Podcast Episode 117: Insurance Industry Confronts Silent Cyber Risk, Converged Threats




The Security Ledger Podcasts show

Summary: In this episode of the podcast (#117), we go deep on one of the hottest sectors around: cyber insurance. In the first segment, we talk with Thomas Harvey of the firm RMS about the problem of “silent cyber” risk to insurers and how better modeling of cyber incidents is helping to address that threat. In part II, we invite Chip Block of the firm Evolver back into the studio to talk about the challenge that “converged” cyber physical systems pose to insurance carriers as they try to wrap their arms around their exposure to cyber risk.

Editor’s note: as an experiment this week, we’re posting each interview as a separate download, to see if that makes it easier for listeners to jump to the content they’re most interested in. Use the comments section or Twitter (@securityledger) to let us know what you think or whether you prefer the single download!

Part I: not ransom…ransomware!

You’re a mid-sized corporation with a few thousand employees and offices around the world. A million years ago, you purchased Kidnap and Ransom insurance (or K&R in insurance industry lingo). The idea was to protect your company in the event that one or more of your executives was kidnapped in some distant, shady location. Sure, that seemed like an unlikely (though not unprecedented, see http://knowledge.wharton.upenn.edu/article/risky-business-kidnappers-target-global-executives/) risk. But what the heck? The insurance was dirt cheap.

Fast forward a decade. You’re still paying for your K&R, and now your company is facing a ransom demand…from faceless cyber criminals who have planted ransomware software on your network, locking down key IT assets and data.
The question your board and executives are asking is obvious: does that K&R insurance also cover the cost of paying ransom to free encrypted data from the grasp of cyber criminals?

That question, and a thousand others like it, is one of the main questions for insurance carriers and their customers. The so-called “Silent Cyber” risk – the degree to which existing insurance protections can be invoked to cover damages resulting from cyber incidents – is lurking on millions of policies. It was a major topic of conversation at the recent Cyber Risk Summit* (https://netdiligence.com/conferences/cyber-risk-summit-santa-monica-2018/agenda) in Santa Monica.

[Check out: Report: Organizations say IoT devices pose ‘catastrophic risk’, then shrug (https://securityledger.com/2018/03/ponemon-report-organizations-think-iot-devices-pose-catastrophic-risk-then-shrug/)]

One way insurance companies are responding is by improving their modeling of cyber risk. How they’re doing that, and how the output of those risk models might affect the kinds of cyber insurance that are offered to companies, is an area of expertise for our first guest: Thomas Harvey (https://www.linkedin.com/in/thomas-harvey-28475924), a senior Product Manager at RMS (https://www.rms.com/models/cyber), whom I caught up with at the Cyber Risk Summit.

In our first segment, we speak with Thomas about the fast-growing silent cyber risk problem and the equally fast-evolving cyber security marketplace. We look at how insurers are using data analysis and sophisticated modeling to better understand their exposure to cyber risk, including the risk posed by the Internet of Things.

Part II: Cyber physical risk is real. Are insurers ready?

When a buffer overflow problem causes an infusion pump to malfunction, whose job is it to address the problem?
Nurses and doctors don’t have the training to patch hardware. Hospital IT staff are overwhelmed and lack clinical training. Medical device manufacturers often take a hands-off approach to lifecycle management of their d...