Ethan Pitts, senior underwriter for PI and Cyber in the EMEA region for AIG, shares thoughts on recent developments in the environment of Cyber risk and Cyber insurance.
COVER: Cyber risks and Cyber insurance is something that, over the past 18 months, has probably been one of the biggest things on people’s minds, especially with offices and businesses moving home. Can you give us your thoughts on the latest developments in the environment of Cyber risk?
Ethan Pitts: I think it is going to be no surprise to brokers and businesses alike that their cyber risk exposure within South Africa has increased dramatically, as you say, over the past 18 months. And that has come from a few different areas.
I think the first is that South Africa has always been a hotspot for cybercrime. We have always been a targeted nation and so, what we are seeing now, should not surprise us. But really, I think two factors have pushed us over the edge in terms of the number of attacks that we are seeing. The first is ransomware. That is something which is probably top of mind for every executive these days. Cyber is always within the top 10 of the risk registers of companies. And really, ransomware has exploded globally. It is not just a South African problem but, unfortunately, it is affecting our clients significantly. Historically, we have had a relatively low cyber security posture and of course, the hackers are more than happy to take advantage of that.
The second thing which has changed for us recently is with POPIA coming into full force as of July 2021. What happened previously was that if a company was breached, unless it was something that was highly publicised, they were able to keep it quiet, sweep it under the carpet and not address it from a liability or a public reputation perspective. That has now obviously changed. There are mandatory disclosure requirements, whether it is to the information regulator or to the affected data subjects, the victims of a breach.
That has really increased the exposure which companies are facing now, in that they must be very open and transparent about these kinds of attacks that they suffer. That is going to open the doors from a liability perspective going forward which, historically, South African companies have not had to deal with in the same way that their counterparts in the EU, US, Australia and other countries with existing data regulations have. It is a new exposure for most companies.
COVER: As an industry, we do have some sort of responsibility, because we understand the risk, and we know how devastating it can be. How do we make sure clients take it seriously, and those brokers get to them with the right information to insure that risk?
Ethan Pitts: That is a great question, and I think I will talk to the first part, initially, in terms of whether South African companies take the risk seriously enough.
I would say, if you were to ask that question, looking back over the past five to 10 years, the answer would be no. Because we did not have that data regulation forcing public disclosure, cyber often fell at the bottom end of a risk register for companies and was very often neglected. There were just more important priorities to assign a budget to. So, it is not necessarily coming from a position of naivety or ignorance. I think a lot of the IT specialists, the CIOs and other relevant people have been clamoring for increased investment with respect to technology, internal skillsets within their team, employee security awareness training and just the basics.
But the budget has not necessarily always been allocated and, over the last five to 10 years, that decision was probably justified. Companies were not seeing the exposure to warrant the very expensive investments which cybersecurity requires. That, unfortunately, has changed very rapidly over the last two years and probably driven, as you mentioned earlier, to a large extent by the move to work from home. That exposure has changed rapidly. A lot of companies are on the back foot, trying to bridge a gap in an unfeasibly short amount of time. That is why I would say that, on average, South African companies do not have the same level of cyber security and mitigating controls that some of their international colleagues have. And, of course, that then draws attackers to them, because they know that it might be a slightly easier target to breach.
That being said, the amount of work that South African companies have put in since 2020 has been phenomenal and they have certainly increased their ability to mitigate the risk and to defend themselves against these attacks far faster than I personally thought they would be able to. So, it is not all doom and gloom. The reality is that we still have a long way to go. There are many industries, particularly the likes of manufacturing, which have not necessarily thought of cybersecurity first and foremost, and now they are really getting hit hard and targeted. So, there is a lot that companies have to do.
When we are talking about the role that the insurance industry can play in that, we are probably the best positioned in order to really drive a change in the dialogue and a change in the security posture within the country. That is off the back of the huge increase in the number of cyber claims globally, locally too, which has driven the pricing of cyber insurance, the amount of capacity available. So not all clients are able to get cover, or the same amount of cover they would have two or three years ago. And really, insurers are moving to a stage of risk selection, rather than risk pricing. That means we have very in-depth conversations about what the basic controls are, which companies should have, in order to get insurance. Then over and above, what are the extra controls, which will give them better terms and conditions?
That conversation is helping to give the IT specialists ammunition for when they go to their boards and request funding for all the investments which they have been asking for. They now suddenly have an actual case for the return on investment, because you can see it in the nature of cyber insurance, which companies can get. So, we are actively discussing with our clients about what kind of controls and technologies they should be putting in place and investing in and helping drive that conversation.
