Following the recent WannaCry ransomware attack, Hermes Marangos, a partner at London law firm Signature Litigation LLP, explains why cyber security is an immense challenge for insurers – and why, in the light of recent events, everyone should now be aware that the dangers are very real.
Cyber security is an immense challenge for many businesses. Its latest global manifestation recently arrived in the shape of the WannaCry ransomware attack, which affected multiple organisations in nearly 150 countries. No longer just an IT concern, it can affect any sector, as demonstrated by WannaCry’s devastating consequences in parts of the NHS.
For sectors with substantial IT systems, such as healthcare and insurance, an informed strategy is needed to deal with the problem and to manage the potential risk exposure.
Beyond the use of ransomware, data outsourcing and insufficiently skilled or trained staff often pose the greatest cyber security risks.
As highlighted by various studies, organisational failures are numerous. A recent report by the Institute of Directors confirmed that most companies either have an inadequate cyber security policy, or none at all.
In the light of recent events, everyone should now be aware that the dangers are very real.
Cyber security in healthcare
Cyber Security in Healthcare (CSIH) already exists as a dedicated platform for the NHS, its partners and suppliers. Its stated aim is working together to counter the increasing threat of cyber-attacks, to ensure world-class information governance and to integrate new technologies into existing infrastructure.
Last year, its annual conference addressed ‘the growing recognition that cyber security poses one of the biggest operational threats to the NHS in the 21st century.’ The WannaCry attack underscored the point very strongly.
The U.S. Department of Health and Human Services (HHS) recently published a report for Congress which might act as a template for the sector.
Among its six key recommendations, covering governance, security, mechanisms and information sharing, perhaps the most valuable was a commitment to ‘develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities…and improve cybersecurity awareness and education.’
Employee behaviour and knowledge
However good a system, individual employee behaviour and knowledge are often the best line of defence.
Cyber attacks also increasingly affect the life insurance sector as insurers use more digital channels to develop customer relationships, promote new products and cross-sell their product portfolio.
This is driving investment in core IT systems (such as policy and claims) alongside more integrated enabling platforms: agency portals, online policy applications and apps for filing claims.
Such digital investments increase cyber risks for those with limited experience of operating in a multi-channel environment.
As life insurers increase their use of big data analytics which handle vast amounts of information, innovative ways to analyse data will need to be matched by equally innovative security to prevent cyber-attacks.
Meanwhile, regulation is increasing with cyber risk firmly on the agenda of the Financial Conduct Authority and the Prudential Regulation Authority.
Effective compliance is critical to ensure that the procedures and policies in place provide sufficient protection against cyber attacks – and that they are appropriately designed, fully implemented and rigorously enforced. The main focus is managing and mitigating risk at every level.
Risk management strategy
Having the right risk management strategy to cover every relevant risk is of paramount importance. Like any business, life insurance companies cannot face the prospect of business interruption – often the most important issue for many companies because of the potentially catastrophic consequences of an attack, as well as loss of or damage to digital assets, and reputational damage.
Life insurance and healthcare companies therefore need to have strong compliance with well-established protocols.
In this context, it is self-evident that IT security is paramount. But the reality is that many organisations still fall short of acceptable standards.
Inadequate protection, or a failure to maintain sufficient protection through regular updates to systems and security, can become evident when there is a cyber attack.
Cyber attacks can have damaging consequences beyond the immediate effect on the business: heavy fines, legal fees, and litigation.
Loss of customer trust
Equally, there may be loss of customer trust arising from concerns about data privacy. Since both sectors centre on trust, a major breach could significantly impact the company brand.
If it can be demonstrated that an organisation has failed to meet its contractual obligations by not keeping systems up to date or by having inadequate security, this may be regarded as the twenty-first-century equivalent of leaving your house with the doors unlocked and the window open.
In terms of liability, it can also create problems for directors, in-house lawyers, officers and consultants who are responsible for compliance. For each, there are potential legal ramifications.
Whether in healthcare or life insurance, compliance professionals have key responsibilities at every stage: to ensure that systems and processes are in place, that they are regularly updated and that staff are adequately trained to follow protocols and procedures.
Cyber insurance policy wording
As the use of dedicated cyber insurance policies grows, risk managers need to examine the legal language used in each policy to determine whether losses arising from cyber incidents are excluded.
The wording relating to cyber-attacks, where there is a remote connection with terrorism or counter-terrorism activities, needs particularly careful attention.
More than anything, the ransomware attack is a pointed reminder to the market that serious legal repercussions can follow if proper protections are not put in place or adequately maintained.
Marangos is also a vice president of the insurance institute and author and co-author of books on reinsurance and war risks and terrorism and associated wordings for the international market.