New dog, old tricks – how the cyber insurance market can learn from the property market

Authored by Ben Hobby and Bernard Regan

The great American writer, Mark Twain, is the source of a great many quotes, some amusing, some thought-provoking, some both – and some possibly apocryphal, too. A particular favorite, though, is the one about his father:

“When I was a boy of fourteen, my father was so ignorant I could hardly stand to have the old man around. But when I got to be twenty-one, I was astonished at how much he had learned in seven years.”

Smart kids realize that their elders may actually have some wisdom to impart – not unlike Mr. Miyagi in The Karate Kid. And just perhaps, those who do may learn a little faster. A comparable relationship can be seen between the property and cyber insurance markets: the property market being the mature parent and the cyber market being the young upstart.

The recent hardening in rates by cyber insurers indicates that work is still ongoing to ensure that the premium charged is commensurate with the underlying risk. But it is in the area of claims – principally the costs incurred by a company in restoring its network and data after a cyberattack – where cyber may have something to learn from property.

Following a warehouse fire, before anything can be rebuilt, the damaged site needs to be demolished and cleared. The loss adjuster involved in the claim will receive a copy of the tender documents and the final quote for this work as part of their review.

Thereafter, the warehouse needs to be rebuilt. The loss adjuster will have details of the original warehouse, its design and specification. They will then receive details of the replacement warehouse, this being needed to understand if the new facility is a similar replacement. If not, then the adjuster will need to determine if the changes are the result of alterations in building regulations, which may be insured, or betterment, which will not.

The adjuster will also receive a copy of the request for quotation (RFQ) pack issued to prospective contractors, as well as the tender documents when they are received. A copy of the final contract and agreed price will also be provided to the adjuster.

Consequently, when invoices are paid by the insured and then submitted to the adjuster as part of the claim process, the adjuster already knows which costs are covered under the policy, which are not, and which will require further discussion with insurers. This is because they have previously received all the necessary documents with which to reach these conclusions as part of their review of the incident and the claim.

In a ransomware incident, while there has been no physical damage in the same way that there is after a warehouse fire, the network environment still needs to be rebuilt, given that its security has been compromised by the hackers. Servers and personal computers will need to be forensically cleaned and made ready for use again. Data will need to be restored from backup to the network.

While these activities following a cyber event are dealing with intangible assets, there is a strong parallel with the tangible assets from the warehouse fire – something has been damaged and it needs to be reinstated. If that is the case, why is the approach taken by insureds to submitting these reinstatement costs under a cyber claim so different?

When reviewing any third-party consultant costs associated with a cyber claim, it is critical to understand the reason why each vendor was brought in and what work they assisted the insured with. In considering this, a “story-based” methodology can be used:

  • The beginning: related to any forensics/investigation/internal reports and other background information that sets out the detail of the incident itself
  • The main part of the story: consisting of statements of work, descriptions of tasks and task orders that detail the work undertaken by each consultant to assist the insured in their recovery effort
  • The end of the story: the actual invoices paid by the insured that ultimately form part of the claim

This methodology is no different to that used by the property loss adjuster. It is therefore surprising that insureds and their advisors, particularly those who have had experience of a property claim, consider that the invoices alone are adequate to support a cyber claim when the context of the work performed is often missing from these documents.

Now, we are certainly not advocating that the cyber market go all zen-like, reciting “wax on, wax off,” as taught by Mr. Miyagi. But given that the purpose of these exercises was to teach karate to Daniel, the titular Karate Kid, by using everyday tasks to build muscle memory, it seems that the older sensei does indeed have something to offer.

If that is so, when it comes to dealing with network and data restoration costs, maybe the new dog that is cyber can learn and develop from the old tricks already mastered by the property market …

 For more information on this topic, or to learn how Baker Tilly’s Value Architects™ can help, contact our team.
