Resilience in the Age of Cybercrime

March 31, 2023

The insurance industry has been shielding society from the unexpected for hundreds of years, but with the onward march of technology, new risks, such as cyber, are starting to challenge the resilience of the traditional insurance model.

But insurance has always been inherently adaptable and, as Mike Palotay of Tokio Marine HCC (a member of the Tokio Marine Group) explains in the following article, that willingness to find new solutions to new problems ensures the Tokio Marine Group will continue to thrive and support clients and communities across the globe.

Mike Palotay, President, Cyber & Professional Lines Group, Tokio Marine HCC

Insurance has never shirked from taking on the big risks, from earthquakes and cyclones to huge infrastructure projects and new medical developments. But there is one emerging risk that promises to test insurance to its limits – cybercrime.

While not a new phenomenon, the frequency and severity of cybercrime have increased exponentially in recent years, with Cybersecurity Ventures estimating that cybercrime inflicted damages worth $6 trillion in 2021. If cybercrime were an economy, it would be the third largest in the world. What’s more, with the cost of cybercrime predicted to increase by 15% annually, it will reach $10.5 trillion by 2025, threatening to push China from the number two economic spot.

While the insurance industry has absorbed risk on behalf of society for centuries, losses on this scale start to beg the question as to whether insurance is the answer to the growing cyber risk or if some other mechanism is required.

Mike Palotay is President of Tokio Marine HCC’s Cyber & Professional Lines business, one of the largest international divisions of the wider Tokio Marine Group. For him, cyber insurance is a viable product, but perhaps not in its traditional risk transfer format. Such is the unique nature of the cyber risk, Mike believes that the industry has no choice but to come back with a unique response to this emerging threat, or clients may seek out an alternative approach.

“All business processes have been radically and rapidly transformed by technology,” he says.

“It started with software, then the internet, followed by cloud computing and now companies are more interconnected than ever, resulting in greater interdependency and increased risks. Just as Covid brought the ‘just in time’ supply chain system to its knees, there is a parallel here that small problems with certain key players in the technology supply chain could cause a cybercrime ripple effect.”

As one of the world’s leading specialty insurers, Tokio Marine HCC is expert at dealing with complicated and emerging risks. A threat that is ever-changing and hard to pin down, cyber presents one of the most significant challenges the industry has ever faced.

“One of the big problems as a cyber insurer is figuring out which third party risks our insured are exposed to in their supply chain,” says Mike.

“We can do a great job of evaluating their cyber exposure, understanding the vulnerabilities in their network and putting in place controls to manage those, but if we don’t know about all the third parties they are working with, it can result in a large loss if one of those vendors goes down. It’s a very complex landscape.”

Traditionally, it has been the big financial institutions, healthcare providers and payment processing firms that have been the target of hackers due to the value of the data they hold. But the landscape has changed, and every business is seen as a valid and potentially lucrative target.

“Industries such as manufacturing, industrials and even infrastructure are not as well protected, as they weren’t being targeted in the past. But that has changed, nobody is safe,” Mike warns.

“You cannot bury your head in the sand and hope you are not going to have a problem. Companies need to be seriously investing in protecting themselves and making sure they are staying abreast of the latest attack trends. It’s our responsibility to help our clients do that.”

He concedes that the cyber issue can be a tough one for smaller organisations to get their heads around, never mind formulate an effective defence against it. As they have not been traditional targets for cyber criminals, Mike fears that there are dangerous pockets of complacency throughout the economy.

“The goal for hackers in attacking smaller companies is usually to get Bitcoin ransom payments. They have streamlined the attack process so much that it is relatively cheap to launch a successful ransomware attack against a business. You can log on to the dark web and buy a ransomware toolkit for less than $100,” he reveals.

“It is much easier to run these attacks today, which has lowered the barrier to entry for hackers. When you can do it relatively cheaply and not spend too much time doing it, it is attractive to go after targets that aren’t prepared or protected.”

The range of threats is very broad – from ransomware and malware to DDoS and phishing attacks – with Cybersecurity Ventures estimating that a ransomware attack occurred every 11 seconds in 2021.*1 More than that, everyone is a potential target, with Gartner predicting that by 2025, 45% of worldwide organisations will have experienced a cyberattack on their software supply chain.*2 Bearing this in mind, where does an insurance company start in identifying the key risks?

“Cyber insurance carriers are very concerned with aggregation risks. For instance, if a large cloud provider went down, it could result in business interruption losses across an insurer’s portfolio or a large data breach that results in the compromise of medical records, potentially impacting countless individuals,” says Mike.

He explains that as there aren’t 100 years of loss data to refer to (the traditional underwriting approach in insurance), every insurer is operating in uncharted territory. But the risk is real and highly organised, which has prompted Tokio Marine HCC to take a different approach to meeting the challenge.

“Cybercrime is highly organised. There are numerous ransomware gangs, with organised structures and hierarchy, that operate like any other organised crime gang. And as they are mainly based in Eastern Europe and Russia, they are largely out of reach of western authorities,” says Mike.

“Then you have countries like North Korea that are using these kinds of attacks as a significant fund-raising operation for their governments. Many are state sponsored attacks for financial benefit.”

Facing this threat with a traditional approach to insurance just isn’t feasible, which is why Tokio Marine HCC has moved beyond simple risk transfer and into something that seeks to provide proactive security up front rather than purely compensating for a loss.

“We decided it wasn’t enough to be a cyber insurance carrier. We need to be a cyber security company as well and we’ve built an in-house cyber threat intelligence department to meet that need,” Mike explains.

“The team is focused on the emerging, technical trends in the hacking community and are completely plugged into the security community. For example, recently, there was some chatter about a new vulnerability that had been discovered. There hadn’t been any notable attacks at the time, but our team identified the exposure very quickly and we changed our scanning to actively search for it.

“We found that about 100 of our clients had the vulnerability and we worked with them to protect their business before they suffered an attack.”

He says that this proactive, security-led approach meant that when the attacks did start, not one of his clients was exposed and, as is the habit of hackers, the attacks moved from the protected to focus on the exposed.

“It’s about creating resilience,” says Mike.

“It is a risk management partnership and a two-way street. Performing a security role as well as a traditional insurer role means we can have a meaningful impact on the security of our clients. But for that to work effectively, we need them to quickly address any issues that we find.”

“Fortunately, most take security very seriously, and are quick to mitigate any issues. Since we introduced our new threat intelligence approach, the frequency of ransomware breaches among our clients has reduced by 80% from the 2021 peak.”

This flexibility, this willingness to rethink how the insurance industry reacts to emerging threats, means that whatever the (digital) criminal fraternity throws at the world, the cyber insurance market can quickly adapt and react.

“It feels like Spy vs Spy sometimes,” he says.

“We help our clients address a new concerning vulnerability, and then the criminals move on to something new, and the process starts over. This kind of cat and mouse game can only be played well if you have the deep technical expertise needed to stay ahead of the trends.”

“Cyber criminals are always going to look for new ways to attack, and we are committed to doing everything possible to reduce the risk for our insureds.”

Michael Palotay joined Tokio Marine HCC in 2019 when the Houston-based insurer acquired NAS Insurance. Initially, as Chief Underwriting Officer, Michael was focused on maximizing underwriting profitability, product development and overall business development. He continued in this role within the Cyber & Professional Lines group at Tokio Marine HCC until January 1st, 2022, when Michael was appointed President of the group, where he continues to focus on delivering innovative products and services that drive success for its clients, partners, and employees.