines policies to include cyber. That has been literally in every continent. We haven’t seen like in the past where the United States was a leader in offering cyber insurance and other countries were slower to catch up. We’ve seen personal cyber in SME launches across all continents. So it really has become a global trend. I think that global quarantine helped spur that along where insurers were finally realizing that they needed to respond to this risk. This risk was now not in the future, it was right in front of them. So that’s what Tom’s going to be talking about and covering in a minute. 

But before we get to the next section, I want to get to the next question. So the next question is, what is the biggest challenge or impediment you’re facing in launching a cyber offering? A, executive concern over cyber aggregation or catastrophes. B, lack of internal expertise to develop and launch a cyber program. C, competing priorities with other initiatives. D, lack of customer or agent demand, or E, other. Give it a minute to get your responses in. 

Great, just another 30 seconds, we should have the responses popping up. Oh wow, this is an overwhelming one. So it looks like lack of internal expertise is definitely the top issue that’s holding back launching cyber programs. So thank you so much for your responses. 

Now let’s get into where the risks are at. Google reports just last week that they block over 100 million phishing emails a day. They just reported that 18 million of those are currently COVID related. So as we all have been adapting to this quarantine and to this new normal of working from outside any given office, basically the scammers and hackers have not slept. I think the global quarantine has inspired them to be even more productive in this time. In my lifetime, in my career here at CyberScout, I haven’t seen so many new scams popping up so quickly across the gamut of both financial harm, hacking, and ransomware attacks, et cetera. The COVID theme has become the scam theme of today. 

Really, it runs the gamut from impersonating sites that you’re commonly visiting, your banking sites, government sites. Government fraud is at an all-time high. We’re seeing the US governments basically working with UK governments and other governments to try to put out notices and information around all the scams that are happening. We’ve seen unemployment fraud, COVID relief fraud. We’ve seen mortgage and tax fraud, the cases are getting even more complex to handle because they’re usually intermingled with social engineering scamming. So people get credentials from you and then they’re literally trying to monetize that in a variety of ways. Unfortunately, government relief are a soft target. Governments are trying to get the funds out there to people and the qualifying information can be maneuvered, can be manipulated. 

We’ve seen cases, for example, basically accountancies that were hacked and their customer data was exfiltrated or taken out of the systems. Under the accountancy’s name, false tax filings being made so they could get returns before the accountancies found out about it. We’ve seen consumer issues, we had a case a few weeks ago of an avid bicyclist, enthusiast who bought new biking gear and he opened up his laptop to start work the next day and the laptop was moving at a snail’s pace. He couldn’t process anything. So he called in for support and what we found is that where he had purchased this biking material, they impacted his system with malware and his computer was turned into a botnet. So his computing power was being used to hack other people’s systems. So just all sorts of cases that show the vulnerability for people at home. 

The COVID relief is one aspect of it from a financial standpoint, but there’s also all sorts of scams around cure-alls for COVID, blood and saliva samples from COVID survivors are being sold falsely. So trying to give people false inspiration that they can solve this crisis with one quick purchase. Really, that’s what hackers and scammers tend to do. They catch you at your weakest moments, they catch you when you’re off guard. They try to create a sense of immediacy. You have to respond immediately. Scare Ware is a good example of that where they’re saying you’re infected, your systems are going to be destroyed, you need to act now. We all let our guards down and just act without really thinking about, is this real or not. That’s what scammers really play on is that potential of catching you off guard. 

In addition to the stimulus check, people trying to steal stimulus checks, we’ve seen tech support scams. So basically, people going out and saying, “We can help fix your systems.” They’re trying to gain access to credit card information, et cetera. We’ve seen sextortion scams, so people say… you get an alert to your computer saying your camera has been impacted. Now we can see everything your doing. We’ve seen investment scams, so basically people saying, “Invest now in this new scheme. Act now or you’re going to lose out on this great opportunity.” 

All of this comes down to the fact that more and more of our time is being spent in front of a screen. Prior to quarantine, the average number of hours a person was on their phone per day was about five. The average number of hours that people were in front of a screen in general was about nine and a half hours per day. All of the studies I’ve seen since the quarantine hit shows that that’s increased at about 40% or more. It’s hard to predict exactly but the surveys I’ve seen have said at least a 40% increase in that. I think now that there’s no sports and no entertainment to go to, we’re using these screens and these devices for all, everything. Business related and personal related entertainment. So really, it’s the hackers, the thieves go to where the people are and really are able to make hay in this environment where there’s such a just a huge portion of people being online. 

