To enhance combat against new risks like cyberattacks, insurance firms need to increase the amount of data they are tapping into, according to Adam Mitchell, Head of Risk Innovation at Chaucer.
Cyberthreats are becoming increasingly complex and widespread, providing firms with a seemingly endless battle to protect themselves and their customers. A recent study from Deloitte found that a cyberattack can cost from as little as $34 a month and earn returns of $25,000 – if an attack ups its efforts and spends $3,800 a month, it could earn $1m each month. With attacks needing so little overheads, financial institutions are clearly taking note, with a Deloitte report claiming 76 per cent of financial institutions have either recently completed an update of their risk management or have one in progress.
The biggest challenge for risk managers around cyber is that its very hard to pre-empt an attack, especially with the level of data financial institutions currently have access to. Taking hurricanes as an example, an insurance risk officer could look at historical hurricane events and conduct numerous simulations in order to build a realistic view of the world. This does not work the same way with the online threat. Cyberattacks are just not as predictable or monitorable. Mitchell said that instead of trying to second-guess cyber-attacks, it is more about being prepared and ensuring that the response teams ready.
Adam Mitchell said, “There’s a perceived threat to the large systemic cyber event which would cause billions of dollars of physical damage. This is yet to materialise. The challenge for us as risk managers and insurers, is to put a probability on the likelihood of this big market turning event happening, and that is very difficult. We can help to understand the problem by tapping into the big data capture and analysis capabilities of InsurTech; looking at the different kinds of data feed out there and approaching the problem in a new way to how we have typically approached something like hurricanes.”
To give these risk managers a better chance at evaluating the cyber risk and an augmented view of the cyber world, they are starting to access data from new sources. InsurTechs are the key to this and it’s where they ‘come into their own.’ There are companies which are offering things like cybersecurity scorecards, which can go a way to help an enterprise better acknowledge risk levels. There is also an array of different datasets being collected and utilised which is based on information not traditionally monitored. This is things like geographical spreads of certain risk, the type of cloud service providers being used or third-party service providers other insurers are using, he said.
“With cyber, the problem is not geographical. It could be linked through cloud service providers or industry sectors or Scada control systems. It’s a very different way of looking at the world and really understanding the interconnectivity between different risk types and different insurers. There are neat tools out there that help us look how connected an ecosystem is. Seemingly unconnected risks may actually be quite closely connected despite one or two points of separation. So, we can start to learn more about that again, through the use of third-party vendors.”
Although there are a variety of companies and tools out there, the difficulty is identifying what the correct tools or data sets are for these emerging risks, he said. It’s essential for companies to improve and strengthen their digital security measures, with a slew of recent attacks reiterating this need. Last month, Metro Bank was reportedly hit by a cyberattack which targeted codes sent through text in order to verify transactions and was part of a wider attack which hit a number of other institutions. According to a study from the UK’s Financial Conduct Authority, it found the number of data breaches reported by financial services increased by 480 per cent last year. Insurers were one of the groups to see a sharp increase, with 33 per cent more breaches reported in 2018 compared with 2017.
There has been an educational change and acceptance of the science behind the risks which the teams are trying to understand, Mitchell said. Underwriting is becoming more technical and scientific, and this is only going to increase in the future as the size of the data pool available grows and the technology available to interrogate it gets more sophisticated. AI technology has received a lot of praise, and it has its use in a variety of places in the insurance space, but for risk management, Mitchell believes more datasets are needed until it can really be useful for them.
Working with the InsurTechs
The InsurTech sector has been ripe for growth, and investment into the space has shot up over recent years. Last year, total investment into InsurTech companies increased by around 92 per cent, going from €1.6bn in 2017 up to $3.1bn, according to data by RegTech Analyst. Traditional institutions and InsurTech companies working together is only a natural development of the market. With Mitchell stating, “it would be naïve as an industry not to embrace the innovation which is offered through FinTech and InsurTech companies alike.”
Its this increased access to data which Mitchell is most interested in, as these new tech companies can improve their overall capabilities. It’s not just tapping into data scientists and computer scientists but working with wider organisation types. For example, with weather the insurer might interact directly with an actual meteorologists and geographers, to provide a more accurate picture of what would be underwritten around extreme weather disasters. Although this adoption has been slow over the couple of years, the market is starting to understand the global scale of risk. The prevalence of these cyberattacks has meant people can see it’s not a simple fix, but sophisticated tools are needed to beat these complex problems, and data is the key.
Not only do institutions need to gain more data but they also have to connect it across the business with Mitchell stating that an underwriter must have rich data and the results at his or her fingertips when sitting down with clients.
Due to the market being so hot for opportunities, it has left an oversaturated market, with institutions or investors having to sift through many different solutions in order to find the best fit for them. Chaucer approaches the market by looking to identify where the challenges are, rather than just innovating for the sake of it – for straightforward, well analysed and understood risks an excel worksheet can work fine and a heavily re-engineered and sometimes costly new solution will not do much to change the result.
He added, “From an InsurTech’s points of view, people have got to be careful not to come up with a solution before they’ve found a problem.”
Copyright © 2018 RegTech Analyst