Cybersecurity is the top technology concern of advisors and broker-dealers, according to polls done by the Investment Adviser Association and Investment Advisor magazine.
Addressing this issue are cyber insurers, who work in a market that could grow to $17.6 billion in 2023 from about $4.5 billion today, Orbis Research says. Driving this growth are factors like data breaches and the growing use of cloud-based services.
To look at the risks facing cyber insurers today and the limitations of this coverage for financial and other firms, ThinkAdvisor spoke at length with Sid Yenamandra, the co-founder and CEO of cybersecurity firm Entreda.
Yenamandra, who is well-versed in the potential causes of a major cybersecurity-related disruption, addresses the overall threat posed to the financial industry by cyber attacks in an earlier interview. In a third (and final) interview, he explains what actions financial firms are and should be taking to improve their cybersecurity.
ThinkAdvisor: What level of cyber risks do large insurance companies have?
Yenamandra: This is a question that goes to the core of what we do as an organization. At Entreda, we work with independent broker-dealers and insurance firms to help them manage cybersecurity risk for their firms. We try to assess the risk holistically within organizations like AIG.
[Insurance companies do] run the risk of being susceptible to a cyberattack, but are they overextended? In the event of a major attack, I might be overstating it a bit, but I definitely think that big insurance companies have risks.
There are two points that this brings up. AIG is an underwriter of cybersecurity risk insurance policies for a lot of organizations. Are they overextended in terms of their risk model? Do they have a good way of assessing the risk of an organization before writing a cyber insurance policy for that firm?
The answer is that today insurance companies are struggling, because there isn’t a lot of actuarial science in the area of cyber insurance. And that’s actually a problem the industry is grappling with.
When it comes to auto insurance or home insurance, there are years and years of data that you can use to build risk models around. But when it comes to cyber, it’s been an issue [only] in the last five to seven years.
There just isn’t a lot of actuarial science around this to help firms make better risk decisions, so they’re writing insurance policies based on self-adaptation from a lot of firms.
TA: Could you tell us more about the risks involved today in cyber insurance?
Yenamandra: Firms like AIG are at risk from a risk-modelling standpoint. Internally, firms like AIG have a network of insurance agents that are writing policies for their clients.
There’s also a cyber risk … at a corporate level from having a network of agents who are independent contractors … in many cases, agents that are running their own business and have their own office locations. They have their own devices, they have their own networks.
It’s like the Wild Wild West, because AIG and other firms struggle to manage or supervise cybersecurity risk on the part of those 1099 contractors. A large insurance firm might have 5,000-plus reps out in the field.
They might be spending a fortune on cybersecurity at the home office or the corporate office, but what are they doing at the fringes? How are they helping the small advisor, small insurance agents or the agency that has five employees, their own devices, their own networks, their own apps in many cases?
It’s unregulated, all right.
There are risks that firms have both from an operational standpoint of corporate risk, but also from a product-risk standpoint around their insurance policy. We think that there is a considerable amount of risk — we might not use the phrase overextended — but I would say they’re operating at a high level of risk as a business.
There are also a lot of bad policies out there. Read the fine print of the exclusions list!
Firms think, “Yep, we’ve got insurance, so if we get attacked and we’re a victim of cyberterrorism, we’re going to get paid out and we’re protected.”
But if you read the fine print, it will say you needed to do the following seven things [to be fully insured]. So the burden of proof falls on the organization to [show] that it’s doing the basic things when it comes to protecting itself.