The other thing, it hasn’t abated, but it has evolved, are just general cyber risk events. So the number one risk event over the last two, two and a half years across all cyber insurance, the number one claims type have been ransomware. So ransomware has gotten more and more adaptive over time. Really, these are not just individuals, these are black market enterprises. We’re talking about sophisticated businesses. Starting towards the end of last year, so if you’re familiar with ransomware, it’s literally just locking up your screen and you get a demand saying, “If you don’t pay this ransom in bitcoin with the next period of time, all of your data will be destroyed.” So that’s usually the entry point to the crisis moment of a ransomware attack. 

But what’s happening now starting late last year is what’s called double extortion. So what we’re finding is not only is that first stage happening where they’re ransoming your data, your information. They’re also threatening to publish your data now. So the second tier is that now they’re saying they’re going to exfiltrate your data, they’re going to expose all your most sensitive information to the public, and asking for higher demands because of it. 

The highest profile event was with Travelex, so if you’re familiar with Travelex when you traveled in the past. They had to pay $2.3 million in bitcoin for a ransomware demand because the attackers were threatening to post sensitive customer and client data up on a website. It’s gotten so bad that now every major strain of ransomware has a public site that is publishing all of this data. So if you don’t pay that ransom, now they’re going to be publishing customer data, IP data, anything that would be considered to be either financially harm or simply just embarrassing. 

One of the major ransomware firms out there has their site, it’s called the Happy Blog. So it just shows you that they’re not just doing, that they’re making fun and monetizing all of this information more and more every day. So we’ve seen ransomware continue to rise, and then this double extortion component, it’s just another component that we have to address. It impacts other aspects of the cyber insurance in response because not only are you doing the forensic investigation, now you have to deal with a privacy event, most often if your customers or employee’s data has been exposed. So the sophistication, the amplification of cyber events is definitely on the rise and definitely being fueled by quarantine and more than likely post-quarantine lifestyle. As work from home becomes more common than ever and bricks and mortar approaches to staffing maybe become less common over time. I think we all become more vulnerable to cyber events because we’re now viewed as a target not just for our personal exposures but for our business exposures. 

One example of that is, we just handled a case for a major broker that you all know the name of. Two of their partners were both impacted with an unemployment fraud scheme. So basically somehow through social engineering scamming, what have you, they got access to those two executive’s personal data. A range of employment filings were made in their name. So now they were basically a full-blown identity theft situation arose stemming from that business data exposure. 

That’s some background material. I’m going to switch over to Tom in just a minute to get into the heart of, what is the insurance industry doing about it? What private lines or personal lines offerings are out there? What commercial lines offerings are out there? We’re going to start with some case studies too to tell you about what’s really happening in the world during this time around insurers that are stepping up to expand their offerings to now include cyber protection. Tom, I’m going to turn it over to you. 

Tom Spier: 

That’s great, Thanks Matt. My name is Tom Spier, thank you guys for having me. My job title is Commercial Director for Global Markets at CyberScout, but a big part of my job when I’m out there is working with insurance companies in an outsources product development capacity. So I was looking at this survey question that you guys answered before. Your answers that you gave today, I really see as really reflective of what we’re seeing from the industry as a whole at the moment. So we’re seeing cyber risk be really, really associated with this new way of working. We have post-pandemic and probably to last a long way into the future. That’s meant the other competing priorities the insurance companies had when it came to product development, are starting to fall away and cyber is becoming more and more of a priority when it comes to a product development timeline. The second thing that I took away from your survey answers was that the biggest gap that insurers have to following through on that is the expertise gap. 

Often, insurance companies are using CyberScout to fill that expertise gap. So I just wanted to start today by highlighting a few examples. There’s just three examples that we have of where we’ve worked with mutual and cooperative insurers over the last three months on putting a program in place, that either addressed a risk specially associated with the pandemic or is an acceleration of a program that was already in the works. 