The second thing, which the insurance industry is almost uniquely positioned to do, is to threat-share between different industries. There are certain industry bodies set up for the financial sector, for example, and they do a phenomenal job of sharing new attack types and threats that they are seeing, but within that closed industry. Everyone else is missing out on that valuable insight. Whereas insurers, because we are positioned such that we look at everything, from a small mom-and-pop kind of business all the way up to a multinational organisation and banks, and everything in between, can see the trends which are happening locally.
We can advise clients in different industries about the types of attacks we are seeing, and how they can prevent them or mitigate them. I think that is something which AIG does very well, because we do not just tap into what we are seeing locally, we obviously tap into the experience of our colleagues internationally, when they see certain hacking groups on the rise and the changes in the modus operandi. Internationally, we can take that feedback and bring it home and really drive that conversation so that we are potentially able to get ahead of the curve before that type of attack is used in South Africa.
I would say that it is really those two areas in which insurers and brokers both are uniquely positioned to assist clients. One, driving the conversation about what you need to do in order to protect yourself and two, being able to back it up with actual evidence and threat-sharing from the hard lessons learned from other companies or victims which were not as fortunate. Those are really the two advantages we bring to the conversation.
COVER: Lastly, brokers must walk this tightrope now, because they must go and speak to their clients about these risks because the client relies on them for advice. But the risks and the measures to mitigate these risks have become so complicated. Where do the brokers sit in this process and what advice would you give them in terms of preparing to approach a client about these risks?
Ethan Pitts: I think brokers are probably the most important link in this chain between insured and insurer; they always have been, no matter what arm of insurance you are talking about. But for cyber specifically, they have found a very key role in terms of getting the right people talking to each other.
So, I would put down probably three specific pieces of advice which I would give a broker, and the first is, know your market. So, in the current market, cyber insurance is not something that is readily available, or easily accessible. It is not a case of a half-filled-out application form that will get you five quotes and then just a discussion on which is cheapest; that was the conversation years ago. Nowadays, it is really trying to find which markets are going to support your risk. So, some insurers will prefer to be on primary, others will focus on specific industries. It is really a case of knowing who you should go to for this kind of cover, especially when you are talking about the need to now build towers of insurance because one market won’t give the full limit a client is looking for.
On that second point, it is only one-half of the solution to know your market. But really, it is knowing your client; each client will have its own unique risk exposures. When talking to them, you really must dive down into what their unique pain points are. So, for example, for a manufacturing entity, their biggest issue is loss of revenue if they were to go down, it is their business interruption losses from a cyber event; they are not going to have the same amount of data to worry about, a fine under POPIA or a class action against them, that a bank or a hospital would, for example. So, it is understanding the specific pain points, and then being able to talk very effectively to those points when you discuss with the client what mitigation they need to put in place. Then to spin that around and talk to the underwriters and say, well, here are the main exposures for the client and look at what they have done to mitigate x, y and z; that is going to get you the best result time in and time out.
The last point is potentially a combination of the above two, and it is having the ability to get the right people in the room to talk to each other. Cyber insurance has now evolved past the other types of insurance where it is sufficient for the CFO or the CEO of a company to be able to fill out the forms and give disclosure on their risk exposure and get quotes. We are now talking at a technical level, which you need your CIO to be involved with; you need your managed service provider who is providing the IT infrastructure to help fill out these forms, to help answer underwriters’ questions. So, what I often see is that if we get forms which are not completed by the right technical experts, they answer conservatively; they do not want to prejudice themselves and say that they have got something in place which they do not. But when we as underwriters are looking at that, we obviously get the wrong end of the stick, and we quote very conservatively, or maybe decline to quote, only then to sit in front of the clients, with their CIOs and their technical experts, and realise that, no, they are doing everything which we want them to do, they have got a much better posture than initially presented. I think that is really an important part to get right, in that it should start with the CIO or whoever the responsible parties are, who can talk to the technical side of things, filling out the application forms so that insurers get the right picture. Then secondly, what we have found very effective at AIG is we sit down, and we have client meetings very often. So, what we will normally do is we will provide a quote with some subjectivities. And rather than trying to hash this out over email, we book a time with the client to sit down in front of them; we have the technical knowledge to talk to the risk directly with the CIO.
We can take that kind of burden off the shoulders of a broker; they are an insurance expert, they are not required to be a technical expert, an IT expert. So, we can facilitate that conversation and really get a clear picture of what the actual risk is and put forward to them the very best terms for our clients. So, I would say that that is probably one of the most effective strategies, getting the right people into the room to have a conversation about something which is not easily accessible or commonly known.
COVER: It sounds to me like there is a great opportunity for brokers, especially if they put the effort into what you have said, doing their homework with regards to the client, the market and the risks.