Cyber risks weaken links in supply chains
Posted On: May. 1, 2019 12:00 AM CST
Supply chain-related cyber risks are an increasing concern for organizations as cyber attacks become more sophisticated, but risk management and insurance strategies to address the problem vary.
Large policyholders often seek coverage for the exposure, but smaller policyholders remain exposed, cyber insurance experts say.
Insurers are meeting the demand for protection by providing contingent business interruption coverage within cyber policies, sometimes for higher rates. But such risks create underwriting challenges for insurers, particularly surrounding the problem of risk aggregation.
Organizations are vulnerable to cyber-related disruptions at their critical vendors, which may sometimes be caused by criminals or state actors that use a vendor as the first step in reaching a target victim, experts say.
A cyber breach can have a “waterfall effect throughout the supply chain,” said Jon M. Boyens, cyber supply chain management program manager at the Gaithersburg, Maryland-based National Institute of Standards and Technology.
An organization’s cybersecurity program may be fairly robust in terms of its own security controls and defenses, so “what an attacker will do is start out within a firm’s supply chain,” Mr. Boyens said.
A study issued in November 2018 by Traverse City, Michigan-based Ponemon Institute LLC reported that 59% of 1,038 companies said they had experienced a data breach caused by one of their vendors or third parties.
A survey of 589 business continuity professionals by the Caversham, England-based Business Continuity Institute issued in November 2018 found they consider cyberattacks and data breaches their most “concerning” challenge over the next five years, according to the association’s BCI Supply Chain Resilience Report 2018. These risks ranked third, behind unplanned information technology outages and adverse weather, as a major source of disruption.
Experts say cyber-related supply chain risks are often associated with ransomware attacks. This was the case in the March incident involving Norwegian aluminum maker Norsk Hydro ASA, which recently reported it was back to near normal several weeks after suffering a ransomware attack that led to production outages.
Norsk Hydro’s experience has raised awareness of the issue, say observers.
“We’re having a lot of dialogue with first-time buyers,” said Stephanie Snyder, Chicago-based senior vice president and national sales leader for cyber insurance with Aon PLC.
But there remains a lack of awareness with some buyers, say many experts. “Not enough due diligence is going on to understand the IT security makeup” of entities “to make sure there’s no cross-contamination,” said Bernard Regan, director at BTVK Advisory LLP, a London-based forensic accounting firm.
“I don’t think it’s necessarily being effectively sold, and there’s a lot of education and further understanding that needs to happen before the demand will really kick up,” said Brad Gow, Purchase, New York-based cyber product leader for Sompo International Holdings Ltd.
John Farley, New York-based managing director of the cyber liability practice for Arthur J. Gallagher & Co., said, “Probably the larger, more sophisticated companies are going to be focused on supply chain risks, but as we go down the lines of the smaller and medium-sized businesses, they are less focused on cyber risk management.”
More insurers are starting to offer contingent business interruption coverage as an integral part of their coverage, say experts.
Bob Wice, Farmington, Connecticut-based head of the U.S. cyber underwriting team for Beazley PLC, said the market typically covers “that initial step down with the dependent business.” “If they subcontract out to additional subcontractors, then that’s where it stops,” he said. Extension to any additional covered entities would likely involve additional underwriting and premium, he added.
Robert Parisi, New York-based managing director and cyber product leader for Marsh LLC, said the cyber market is “stepping up to fill” the void created by property insurers because that market “is no longer being picked up in the same robust way it might have been” by them in prior years.
Cyber insurers are trying “to expand their policies to say they’re one of the more comprehensive carriers out there in terms of coverage,” said Mr. Farley.
“It’s a competitive market, and they want to stand out. That’s one way to do it,” he said.
“The coverage has been evolving, and it’s certainly been much more readily available in the last couple of years,” said Elissa Doroff, New York-based underwriting and product manager for cyber and technology for Axa XL, a unit of Axa SA.
An industry can be catastrophically hit if there is disruption to its supply chain, she said. Ransomware attacks “are really taking these companies down, and for a significant amount of time, and that’s where the business interruption coverage from cyber coverage would respond after a certain waiting period of eight to 12 hours,” Ms. Doroff said.
Meanwhile, the Norsk Hydro attack “will certainly add more scrutiny to the underwriting questions that are being asked to provide the coverage,” Ms. Doroff said.
Mr. Gow said contingent business interruption coverage “typically isn’t priced out or offered independent of other coverages. It’s just kind of rolled into the price of the (cyber) policy.”
He added, however, with respect to larger companies, “usually if a company has a very complex supply chain or is a heavily logistical firm, often the primary carriers will limit coverage, typically to 50% of the policy limit.”
There is growing concern about aggregation risk, particularly from critical vendors, but also from related lines such as property that may be impacted by a major event as well, even if the coverage is “silent,” and not affirmatively written (see related story).
Aggregation is “the scariest word in cyber insurance,” said Jim Leonard, Nashville, Tennessee-based director of cyber insurance solutions at Kroll LLC.
Tim Francis, Hartford, Connecticut-based enterprise cyber lead for Travelers Cos. Inc., said, “We spend an awful lot of time” thinking about aggregation risk, including how it is being modeled, whether the right tools are being brought to bear on the issue, and whether the tools have the right level of maturity.
There is still some degree of the unknown, although “the industry is getting better at understanding, if some events happen, what is the ultimate aggregation potential,” he said.
“It’s not just an aggregate exposure to one particular risk or one particular insured,” said Max Perkins, Atlanta-based senior vice president for global cyber and technology, global professional and financial risks with Lockton Cos. LLC. “It is the systemic exposure across their book.”
“We just need to be careful we’re approaching the risk with adequate levels of underwriting and data collection, and that we’re comfortable with the portfolio” as to how systemic events might impact it, said James Burns, London-based cyber product leader for CFC Underwriting Ltd.
Aggregation is “something that carriers are very aware of and in most cases very concerned about,” said Mr. Gow.
“Part of the underwriting process is stepping in and identifying probable maximum losses for portfolios, and at this point in the cyber realm” many of those scenarios are focused on contingent business interruption, he said.
Aggregation is an issue of great concern, said Shiraz Saeed, Starr Insurance Cos.’ New York-based cyber risk national practice leader, who said Starr works with outside experts “to help us try to understand and gain control” of aggregation risk.
Insurers look for aggregation exposure with any type of coverage that relies on a critical vendor, said Ms. Doroff. “To the extent many manufacturers are in the same industry relying on the same vendor, we’re going to try and track that,” she said.
“Oftentimes, the scope of coverages is from the insured to third parties with whom the insured has a written contract,” said Eric Cernak, Windsor, Connecticut-based president of cyber at Hanover Insurance Group Inc.
“When you get into multiple layers of contracts, that’s where the aggregation becomes a spider web and becomes much more challenging to underwrite … and even understand.