The first one that I want to go through is a program that’s being launched by a mutual incorporative insurer. Essentially, this insurer had bene in the research phase for personal line cyber insurance for quite a long time. It’s always been on their agenda on their product development pipeline. They really saw the pandemic and the way that people are changed, their working styles and working routines, as an incentive to accelerate that program and make sure that program could come to market as quickly as possible. The way that they brought that program to market is by embedding personal line cyber insurance into their high net worth personal lines portfolios. So they have a high net worth household insurance package, and they’ve built cyber insurance into that as standard. They’re effectively saying that cyber risk is out there as a risk, alongside fire or theft or any of the other perils that will be really a top priority for these risks. 

What they’ve realized though as they’ve begun to implement this is that they also have this large, small, and medium sized business book, a commercial lines book. They didn’t feel that they could launch a program for their personal lines customers and ignore their commercial lines customers, particularly their small business customers. As Matt was saying earlier, it’s becoming more and more common for these events to blur the borders between personal events and commercial events. We’ve made moves over the course of the first half of this year to try and make sure that our services are all-encompassing so that if somebody has a personal lines program that we support, we’re able to support some business exposures that they may have, and vice versa. 

This mutual insurer decided that they were going to launch a cyber risk help line for their small business customers. It meant that it was something that they could put in place very, very quickly. They could roll out immediately, and meant that there was some assistance being provided to their small business customers, as well as their personal lines, high net worth customers that had a program that had been in the works for quite a long time. What’s great about the help line concept is that it’s completely free to access, there’s no cost, no risk of those customers having to make a claim as a result. It’s in place for a limited period of time. So it helps to show that they’re supporting their small business customers during this time. 

Matt Cullina: 

Actually, Tom, if I can interrupt. I think we’re ready for another question. All right, so we’re going to go to our third question of the day. Here’s a looking forward question. By 2023, what percentage of the global mutual insurance market will offer SME cyber insurance to its policy holders? A, less than 15%. B, 15% to 25%. C, 25% to 50%. D, 50%, or E, 75%. 

So this commercial lines exposures and additions to cyber. All right, so it’s looking like 15% to 25%. So we’re roughly a fifth to a quarter of the market, everybody’s thinking, will have some sort of cyber offering for their SME cyber insurance. So let’s quickly get to the next question, which gets into personal lines. Same question, by 2023, what percentage of the global mutual insurance market will offer personal cyber insurance to its policy holders? A, less than 15%. B, 15% to 25%. C, between 25% and 50%. D, over 50%, or E, over 75%. Again, we’ll give you a minute to respond. 

All right, so it’s a little bit more hopeful on the personal cyber side. Again, it’s to the next category, 25% to 50%. So a lot more bullish on personal cyber than SME cyber. So, good insight. Back to you, Tom. 

Tom Spier: 

That’s interesting. So moving onto the second program. Really, this insurer that we were working with wanted to enhance all of their products that they had to encompass both their personal lines and their commercial lines customers. So this was a major project to embed. A personal cyber insurance offering into their personal lines household portfolio, and then a commercial lines cyber insurance proposition across their small business portfolio. Now, it was a major project, over 1.5 million insurance policies that we’re talking about there. It was a real concerted effort to launch this over a period of time. The launch date was coming up this summer anyway, and as a result of the pandemic, this insurer saw an opportunity to really respond and use this planned rollout as a way of really trying to help people during a difficult time and address this emerging concern. 

They completely switched their rollout strategy. So whenever you develop a new insurance proposition, I’m sure you know, if you add it to an existing product, it’s normally added at the renewal of each policy. So it takes a year to roll everybody onto the program. Now, they didn’t think it was particularly fair they were enhancing all of their products to include cyber insurance. Potentially, that some of those customers that weren’t going to see the benefit of that until May, June, July, 2021. By which time a lot of that crunch, a lot of that immediate danger that people are suffering because of the pandemic and the way that they’ve moved online, would’ve passed because they’ve had time to adapt their businesses to a new way of working. 

They decided that they were going to put the program in force immediately for their entire customer base. So it meant that the service was provided more as a benefit of being the customer of this mutual insurer. All of those customers got immediate access to expert support. It meant that from the day after the launch if anybody had any kind of problem, then they were able to immediately move and assist with that. 

The third program that we are talking about today is a situation where we’re not talking about the size of insurer that we were in the previous two examples. There are many, many mutual and cooperative insurance organizations that are very small. They serve in specific communities, specific industry sectors, and have really been developed to serve a bespoke community. They’re great because of the level of customer service that they can give. They can provide bespoke advice and coverage and really tailor their products to their customers. 

