Emy Donavan: “Directors are now understanding what the cyber risks are”
Allianz, AGCS specialist Emy Donavan highlights executive and employee education as key to prevent major damage
As the national practice leader for cyber at AGCS, and before we get into cyber security, could you tell us a bit about yourself and your role?
When I came on to AGCS last October, there was no infrastructure for cyber: no policy and no underwriters. Now we have four underwriters in the US, two in Canada, and we are ready to launch the US-based cyber product. Personally, I’ve been in the San Francisco market my whole career, which is part of why I got into cyber so early. Some of the early adopters of purchasing cyber insurance were the people in Silicon Valley; there were some early policies out there in case of Y2K.
Would you say there has been an evolution on how cyber is viewed?
The US is somewhat ahead of the rest of the world in terms of understanding exposures – we have regulatory schemes that were put in place here that created an awareness around how consumers and also companies might be affected, in terms of the real costs that are associated with a breach occurring.
How has cyber become a driver for some of the better understood risks like business interruption and reputational damage?
Four or five years ago, I couldn’t convince somebody to buy a cyber policy if I gave them the premium to pay for it. Now, the real-world fallout and the media and press associated with very highly publicised instances have led to a greater understanding that cyber can cause reputational damage in those sectors, and boards of directors are starting to really understand what the risks are. For example, Home Depot just settled for about $19m to its customers for its 2014 data breach, but no one talks about that. It’s all about Target’s 2014 breach due to its lack of quality response: the Target chief executive was ousted, and people on corporate boards realised this could actually affect them.
There was a time when a cyber breach was something people didn’t talk about. Has that changed?
I think that probably still happens, and that’s the whole reason they put regulatory schemes in place around this to begin with. It was to protect consumers, because the initial reaction wasn’t to tell consumers they might have had personally identifiable information exposed; it was not to tell, in case of repercussions. When we look back over the last several years and the volume of hacking incidents, it looks like it’s just gone through the roof. However, I’m not sure that it’s that exponential, because really what we’re taking is data that was made available on a self-reporting basis, as we don’t have a mechanism for tracking this unless people report the incidents that happen. I think there was honestly a lot of under-reporting, either because people were afraid to come out and talk about it, or because they just weren’t really paying attention and just didn’t realise it was happening.
Over the last 12 months there’s been a particular increase in ransomware. I’m aware of a couple of instances with hospitals in the US, for example. Could you speak a bit on this?
The first ransomware attack that I was aware of happened in 2007/2008 and it was against a Virginia hospital. Somebody actively hacked into them, encrypted all of their backups, deleted all of their primary files and demanded a million dollars for the key. It was a targeted breach, and we’re still seeing echoes of that now. In a lot of instances, firms get hacked just enough for someone to end up on their system, move around under the radar, paying attention to the behavioural issues around internal sources so they can deploy these ransomware attacks in a targeted way. Human error still accounts for about two thirds of breaches, and that includes clicking on a phishing attack that ends up deploying a ransomware attack onto your system.
Why are hospitals a target for this?
Healthcare is a particularly rife area for being targeted, because there’s a lot of easily monetisable personal data available. In the US, because of budgetary issues, they’re probably the softest points to kind of poke your way into. It’s the lowest hanging fruit with the greatest return and, historically, healthcare hasn’t been as widely networked; security has been an afterthought.
Will we see more of these kinds of attacks happening?
I anticipate that these attacks will continue to happen, and will probably increase over the next 6 - 12 months at least. I’m very hopeful that there starts to be some recommended cyber hygiene kind of educational modules and things offered to employees in these sectors, because that would go a long way in stemming some of these things.
Speaking more broadly now: what are the pressure points when it comes to insurance cover, particularly in light of the newer cover?
I think there’s a big misunderstanding of cyber risk in the insurance sector generally. I’m not a crime or property underwriter; if there is an issue where someone calls pretending to be the CEO and tells an accounting person to wire money somewhere, even though that was enabled because they hacked the system, ultimately that’s still funds transfer fraud, and that falls under a crime policy. Some of the cyber policies have responded by doing very normative carve-outs as a supplement to the policy. AGCS has an extension cover under its property policy for physical damage as a result of a cyber event. But, for the industry’s books, that’s not a very good solution because everyone’s going to end up under-insured. There needs to be a balance of premium there.
And what about the Internet of Things? What role does it play in this picture?
The Internet of Things is also an issue. People have connected thermostats in their homes, and apps that lock and unlock their doors. Ultimately, if there’s a security breach caused by the software or a hacking incident then that might be a cyber loss; but someone stealing your phone and using your application to unlock your door and then going in and stealing from you, that is not a cyber loss, that’s a home insurance loss. The property people, and the crime people, because there’s a misunderstanding about what cyber covers, are trying to exclude it and push it into the cyber bucket, which is not sustainable in the long term. Right now, the largest cyber tower I’m aware of is about $510m, and that’s involving the US, London and Singapore. That’s about as much capacity as is available in the commercial insurance market for cyber. And when you think about the potential for risk, for any given company, it’s greater than that. And for the industry as a whole it’s certainly greater than that.
You’ve mentioned regulation and also the need for education, but how else is this being addressed by industries?
The payment card industry, for example, specifically MasterCard and Visa, put together the Payment Card Industry Data Security Standard (PCI DSS) to address their systemic risks. It’s aimed at their customers – the banks – and end users, who are the most porous point of potential intrusion. That’s a good example of non-governmental self-regulation, and I would love to see more of this happening. The American Hospital Association could potentially put together something similar. The more education goes out to executive level management and individual employees outlining what is at stake for their organisation, the better we all shall be.