Cyber Risk and Sanctions – known unknowns
Today’s world is digitally driven, and the odds of facing a cyber-attack are at their highest levels. It’s not a matter of if, but when a company will face a security breach. The number of cyber-attacks is steadily growing with 2018 marking a watershed moment. One report shows that in 2018, 765 million people were affected by data breaches and cyber-attacks – in the months of April, May and June alone.
The cost of cybercrime is increasing dramatically and can potentially be crippling to companies who don’t have adequate security measures in place. The Department of Health revealed that the WannaCry ransomware cyber attack cost the NHS almost $100m and led to the cancellation of 19,000 appointments.
The demand for cyber insurance is growing, but some insurers have kept out of the market, deterred by the complex nature of underwriting cyber insurance. Underwriters face significant challenges in pricing and monitoring cyber risk, especially when the attack techniques are constantly changing. No cyber-attack is the same as the other, which makes it challenging for underwriters to determine risk-adequate pricing and apply standard actuarial methods. Moreover, cyber risk is relatively new when compared to other mature risks such as marine risk and natural catastrophes, which means that underwriters have little historical data to inform their underwriting decisions.
EY’s Global Information Security Survey showed that 77% of organisations are still operating with limited cyber security and resilience measures in place, while 87% or organisations warn that they do not yet have sufficient budget to provide the levels of cybersecurity and resilience they want. Sobering stats indeed considering insured organisations increasingly connect with other parties, leading to the risk extending throughout those parties and all their connections. So, how do you understand a complex and highly dynamic set of risks across a web of interconnected organisations?
Pricing risk in cyber insurance is not without its challenges. Not only do cyber-attack techniques evolve after each breach, but compounding the issue is the vast amount and variety of data points that must be considered when pricing cyber risk.
In the digital economy, the boundaries between organisations are many and permeable, increasing the odds of vulnerable links dotting the entire chain. To stay competitive and efficient, organisations depend on the ability to exchange digital information quickly and seamlessly with customers, partners and suppliers.
This web of growing integration with third parties that stretches out across multiple degrees of separation between organisations significantly increases the chance of exposure to attacks along these vulnerable links.
Underwriters are already vexed when trying to analyse data from potential policy holders and obtain crystal-clear information about their own systems, users, policies and practices, especially as these can significantly change during the lifetime of a policy. This challenge expands and is compounded when the potential risk from all the connected systems in the web of third-parties is added to the mix, and critically, the systems to which those systems are connected. As many businesses work with the same third-party systems, the homogeneous landscape is fertile ground for attacks to mushroom along the entire ecosystem.
Allianz projects that the cyber insurance market could reach $20 billion by 2025. As cyber insurance coverage continues to be one of the fastest growing segments, it’s no surprise that many insurers are keen to get a piece of the pie. However, entering the cyber insurance market is not without its own risk given the scant availability of historical data, the constantly morphing attack techniques, the challenge in sourcing reliable information on each applicant’s security profile, and the extended network of their digital connections and beyond. Underwriters are well aware of the third-, fourth-, fifth- (and so on) party risks. The challenge lies in understanding what those risks are.
In the interconnected web of third-parties, there is the risk that one of those parties is a sanctioned entity. Sanctions can impact an institution’s information technology systems and operation, which increases the likelihood of data breaches. The regulatory authorities are increasingly investigating companies, specifically financial and technology service institutions who violate sanctions and embargoes, and the insurance sector is no exception. Since 2010, UK and U.S. enforcement agencies have issued over $U.S. 14 billion worth of fines against financial services companies.
In the U.S., the Treasury’s Office of Foreign Assets Control (OFAC) Cyber-Related Sanctions Program, clearly states that if an organisation continues to use products or services from a sanctioned entity, whether directly or indirectly through a service provider, it may result in violations of law, civil money penalties, enforcement actions, and reputational damage.
That’s why AdvantageGo partners with Northdoor to provide clients with the Sanctions Checker solution. Designed to ensure adherence to sanctions regulations, the partnership allows AdvantageGo’s clients to automate the process of checking names for potential hits against the designated lists that may require further compliance investigation or due diligence checks.
The solution is available through AdvantageGo’s cloud-based Microservices platform as a system-agnostic microservice that can be integrated into any platform or system. It is also available as a fully integrated service within Navigator, AdvantageGo’s underwriting, policy and claims administration solution.
Don’t be caught out. Compliance is not an option. Understanding and ensuring your business is compliance should now be part of any responsible insurer’s fiduciary responsibilities.
Find out more about AdvantageGo’s Sanctions Checker service
Find out more about Northdoor
Office of Financial Sanctions Implementation, HM Treasury