The downside of that is that they don’t have this enormous buying power. So they came out with an innovative pooling approach to developing a cyber insurance product. It meant that several small mutuals could get together, in some cases 20 or more, and they could develop a product under a single brand name that they could then roll out to their customers. That meant that they got interest from a re-insurer who could [back 00:32:28] the program. Use a single product brand to avoid confusion. It meant that they could share in marketing costs, creation of content, creating of collateral. They could design a product that fitted the vast majority of their customers. Now in this case, it was very low limit, very low premium, which could be embedded into existing package policies, personal lines or commercial lines, a very low technology list, very, very small investment in terms of building it into the portfolio. But it meant that they all got access to the same services as a much larger organization may be able to access. That meant that collectively, they could increase their reputation over a period of time. 

There’s a lot going on in the market and there’s many different initiatives that are being built, as I said. We just covered three there we’ve been in very, very recent conversations, very, very recent activities around. A lot of the activity that we’re seeing in the market is being driven based on the same conversations, the same principles that are beginning these conversations. So a lot of that, I believe, comes out of being a mutual insurance company. So the fact that you are owned by your members means that there is a different level of commitment, a different level of requirement to care about customers and to develop innovative products that really speak to emerging risks and stay one step ahead of where your customers need to be in the future. 

We’re seeing at the moment, an environment where the insurance industry is facing some reputational challenges with governments and around the world, in relation to their response. So we’re seeing some organizations scramble to produce positive stories, positive impacts from the pandemic. I don’t think the mutual and cooperative insurers fall into that bucket and that description. I think that the mutuals and cooperatives around the world, we’ve seen from the updates that have been going around from ICMIF, we’ve seen from various different initiatives that are being launched. They really have their customers, their members, at the core of what they’re trying to achieve. So that means that they’re doing the right thing in terms of keeping up with emerging risks, staying ahead of product trends. Everything that they produce is of particularly high quality, that the benefits can be shared equally amongst all of the members. So everybody receives a really similar standard of product. 

That fits in really well with a cyber insurance proposition. A cyber insurance proposition isn’t all about the coverage. That’s probably the first thing that we say when we walk into our first meeting with a product development hat on with any insurance company, is that there are several different components to building a cyber insurance proposition. Obviously, there’s financial risk transfer, financial risk transfer is important but this is about providing educational services to customers, helping to reduce their risk by providing access to information and guidance where they wouldn’t have had it before. Trying to offer them the knowledge that they need to prevent these events from happening. It’s offering proactive tools and access to technology that’s going to start to reduce that risk over time. 

Real prevention tools or early warning system tools that have an underlying benefit for the product? Yes, but more often than not, are very highly valued by these customers because they prevent bad things from happening in the first place. That provide proactive guidance, this is a confusing, difficult to navigate topic for a lot of people. People are not used to speaking to their insurance company just when they’re not sure about something. So making sure that there’s a service in place that’s going to have them looked after just when they need some advice, just when they have some questions, just when they’ve received that weird looking email and they don’t know whether it’s genuine or not and they just want to speak to somebody who knows a little bit more about these things than them, providing them access to those services. Then of course, providing them access to expert remediation services as and when an event needs to happen. 

Most of our customers, most of the industry, they really see and wrap up the benefits of having a cyber insurance solution, generally into four main areas. The first is retention. So they are better placed to retain their existing customer base, increase the level of customer loyalty that they’re experienced, through the fact that they are developing new products and they are addressing emerging risks. Customers feel like they have increased value from their insurance relationships when new products are being developed, when innovative covers are coming out. 

The other side of it is when these insurance covers proactively address some of their concerns. It’s all well and good selling somebody another piece of paper with a promise on it, but if you can tangibly provide them some risk management guidance, some proactive risk prevention tools, as well as the insurance standpoint, as well as the insurance element, then that’s all the more valuable. That helps to build customer loyalty and customer retention. 

The second is revenue. So obviously these offerings are normally rolled out across the board at the base level and provided to everybody as a product upgrade. But of course, there are always upsell opportunities that are related to those. You’re able to supply increased, enhanced coverages. Standalone programs for very sophisticated or high risk groups of customers. That helps to build premium base. Again, increases the range of products that a company can offer and therefore the number of products that one particular customer can have from an insurance organization. 

