Matthew Cullina and Tom Spier talk to Gemma Gregson about cyber-insurance, mobile technology and hacking
Matthew Cullina, chief executive officer of IDT911, a US-based cyber-security, data and identity theft protection firm, and Tom Spier, director of business development for the UK and European markets at IDT911, speak to The Actuary, and provide an overview of cyber-insurance while also sharing their thoughts on some of the issues facing the cyber-insurance industry across the globe.
What does cyber-insurance cover?
Tom Spier (TS)
Cyber-insurance policies cover losses caused by an attack on a company's computer systems, including remediation for investigations into a data breach, project management, and forensic and legal analysis from a data privacy perspective. A policy may also cover notifications to third parties who may have been affected by the breach and pay for services such as credit monitoring and identity theft resolution. In offering these services to third parties affected by a data breach, companies can minimise the reputational damage caused by such a breach.
In terms of coverage, how do companies deal with the overlap between physical and cyber-risks?
(TS) There is no standard definition and there are grey areas. For example, some companies have previously thought of cyber as loss of data, and crime as loss of money, but what if someone manipulates data to steal money? It is likely that insurers will start bringing cyber into general commercial combined policies as a different head of loss.
Matthew Cullina (MC)
It is an area that is likely to develop as technologies evolve. Take small start-ups - an area of the market that has been under-represented so far - but there are policies out there for small companies who just want basic coverage. They need something that gets them in the game, otherwise it is not on their radar. If anything should happen, they haven't got the expertise and resources to deal with it, so cyber-insurance is the missing piece for them, and cyber-coverage as part of an existing policy is attractive.
How is cyber-insurance priced?
(TS) The biggest factor affecting price at the moment tends to be the number of records that a business holds, but it can be difficult to get hold of that figure, so turnover is often used as a proxy.
(MC) Underwriters will consider factors such as what type of data is held by a company, the number of records held and for how long, and also how data is destroyed.
Do policies come with attaching terms and conditions requiring companies to take action to mitigate cyber-risk?
(MC) Any cyber-product will come with conditions.
The larger the product, the more onerous the conditions. They generally revolve around best practice for data security and protecting the ecosystem rather than specific conditions. For example, there will be guidelines on passwords, firewalls and encrypting documents in transit.
Is that educational aspect an important feature of cyber-insurance?
(MC) Absolutely. Providing risk management ahead of time, or crisis management if events should happen, can be beneficial. We are also seeing some insurers getting excited about how to motivate. For example, some policies will offer no deductible if the customer uses suggested experts. They are trying to create an environment that gets to the right behaviours.
(TS) There is so little data that the easiest way of understanding the issues is to give people an education piece so that they can understand the risks. Adoption rates for cyber-insurance are low, but the recent changes to EU legislation have been a catalyst for increasing that.
Can you tell us more about the recent legislative changes, in particular the General Data Protection Regulation (GDPR), which aims to strengthen online privacy rights and boost the digital economy?
(TS) The GDPR is a reform of the EU's 1995 data protection rules. It was agreed in December 2015 and came into force in May across all EU member states. Countries have two years in which to enforce the regulation. The old rules were about how the people holding the data should behave, whereas the new act is all about the data subject and what they have the right to and can expect from companies holding their data. As an example, under the old rules, a photo on Facebook was not classed as personal data, but under the new rules it is.
The new rules also bring in changes for businesses. From May 2018, companies that fail to notify a data breach within 72 hours could be fined a significant sum.
(MC) It is important that people don't become a victim of fraud as a result of a data breach, so disclosure is important.
What impact do you think Brexit might have for the UK in terms of the GDPR regs?
(MC) In effect, there is no short-term impact. The UK remains part of the EU and will be so past the imposition of the GDPR. In the medium term, with the UK economy intertwined with Europe's, privacy legislation being fairly uncontroversial and UK companies needing to conform with GDPR in order to harbour Europeans' data, it is overwhelmingly likely that the UK will either adopt the regulation permanently, or pass something almost identical through its own parliamentary system.
How do the laws surrounding data privacy in Europe compare to those in the US?
(TS) The attitude of a right to privacy is amplified in Europe compared to the US.
(MC) In the US, privacy is connected to people's wallets and all laws speak to that. It's all about financial harm rather than privacy violation.
Does the constant evolution of mobile technology and initiatives such as 'bring your own device' to work present challenges?
(TS) Hackers are becoming more advanced, and we are seeing different trends, such as social engineering, where people are tricked into divulging confidential information, and malware, which disrupts or damages a system.
(MC) There isn't a high proliferation of mobile malware yet, but, to me, that is just a matter of time. The use of mobile devices is reaching ubiquity and businesses that offer privacy and data security give a company an advantage. Mobile devices are our most intimate things; they know our contacts, our internet searches and what we buy. People see the value of apps that provide extra privacy protection against a backdrop of being watched by governments. Take the cases of when Facebook-owned WhatsApp announced end-to-end encryption, and Apple took a stand against the FBI - these make their reputation stronger for regular users.
Have you seen any changes in the nature of cyber-crime?
(MC) These days the motivation for cyber-crime has gone beyond just stealing identities. The Panama Papers data leak, where journalists around the world secretly analysed financial information on offshore entities before going public, shows that there are lots of different motivations, including politics and terrorism.
Even for identity theft, cases are becoming more complex, and the use of crypto-currencies such as Bitcoin mean that transactions are not trackable, so it can be very hard to trace behaviour to the source.
(TS) The issue of cyber-crime can be a challenge for insurers. Take ransomware - malicious software that blocks access to a system until money is paid - insurers have to consider whether it should be covered under a cyber-policy. While it is clearly a cyber issue, there is a moral risk because the money could be funding crime or terrorism.
What role is there for actuaries in cyber-insurance?
(MC) Actuaries are under-represented in the area of pricing cyber-risk. Insurance companies are also hungry for data and there could be a role for actuaries in that area as we see an increased use of predictive analytics to understand risk better.