Are silent cyber and behavioral risks in your line of sight?

Insurers need a more holistic view of cyber exposure.

December 13, 2017
| United States
Aerial view of evergreen trees with Emphasis title text

By Adeola Adele, Anthony Dagostino and Mark P. Synnott

With silent cyber exposure and related behavioral risks on the rise, how do insurers get better visibility into the full spectrum of cyber risks?

An ever-evolving cyberthreat landscape requires that insurers examine cyber exposure through a broader lens. Our research shows that two sources of cyber risk merit increased attention: silent cyber exposure and behavioral risks.

Silent exposure

Silent cyber exposure can push up loss ratios on policies not specifically designed to cover cyber risk. Examples of silent cyber exposure could include a cyberattack on an industrial plant’s control system causing a boiler explosion, resulting in widespread property damage and business interruption, or malware triggering an elevator failure, leading to multiple casualties. Policy payouts will vary depending on policy wordings and the specifics of individual cases. However, these and many other examples illustrate the potential for silent cyber losses.

How significant an issue is silent cyber exposure for insurers? To find out, we conducted a survey on the likelihood and potential financial implications of cyber-related losses in cases where policies specifically neither included nor excluded cyber risk.

The survey focused on four broad insurance lines of business: first-party property, third-party auto liability, third-party other liability and workers compensation. Approximately 750 leaders and experts at more than 70 insurance companies and groups around the world as well as within Willis Towers Watson participated in the survey.

We asked respondents to gauge the extent to which cyber exposure would increase the likelihood of a covered loss over the next 12 months. Roughly half of industry practitioners see the risk of silent cyber exposure as growing over the coming year.

Using the range of responses — from 0% indicating no additional losses due to cyber exposure to 100% indicating as many cyber-related losses as non-cyber-related ones — we converted these into a silent cyber risk factor. For example, a risk factor of 1.01 represents one cyber-related loss for every 100 non-cyber-related losses.

Variations across business lines and industries

Our findings, detailed in the Silent Cyber Risk Outlook report, reveal considerable uncertainty over the potential degree of silent cyber exposure (Figure 1). For instance, more than half of respondents estimated the risk factor for silent cyber losses from property or other liability policies as 1.01 or less. However, close to a quarter reported the risk to be greater than one in 10.

Figure 1. Silent cyber risk factor by line of business

Figure 1. Silent cyber risk factor by line of business

Source: 2017 Willis Towers Watson Silent Cyber Risk Outlook

Responses regarding anticipated silent cyber risk varied across lines of business. Respondents perceived the risk to be lower for auto liability and workers compensation policies than for property and third-party other liability. In fact, more than three-quarters of survey participants estimated the risk factor to be 1.01 or less for both auto liability and workers compensation policies. While for the auto liability line this may suggest that accidents involving technology vulnerabilities would be treated as product liability losses, it is not as clear why respondents would perceive the risk for workers compensation as low.

The potential impact of silent cyber exposure is more readily apparent in results for the higher risk lines of property and other liability coverages. While the median risk factor for both of these lines is 1.01, the mean risk factor is higher: 1.07 for other liability and 1.074 for property policies. Assuming a 60% loss ratio for a book of property business excluding cyber-related losses and a severity distribution for silent cyber losses that was the same as for the other losses, silent cyber exposure might cause the loss ratio to rise to 60.6% using the median view and 64.4% using the average view.

In looking at estimated silent cyber risk across industry groups, the lower risk lines — auto liability and workers compensation — showed little variation. However, our finding uncovered significant industry differences for property and other liability policies (Figure 2).

Figure 2. Silent cyber risk factor by industry

Figure 2. Silent cyber risk factor by industry

Source: 2017 Willis Towers Watson Silent Cyber Risk Outlook

The respondents viewed industry groups that regularly handle consumer information — hospitals/medical facilities/life sciences, IT/utilities/telecom and financial services — as higher risk for liabilities losses. Interestingly, the retail/hospitality group was perceived as lower risk even though this group suffered several major data breaches in recent years.

As for property lines, the industrial/manufacturing/natural resources groups were not regarded as particularly high risk despite the fact that some of the most well-known examples of silent cyber property losses took place in industrial settings. But respondents did view the IT/utilities/telecom and financial services groups as higher risk, which may be an indication of perceived utility and communications infrastructure threats.

An ongoing effort

Overall, the results of the survey highlight the need for underwriters to adopt a more holistic cyber risk insurance strategy that can effectively include tailored policies to address the risk of silent cyber exposure. Our survey was conducted prior to the WannaCry and NotPetya attacks. An expanded follow-up survey, planned for early 2018, will examine how perceptions of silent cyber risk may have changed since these two major events and other cyber-related incidents.

