Over the last few months, my colleagues and I have had multiple speaking engagements and discussions with banking and payments professionals on the topic of business email compromise (BEC). Generally, these discussions lead to talk about a risk management strategy or approach for this large, and growing, type of scam. One way some companies and financial institutions are mitigating their risk of financial loss to BEC and other cyber-related events is through a cyber-risk insurance policy. In a recent conversation, someone told me their cyber-insurance carrier mandates that they get an outside firm to audit and assess their cybersecurity strategy and practices, or they risk losing coverage.

According to a recent Wall Street Journal article, some large insurers are even going a step further and collaborating with each other to offer their own assessments of cybersecurity products and services available to businesses. Their results, which they will make publicly available, will identify products and services they deem effective in reducing cybersecurity incidents and potentially qualify insured companies for improved policy terms and conditions if they use those products or services.

Cybersecurity vendors who would like their products and services to be assessed must apply by early May. They are not required to pay any fees for the evaluation. In light of the rising number of cyber-related events and increasing financial losses, along with the growing number of legal cases between companies and their insurance providers, this move by the insurance companies makes sense as a way for them to potentially reduce their exposure to cyber incidents. But it will be very interesting to see just how many cybersecurity vendors apply for participation in the program and how effective the insurers are at assessing the vendors' products and services. Moreover, for businesses, just using cybersecurity solutions helps them meet only part of the challenge. How they implement and maintain these solutions is critical to an effective cybersecurity approach.

Also of note in the Wall Street Journal article is a graph that depicts the percentage of a particular global insurance company's clients, by industry, that have purchased a stand-alone cyber-insurance policy. Financial institutions, at 27 percent, rank last. Perhaps they are more confident in their cybersecurity strategies than are other industries, or perhaps insurers have no attractive stand-alone policies for financial institutions.

The cyber threat today is serious. In fact, Federal Reserve Board chairman Jerome Powell in a recent CBS 60 Minutes interview, when asked about a possible cyberattack on the U.S. banking system, responded that "cyber risk is a major focus—perhaps the major focus in terms of big risks."

As the Risk Forum continues to focus on and monitor cyber risks, we look forward to the public findings from the insurers' collaborative assessment of cybersecurity products and services and will be interested to see if, over time, more financial institutions obtain cyber-risk insurance policies. I suspect the cyber-insurance industry will evolve in the products it offers and will continue to grow as companies look to mitigate their risks in the event of a cyber incident.

What are your thoughts on this collaborative effort by the insurers? How do you see the cyber-insurance industry evolving? And do you think more financial institutions (or perhaps your own) will acquire cyber-insurance policies?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed