Three years after NotPetya became the most expensive malware attack of all time, the insurance industry is changing the ways cyber risk is assessed, writes QOMPLX President of MGA/MGU Operations, Conan Ward, for the publication Carrier Management.
June 27th will mark the third anniversary of the outbreak of NotPetya, a devastating piece of "wiper" malware that is believed to be the most costly malicious software of all time. But NotPetya was a watershed not only for companies but also for the insurance industry, which saw claims for more than $3 billion in insured losses, mostly collected under the "Silent Cyber" cover.
In the three years since NotPetya, the insurance industry has responded, particularly in the ways cyber risk is assessed. In an article in the most recent issue of Carrier Management, QOMPLX President of MGA/MGU Operations, Conan Ward, writes that NotPetya also changed industry thinking about what makes a good cyber policy. "A good cyber policy is a bespoke document that brings a complete coverage toolset from other lines of business," he writes. "That may include an embedded service element. It should reflect who attacks, how and why they attack, and what needs to happen when they succeed." A variety of elements must be addressed in a good cyber insurance policy, including who, intentionally or unintentionally, is responsible for the cyber breach, Ward writes.
Pricing cyber policies is another challenge. Without an understanding of the threat-asset matrix, pricing is challenging, inaccurate, and opaque. “Pricing cyber policies fundamentally comes down to understanding the unique nature of threats, network assets those threats might exploit, and the defenses and resiliency of the insured,” writes Ward.
The industry has begun to adopt practices that allow for greater transparency, which in turn strengthens risk management. While a large amount of work still needs to be done, cyber policy is moving in the right direction.