Cyber Risk Insights from the AIG 2017 Cyber Insurance Review

June 21, 2018

I read with interest AIG’s 2017 Cyber Insurance Review. In a one sentence summary: cyber insurance claims are up, due to systemic ransomware and wiper malware attacks, the cyber business is booming, but we are still early in the market evolution.

Reading the report prompted me to ask three questions regarding Cyber Insurance:

  1. How well do insurance brokers understand cyber risk and cyber insurance?
  2. What percentage of businesses shopping for cyber insurance truly understand their cyber loss exposure in quantitative terms, and conversely how well do brokers understand their exposure
  3. What security controls and policies do businesses have in place that makes them a good risk vs a liability?

The report makes it clear that we are facing an escalating threat from sophisticated “ransomware as a service” operators leveraging advanced malware, stolen from places like the NSA, and widely shared.

Nation state threat actors and state-sponsored cybercriminals, operating at the highest levels of skill with virtually unlimited resources, have the ability to cause catastrophic failures of critical infrastructure, triggering systemic losses.

No industry sector is immune from cyber-attacks, as recent malware targets software versus specific companies or industries.

The words, “it won’t happen here” or “I don’t have any interesting data” remind me of those famous last words of ‘50s R&B singer Johnny Ace, who killed himself backstage when playing with a revolver between sets. “It’s okay, the gun’s not loaded.”

A Wiper malware or ransomware attack has the potential to kill a small business, regardless of how interesting your data. The report calls out vulnerability of SMBs who lack robust security and have poor backup discipline.

GDPR looms as a trigger for more claims, higher premium volume as well as an opportunity for criminals to extort payment from companies or threaten disclosure. It is unlikely underwriters will accept secondary risk losses from GDPR fines or class action lawsuits brought by shareholders following a breach.


1. How well do insurance brokers understand cyber risk and cyber insurance?

To answer this question, I asked Chip Block, Vice President of Evolver Inc. a VA-based systems integrator and key implementer of FAIR quantitative risk management method.

“It’s still early days in the evolution of Cyber Insurance. The market and providers are rapidly maturing but there are still a lot of lessons to be learned. Eventually the auto-insurance industry matured and provided common policies and codified the terms of insurance. This has not happened in cyber and we are years away from it.

What complicates this, and what I don’t think insurers have a good grip on, is the uniqueness and preparedness of different companies. The cyber risk of a manufacturing company worried about business interruption is very different than a healthcare company that holds large volumes of personal data.

Today, there is very little difference in premiums between a company that is mature in its cyber defense and policies, versus a company that is immature and under-defended.”

2. What percentage of businesses shopping for cyber insurance truly understand their cyber loss exposure in quantitative terms, and conversely how well do brokers understand their exposure?

Block continued, “Great question. Take a systemic event, like AWS going down for a day or two, due to a hack. This will cause chaos and widespread business interruption, resulting in tens of thousands of multi-million dollar claims for what the AIG report refers to as a ‘network interruption’ claim, potentially wiping out numerous underwriters. As we saw with the Mirai botnet, which knocked out relatively unknown Dyn for the better part of a day…the threat is real, it’s very significant and it’s scary and few companies understand and quantify it.

My company, Evolver Inc. helps businesses to quantify the losses from this type of outage and, based on this information, CISOs and Risk Managers can make better decisions on the policies, methods and technologies they choose to defend their environment and secure their data — and the cyber insurance required to offset potential losses.”

3. What security controls and policies do businesses have in place that make them a good risk vs. a liability?

We are in a new security paradigm and the traditional perimeter defense model is obsolete, yet the bulk of cyber defense spending is still going to legacy technology.

If you look at the claims data from the 2017 AIG Report, you will see that a quarter of claims came from malware or ransomware attacks caused by phishing and stolen credentials. Next were data breaches by hackers and then other security failures including unauthorized access. Clearly the current approach to security is not working as hackers continue to exploit the low hanging fruit, using phishing, weak passwords and poorly secured remote access, using relatively unsophisticated attack methods.

Industry analysts and leaders like Google have articulated a new model for security called “Zero Trust.” The Zero Trust model centers on the concept that users inside a network are no more trustworthy than users outside a network, and therefore no one is to be trusted.

A company that proactively promotes cyber hygiene, is mature in its implementation of Zero Trust Security solutions, which in addition to Identity and Access Management include encryption, network segmentation, antivirus and anti-malware are a far better risk than a company with weak security posture that relies primarily on firewalls and endpoint security.

Instead of the old adage “trust but verify,” the new paradigm is “never trust, always verify.”

Effective Zero Trust Security requires a unified identity platform consisting of four key elements within a single security model. Combined, these elements help to ensure secure access to resources while they significantly reduce the possibility of access by bad actors.

To implement Zero Trust Security, organizations must:

  1. Verify the user, using single sign-on, multi-factor authentication, and machine learning
  2. Validate their device, to ensure it not jail-broken, is using the latest OS version, and is running current endpoint protection software.
  3. Limit access and privilege, to prevent lateral movement in the event of unauthorized access for both malicious or curious insiders and threats.
  4. Learn & adapt to make real-time access decisions based on behavior of the individual.

    This approach must be implemented across the entire organization. Whether you’re giving users access to apps or administrators access to local or remote servers in the cloud, it all comes down to a person, an endpoint and a protected resource. Users include your employees, but also contractors and business partners that have access to your systems.


The AIG report concludes with an anticipation of significant financial consequences of business/network interruption through 2018, driving demand for cover and continued growth of cyber insurance market across Europe.

AIG anticipates the systemic nature of ransomware attacks like those seen in 2017 are just tip of the iceberg and predicts they will become more challenging in future.

Claims over next 12 months will be impacted by:

  1. Commoditization of Ransomware
  2. A spike in data breach losses later in year due to ransomware
  3. Continued influence of nation state actors against increasingly fragile and uncertain political backdrop

Organizations must prepare for the inevitability that systems and networks will be breached, implementing a robust risk management strategy and insuring they are indemnified for the full range of cyber exposures, including network interruption.

Zero Trust is a strategy and a journey that cyber security leaders must commit their company to in order to reduce cyber risk and avoid becoming a statistic in the 2018 Cyber Insurance claims report.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.