Third is relevance. So cyber risk is the big thing that a lot of people are talking about right now, the new way of working. There’s a lot of educational content out there, there’s a lot in the news and that’s going to remain the case for a long period of time. To be seen as a company that is responding to that news, and quite often at the moment honestly, being the first company in a particular market or in a particular country to respond to that news and these movements in the market, is an incredibly valuable thing. We always say once you’re the first in the market to do something, nobody can take that away from you. You’ve got that label forever. So it’s been very, very important to a lot of our customers, particularly our partners that we’re talking to of late, that they are first in their particular market to launch, or that they do go bigger than everybody else, or that they do have this strategy that enables them to set themselves apart in a messaging standpoint. 

The fourth element is risk reduction. So it’s really important that the insurance companies are able to offer a broad set of covers that really respond to the risks that their businesses are facing at the moment and increase the diversity of the portfolio that they have and the portfolio that they operate. So adding these cyber coverages helps to influence that overall product mix, and means that there’s premium income from different risks at one time, which does improve the overall risk profile of an insurance organization. 

I think though all of those elements are important all of the time, whether we’re in a pandemic or we’re not. I think there’s some additional things that have come out of our conversations recently that’s really caused insurance companies to act now, as opposed to, yes, we’re going to introduce a cyber insurance program. The very first question that we asked at the start of this conversation was, what stage are you at in cyber program development? Most organizations are in that research phase. I hazard to guess that if we asked that same question a year ago from now, that we would’ve gotten a similar answer. That research phase has been going on for quite some time and really now we’re seeing a step change in that and some additional pressure to get these programs to market. 

A part of that is around brand perception. So again, the insurance industry generally has taken a bit of a beating in some countries around their response to coronavirus. This is something that genuinely helps to address an emerging risk. So it can be very, very useful in making sure that you’re not put in the same bucket or tied with the same label as some of those insurance companies who are responsible for that perception. 

There’s a real support across the world that we’re seeing right now from regulators when it comes to product enhancements. So if normally in many, many countries around the world, you need to file product wordings with the regulator, get those approved. Right now what we’re seeing is that if your product is designed to respond to a risk that is rapidly increasing as a result of the environment that we’re living in today, that regulators are incredibly receptive to fast tracking these approvals and making sure that these products can roll down in short time to the customers. 

Balancing the books, we’re see a rapid change at the moment, in terms of which products are most profitable. So very, very profitable products in the past are now not very profitable at all. Some products that have been struggling to make a profit in the past are now making large profits. So as a nonprofit organization, that balance has been thrown out, and this is just a good way to diversify that portfolio. 

Obviously, you’re filling the gap that a lot of people have in terms of cyber protection. Many people see what we’re going through the moment as a crisis of many different types. It’s not only a medical process but there’s a cyber crisis, there is. These products are responding to people in the event of a crisis. People want to know, especially right now, that they’re not going to feel out of control in the future. This is one way to let them know that they’re going to be supported if something unexpected should happen. This is another worry that you as an insurance company, as a protection company, can take away from, from them. 

It’s immediately actionable, these things can be rolled out very quickly, in comparison to many other insurance products. We’ve really seen how fast insurance companies can move when they want to recently. So this is something that can be brought in in very short timescales. Again, it’s widely applicable, we’ve said, right, through this presentation. You’ve seen the examples that this is a risk that really applies to everybody. It’s no different to a fire risk or a theft risk. So it means that you can immediately roll something out to a large customer base and you know that everybody is going to equally feel that benefit. 

I’m going to stop there, hand back over to Matt. We’d love to hear from you guys around questions, comments, experiences. Really, try and open the floor and get a feeling of the specific challenges that you guys are experiencing. 

Matt Cullina: 

Thanks, Tom. That’s exactly what we’d love to see. So you can verbally ask questions, if you want to type it in to go to, we can entertain the questions as well. As we’re waiting for our first question, I definitely say that there’s definitely relevancy to the re-insurance community here, in that all the programs we see be researched, developed, and launched, include frontline re-insurance components. All of these turnkey type solutions. So the re-insurance decision making is really integral to the product decision making for these cyber launches. There’s several re-insurers in market that offer really great cyber solutions for both private lines and SME. So there’s lots of options for you as a buyer on that front as well. 