The insider threat

Another source of cyber exposure that needs to be brought into sharper focus is the human element. Willis Towers Watson 2016 claims data revealed that two-thirds of cyber claims are caused by employee negligence or malfeasance, including the loss of laptops, the accidental disclosure of information or the actions of rogue employees. In fact, 90% of all cyber insurance claims are the result of some type of human error or behavior if one includes claims that result from talent deficits in IT departments and lack of employee engagement.

The 2017 Willis Towers Watson Cyber Risk Survey examines the range of employee behaviors that can result in cyber breaches and reveals that many employees lack the necessary “cyber IQ” to protect company and client information even at a basic level. For instance, 45% of employees responded that it’s safe to open any email on their work computer — a revealing response when compared with the growing number of employers that conduct phishing tests to limit the email scam that targets personal information.

Other behaviors that can leave an organization exposed to cyberthreats include: (1) using a work computer or cellular device to access confidential company information (experienced by approximately 40% of employees), (2) logging into a work device on an unsecured public network or using a work computer in public settings (about 30%), and (3) taking confidential paper files home and using unapproved devices to do work at home (roughly 25%). In addition, roughly a third of employees share personal information (e.g., date of birth, employer name, job title) on social media sites, which can leave their organizations vulnerable to phishing and other social engineering attacks.

These findings make clear that to underwrite cyber risk in a comprehensive manner, insurers must be able to track the extent of risk inherent in employee behavior and identify measures to mitigate the insider threat.

Assessing the internal risk culture

An organization’s culture drives employee behavior. Culture generally refers to the shared set of values, principles, assumptions and beliefs that influence how work gets done. Our research indicates that employers are eager to build a culture of cyber risk awareness in their organizations in order to promote cyber-savvy behaviors and lessen their exposure to cyber vulnerabilities. And their goals are ambitious. While fewer than half of employers have a formally articulated cyber strategy currently in place, over 80% want to have cyber risk management embedded in their company culture within the next three years.

To begin this journey, it’s essential to understand how cultural factors can increase or decrease cyber risk arising from employee behavior. For example, organizations with a customer-centric culture encourage employees to develop strong customer relationships and anticipate customer needs. As employees adopt a customer-centric mindset, they will take the necessary actions to safeguard customer information, which, in turn, can serve as a line of defense against cyber risk.

An employee feedback tool, such as the Willis Towers Watson Cyber Risk Culture Survey, can help identify the cultural factors that influence employees’ cyber risk awareness, responsibility and accountability across their organization. Such a tool can be used to monitor the different aspects of cyber risk awareness, such as the clarity of roles and responsibilities for data security, a personal sense of responsibility and the effectiveness of security awareness training. It can also track behaviors at the individual and organizational levels, including frequency of cyber-smart behaviors, the ability to locate information about data security and the speed of organizational response to data security events.

By assessing the awareness of cyberthreats as well as the effectiveness of employee and organizational behaviors, the Cyber Risk Culture Survey can help companies identify employee segments that leave the organization vulnerable to employee-driven cyber incidents.

In addition, companies can compare their survey results with those of their industry peers and organizations that have experienced major cyber breaches. These results enable organizations to develop plans to bridge gaps in their cyber risk management plans.

A new risk scorecard

Employee feedback data can help underwriters broaden their approach to cyber risk assessment and provide an invaluable insight into the cultural factors that drive or mitigate cyber risk within an organization. For example, our research reveals that employees in companies that experienced data breaches give their companies significantly lower scores in the area of training compared with the opinions from employees in high-performing companies. While employee training in cybersecurity has traditionally been part of the risk assessment process, underwriters can now begin to ask more relevant questions about a company’s investment in tailored training, including how often employees participate in training and for how many hours, whether the company conducts customized phishing exercises as part of the training and more. More important, underwriters can start to gain a broader perspective into those employee behaviors that create vulnerabilities.

This approach will help underwriters develop a new risk scorecard that effectively assesses the human element in cyber risk, resulting in a more complete picture of an organization’s risk profile.

A holistic perspective

The growing concern over silent cyber and internal people risks is a wake-up call for underwriters to change the way they view cyber exposure. By adopting a more holistic perspective, underwriters will have a clearer line of sight to the full spectrum of cyber exposure. In turn, this approach will enable them to unlock opportunities to improve their underwriting practices and help organizations develop or improve their risk resiliency.