The property/casualty insurance industry must change its approach to cyber security and update its coverage approach to help minimize risks, FireEye Inc. Chief Technology Officer Grady Summers said.
“I don’t think we can easily separate cyber risk and property/casualty risk anymore,” Summers added during the 2015 PCI conference in Hollywood, Fla. “There is a lot of room for improvement.”
Summers said that P/C insurers have made strides but have a long way to go in how they shape cyber security coverage.
Cyber risk is becoming much more intertwined with property coverage, such as homes that are more Internet-connective through everything from thermostats to online home security systems, Summers said.
“What if an attacker is able to access a home security system and disable [it] to facilitate burglary?” Summers asked. “Or worse yet, in my area, every new house of a certain size has to have fire sprinklers. What if someone figures out how to trigger remotely? The division of property and cyber risk is blurring very rapidly.”
Summers said that insurers now better understand direct cyber risks such as stolen customer financial data, business continuity, stolen intellectual property, physical damage and cyber terrorism. But those advances are only first steps toward fully grasping losses related to cyber, he said.
For example, Summers argues that it is hard to put a price tag on cyber-theft of intellectual property, which means modeling those risks and understanding those losses remains a struggle.
“How do you put a price tag on a next-generation gas turbine or water filtration system or new model train that will be more efficient? We are in the first inning of understanding how to model cyber risk and understanding what types of loss there are,” Summers said.
All of that said, he noted that FireEye and other cyber security companies have learned about risks, and Summers passed on some of this to P/C insurers and reinsurers.
Among them:
- A company’s risk level is only as good as its worst connected partner. Cyber security can be increased in response to one breach, but “so many companies have thousands of network level connections to their partners,” Summers said.
- Few companies truly understand their sensitive systems and how to protect them equitably.
- Security is not a point-in-time check, where one check is done and then a system is left alone.
- “You have to keep security continuous,” Summers said, adding that if a company is not responding to breaches, it must also do hunting and continue to look for network attacks.
“No company can stop 100 percent of attacks, but response preparedness determines the damage,” Summers said. “They way you respond will keep you from being a headline. Hire the right people, and build the right people to absolutely minimize losses.”