Let me kick things off with a first open ended question. It is, in your opinion, name a top example of an insurer or re-insurer, that has launched the best cyber program. Again, if you want to take your phone off mute and respond or simply just type your question, we’d love to hear from you. Who’s at the top of their game on cyber programs? 

Ben Telfer: 

If somebody does want to say anything, they do have to raise their hand above than just enabling their mic. Perhaps while we wait for somebody to raise their hand, there has been quite a few questions in, Tom and Matt. So perhaps we’ll ask them and if anybody is brave enough to put their hand up, please do.  

A quick question for you guys. You mentioned the expansion in cyber products in the last three months. Could you perhaps explain this a bit more? Have you seen that from a certain side or type of insurer? Has that been more on the SME or personal side? Have you seen it in markets where there’s perhaps been a strict lockdown than others? 

Matt Cullina: 

Tom, I’ll turn that to you. 

Tom Spier: 

Yeah, I think it’s been pretty evenly spread across the board, in terms of where we’re seeing it from. It’s always been people who have had this in their mind for a year or so, right? So I’m not saying that there’s a company that hadn’t even contemplated introducing a cyber insurance program and then went from that to launching in the last 12 weeks. It’s always been someone that’s been somewhere along that development pipeline. Definitely there’s a strong skew towards the personal lines approaches, it’s probably 75% personal lines programs, 25% small commercial lines programs, that we’re seeing in development right now. So people have realized that there’s a need to address risks that individuals have. Individuals now have company laptops at home, they have laptops at home that they never had before. They’ve got their kids doing their schoolwork and their homework on the same computer that might be being used for work or to do their accounts or to their online banking. So there are fewer physical controls that you can put in place to that. So they’re looking for insurance and to help to transfer that risk. So it’s definitely skewed towards the personal side. 

I don’t think that government lockdown measures have particularly influenced the way that the general public have thought about this pandemic. I don’t think it matters how strong the lockdown has been in your particular country. You turn on the news and every day it’s story one, story two, story three, and story four, more than likely is related to the pandemic in some way. So we haven’t really seen more move towards cyber insurance solutions in countries that have had more stringent lockdowns to address that directly. 

What we have seen is more of an effort to introduce positive reputational programs in countries where the regulators have acted more strongly against insurance companies. So there’s a more active base of insurance companies trying to do the right thing where perhaps a government is being more critical of the insurance industry generally. But those are the broad trends. 

Ben Telfer: 

Thanks, Tom. Another question again related to that difference between personal and SME. Of course, you put up the slide and you asked the audience about whether they see the market in 2023, just asking what CyberScout’s opinion on that. Where do you see the trends and areas of growth in the cyber market and over the next three years and that difference between the personal and the SME? 

Tom Spier: 

I think everybody operates in closed loops, right? So one of the great things about ICMIF is it brings a set of insurance companies together that broadly speaking, don’t really compete with each other in a big way. They’re all very similar, have a very similar ethos, but that’s not how you’ll operate in your own markets. Each individual country market is incredibly competitive. So it’s really important that your product portfolio is up to scratch. 

So typically what we see is that the first company to launch gains all of that reputational advantage, that first mover, that we’re responding to the new threat, the new exposure. Then many of the other insurance companies, they’ll be fast to follow insurance that all want to make sure that they experience as much of that good will as possible. They want to be seen as being quick to innovate and to develop their product. Then you move to another stage where it becomes normal. Part of the checklist that a broker will tick off when they look at any package policy, part of the checklist that you see on a price comparison website when you go to buy your home insurance or your car insurance, will be that it contains protection against cyber risks. So at that point, absolutely everybody needs to move towards it. 

So I think by 2023, I think that we’ll see some larger numbers than the group said, if I had to stick my neck out. 

Matt Cullina: 

Yeah, usually for these development cycles, within a three to five year period for most markets that we’ve been involved, it gets upwards of 75% adoption rate amongst insurers. So there’s a tipping point within that year three period where the first movers and early adopters have so influenced the market that then it just becomes a me too approach, and everybody else feels that they need to launch something in response. 

Ben Telfer: 

Thanks, Matt, thanks, Tom. Another question here. They’re just asking, can you say something about video conference and security? There’s obviously been quite publicized issues with one particular platform. Are you seeing a new type of risk emerging because of people using video conferencing a lot more? 

