10 Years in Cyber Risk
2009-2019: A Decade of Cyber Threats
The “10 Year Challenge” meme that made the rounds last month on Facebook and Instagram got us thinking about how things have changed in a decade in the world of cyber risk.
Looking back to the cyber risk landscape of 2009, it’s not a clear-cut narrative of change between then and now. In fact, it’s a bit like the people who shared their photos for the challenge: on the surface, much is new and different - yet certain more essential aspects remain unchanged.
First, let's look at the similarities. In a general sense, cyber risk was already well-known 10 years ago, at least in government, military, and tech, if not in the broader business community. That year, President Obama launched a White House cybersecurity office and focused a major speech on the subject. North Korea made headlines for alleged cyberattacks on South Korea. Twitter suffered its first high-profile distributed denial of service (DDoS) attack. Spear phishing was known as one of the top tactics for hackers. Many of these stories and topics wouldn’t be out of place if published today, with a few names and details changed.
But just as technology has driven rapid change in how we communicate and consume information on the Internet in the last 10 years, cyber risk has evolved and expanded. Here are three of the key ways that cyber risk has changed.
The Scale of Cyber Risk Has Exploded
First, scale. In 2009, the iPhone was only two years old, and Android was in its infancy. The predominant access point for the Internet was the personal computer and web browser, and most businesses still hosted their data in on-premises servers.
Today, our smartphone apps, speaker systems, thermostats, cars, and even household appliances are increasingly Internet-connected and thus are potential vectors for attack. Next year it’s expected that there will be 20 billion IoT devices in use worldwide; in 2009 that number was under 1 billion.
Meanwhile, this trend toward increased connectivity has led to increasing loads of data being collected and stored by businesses, who in turn have dealt with the task of managing and storing that data by turning to cloud-based storage options. Now, not only are businesses holding onto an abundance of data but it’s also being stored in a way that increases the attack surface - scattered on third-party servers that are often accessible through the web.
On the basis of scale alone, cyber risk is a completely different conversation in 2019 than it was in 2009.
Cyber Risk Has Gone Mainstream
Next is awareness. For business leaders, the last 10 years have presented a series of wake-up calls in the form of data breaches and ransomware attacks. Target and Home Depot in 2013 and 2014. Anthem, the major health insurer, in 2015. A slew of major businesses in 2017, including Equifax, Merck, Maersk, and more. All of a sudden, the cyber risk conversation spread from the realm of data centers and nuclear facilities into the mainstream of businesses large and small -- and their employees, personal computers, and customers.
An Allianz survey of business leaders puts cyber risk at #2 on a list of business risks, up from 15th just five years ago.
The Cyber Risk Conversation Is Now an Insurance Conversation
Finally, one that’s close to home for us at Corvus: insurance. While cyber insurance has been available in some form since the 1990s, it has only become a common, well-known option for businesses much more recently. Once businesses came to grips with the scale of the digital assets they had to protect, and the business risks posed by high-profile cyberattacks, they naturally looked to their insurers for help. The industry has responded, and now there are a number of options for cyber insurance, both from traditional insurers and from startups like Corvus who work with carriers.
Aside from the fact that there are more options to insure cyber risk, there is also far more in the way of information and knowledge suffused throughout the insurance industry. As with other complex commercial insurance products, insurance brokers are the preferred channel for businesses to get informed about and acquire insurance. Wholesale brokers and some retail brokers are increasingly folding cyber into their standard set of commercial offerings and developing institutional expertise in insuring cyber risk.
Part of extending knowledge about cyber risk is sharing data, something that is possible, and indeed welcomed, in cyber insurance today. This is a departure both from the cyber landscape of 2009 and from the traditional model of insurance. The digital landscape is constantly evolving -- and with new types of threats, and new vulnerabilities, popping up constantly, predicting risk is hard. That’s why, for insurers, gathering as much new data as possible about cyber risks is critical; and why sharing that data with brokers, and in turn with policyholders, helps to prevent claims and improve the products that get put into the market. Sharing data has become a cornerstone of our approach at Corvus, and makes cyber insurance unique within the field of insurance.
Looking Forward to the Next 10 Years
The last 10 years have brought massive changes to cyber risk, and the next 10 are sure to bring more yet. All of us in the cyber insurance field are working to ensure that in spite of its constant evolution, the cyber landscape becomes safer and more predictable by the end of the next decade.