Recent high-profile cyberattacks have brought cyber coverage firmly into the spotlight and insurers are at the sharp end, faced with closing a significant insurance gap. Cyber Risk Insurer sat down with three Aspen senior cyber specialists to discuss recent attacks in the U.K., the firm’s approach to mitigating cyber risk and the future of the cyber product line.
High-profile attacks increasing and more sophisticated
Cyber coverage has consistently been one of the most talked about aspects in the insurance sector as the business community comes to the realisation that appropriate coverage is a critical part of economic success. While the focus on cyber has increased, attacks have simultaneously grown more sophisticated and impactful.
For instance, earlier in May the attack on M&S eventually cost the business around £300 million, but only approximately one-third of this was covered by an insurance claim, according to reports.
By the end of August, Jaguar Land Rover (JLR) had also been hit by a significant ransomware attack, causing a pause in production, which would eventually last until 1 October. According to the Cyber Monitoring Centre, this attack will cost an estimated £1.9 billion, the most economically damaging cyber event in U.K. history. Strikingly, JLR failed to secure cyber insurance coverage ahead of the incident, three senior cyber insurance market sources previously told The Insurer.
Possible ramifications from these attacks include reputational damage and D&O impacts as well as potential legal action. In addition, Ed Hart, head of international cyber at Aspen, cited potential implications of the U.K. government’s support package for JLR which included a £1.5 billion loan guarantee to support the company’s supply chain.
“What are the implications to businesses around that?” Hart said.
“They [JLR] received a backstop, primarily to support the broader supply chain and third-party vendors, which is outside the usual scope of the government’s role in economic activity. This is not something other businesses should rely on.”
Hart added that if governments cannot provide such a backstop again, there may be more regulatory scrutiny “to make sure companies buy suitable cyber insurance” to remain resilient in the face of such attacks.
Mitigating risk before it becomes an incident
Bobby Bianconi, global head of cyber at Aspen, and his team use a two-pronged approach to tackle these attacks by offering cyber insurance that transfers risks along with a suite of risk management services to support customers before, during and after an incident.
“Putting a placement of services in front of somebody doesn’t help them become more informed or engrained within the [cyber risk] ecosystem – and that is where the issue lies,” Bianconi said.
He added that Aspen has focused on “providing a comprehensive suite of consulting services” which can involve bringing in third-party experts to prepare and educate insureds.
These services include, for example, advising clients on adapting to legal or regulatory issues “coming down the pipeline” as well as on their incident response and business continuity plans. The rationale is that current levels of underinsurance mostly stem from a lack of standardized policies and an education gap, which can leave insureds confused over their policy wording and exposures to risk.
“We arm them with the information that they need to go back to their leadership and say, this is a problem, this is why it’s a problem and this is how I need to fix it,” Bianconi said.
In February 2024, the company launched Aspen Cyber Risk Services (ACRS), a complimentary and high-impact suite of services that enables its primary cyber insureds to proactively tackle cybersecurity threats, from pre-incident to response and resilience.
ACRS offerings for users include code red alerts, which provide direct email notifications to policyholders if or when Aspen detects that their organisation is being targeted by a credible cyber threat. The (re)insurer actively monitors its [cyber insurance] portfolio for indications of cyber-attacks, tracking potential criminal activity across multiple platforms including the dark web.
Additional services include technical and legal tabletop exercises and a cybersecurity improvement plan.
Mike Rastigue, head of cyber risk management at Aspen and chiefly responsible for ACRS, commented that a unique differentiator is the ransomware resilience assessment. This solution tests network defences by simulating a real-world ransomware attack, using the current tactics, techniques and procedures of major ransomware groups. This is followed by a workshop presenting the attacker’s perspective of what assets and data could have been compromised in the attack.
The ACRS data-driven offering allows insureds to make effective contingency plans and detect attackers before incidents escalate.
Future of cyber insurance products
Considering the volume of high-profile breach and cyberattack activity, the future development of the cyber insurance market depends on a skilled group of underwriters with the required depth of expertise to develop forward-looking risk models and innovative solutions that meet and anticipate client needs.
Within this context, Rastigue contrasted how Aspen approaches cyber with how it approaches other potentially catastrophic risks in other product lines. For instance, in property, there is “a data set” underwriters use on hurricanes that includes such information as postal codes in areas “that are expected to be hit and how bad it’s going to be.”
“The way you can calculate these expected losses is by overlaying your insurance portfolio with that data set, and you know which properties you’re insuring, where they are and what they’re worth. That’s the way that we build catastrophic loss models to help us inform everything from exposure management to pricing.”
However, he noted such a strategy can’t be employed when addressing cyber “as there are literally infinite permutations of things you could model inside a risk.”
“So, in cyber, we’ve never experienced an industry catastrophic loss event. Instead, cyber models work off hypothetical event sets where we try to identify risks that could cause a catastrophic loss. Usually, these are based on historical cyber events, but at much greater scale or magnitude,” Rastigue said.
What’s next
As cyber insurance coverage continues to be driven by the increasing frequency and sophistication of cyberattacks and breach activity, Hart emphasised that data-driven risk management, innovation and disciplined underwriting will play a crucial role in solving for insurance gaps. He added the industry needs to advance a more proactive and collaborative approach between insurers and insureds, as well as cultivate the talents of skilled underwriters, who can quickly adapt to changing cyber policies and increasingly complex social engineering and ransomware campaigns.