Tom Spier: 

Sure, well people always… if I’m being completely honest, the guy that logs onto the video conference and expects that to be secure is the guy who’s really the blame here. There is no such thing as secure video conferencing, there never has been. So I think it is slightly unfair to single out specific platforms as being more secure or less secure than others. The way that these platforms are built is they’re designed to be collaboration tools, and therefore they’re designed to be very, very easy to use and very, very easy for people outside of your organization to use. Therefore by definition, they’re not going to be incredible secure. I think therefore, it’s being slightly unfair in my mind to single out some of these companies and to subject them to scrutiny that perhaps other platform providers have not been subject to. 

The way I would always describe this risk is, it’s similar to many other risks that are out there. It’s about education, it’s about getting people to understand what steps they need to take to protect themselves and their data when they’re in these situations. So make sure the sensitive material is not discussed in an open forum. Make sure that you’re using a separate meeting invite for each individual meeting, that you’re not using a general meeting room or your personal meeting ID. Make sure that you’re setting passwords to enter meetings, make sure that you’re not recording meetings unnecessarily or if you are recording meetings that you make sure that everybody’s aware of that and express the consents to it. Make sure that chats are not being saved or they shouldn’t be saved, and the location if they are being, that that location is secure. It’s really about education of use as opposed to avoidance or usage of one particular platform or another. 

Matt Cullina: 

I do think it speaks to just, we’re using these tools so much now that it’s creating more worry, right? We’re over relying on these tools during this time, and I really think that that’s causing a lot of the anxiety. We see this question in many forums and have put out materials, similar to what Tom just described to best practice materials. But it just shows you that once you start to over rely on tools, the fears and risk just spark up. 

Ben Telfer: 

Thank you Matt, thank you, Tom. Just time for one very quick question. We seemed to have run out of time with these great discussions. The question is, we’ve obviously seen this mass move to companies all around the world to remote working. There must be gaps in cyber security. Are you anticipating an increase in attacks or breaches? What would the time lag be before these are discovered or reported? Has this happened already? 

Matt Cullina: 

Well, I definitely think we’ve seen the trend increasing as we talked about a little bit at the beginning of this session, for sure. What it comes down to is, social engineering scams are effective because they really catch you when you’re least resistant. I think in general, working from home creates that atmosphere more than being in a brick and mortar work environment. So I think that organizations are getting smart on the quick around these topics and are really trying to figure out how to improve their security over time, while making accessibility optimum. I think as we start to see what organizations do, once quarantines are lifted and things go back to a certain sense of normal, what’s going to be the new paradigm and what percentage of employees ultimately will be working in an office location versus working remote? 

In my mind, the trends are definitely going to increase in the short run from a cyber risk increasing, targeted attacks on people that have sensitive information that can be exploited, both business data, as well as personal data, is definitely what’s happening right now. I see that increasing well into the future, but I also see organizations getting smart about it and really trying to figure out how they’re going to design their systems, processes, and employee approach in this new normal. I’ve seen already that companies are definitely leaning towards continuing remote as a predominant type of work. So you’re also going to start seeing solutions that don’t exist today that are going to better the security environments. So I see improvements, technologies and software and really just getting smarter around this, happening over time to help combat the increase in risk exposure. 

Ben Telfer: 

Thank you very much, Matt. I think we’re going to have to close today’s webinar. Thank you, Matt, and Tom, so much for delivering an excellent presentation with some great insights into the future trends and also some really good practical advice as well. 

Matt Cullina: 

Thank you all, it’s our pleasure. 

Ben Telfer: 

If anybody has got any further questions for Matt or Tom, please do send those in. If you’re watching the recording, please email and I’m sure Matt, Tom, anybody at CyberScout would be happy to answer your question. A final thank you to Tom and Matt for joining us today.  

The above text has been produced by machine transcription from the webinar recording. ICMIF has made every effort to ensure that transcriptions are as accurate as possible, however, in some cases some text may be incomplete or inaccurate due to inaudible passages or transcription errors. Listening to or watching the webinar recording will allow you to hear the full text as delivered during the webinar but this is available in English only. Our transcriptions are provided to enable members to select the language of their choosing using the dropdown menu above.