Earlier this year, at the Berkshire Hathaway annual shareholders' meeting, Warren Buffett said he believes cyber issues are “the number one problem with mankind” – ranking them above even biological and nuclear weaponry.

This problem is hardly getting smaller. Quite the opposite, in fact: cyber attacks grow in sophistication and morph seemingly every week.

For its part, the insurance industry understands the risk, even if many others are burying their heads in the sand. 

In PwC’s 2017 CEO Survey, cyber security ranked as the joint-second-highest threat that insurance-industry CEOs say could impact their growth. A huge 81% of them told us they’re concerned by cyber threats, while only 61% of CEOs in general think the same.

So, given Warren Buffett’s warning (among countless others), what are some of the cyber security trends that insurance companies should be aware of? PwC recently released its Global State of Information Security Survey (GSISS) for 2018, which looks at how cyber threats have developed in New Zealand, and what our businesses – and insurance experts – should look out for on the road ahead.

Cyber insurance gathers a head of steam

Cyber insurance is becoming a more important safety net for businesses in this current climate – one that’s typified by not ‘if’ you’ll get hit by a cyber attack, but ‘when’ it will happen. 

As a relatively new product, cyber insurance has certainly come of age, and has been snapped up by many businesses both in New Zealand and around the world. Over half the organisations responding to our GSISS survey (58 per cent) now have a cyber security insurance policy – a growing figure that’s still slightly behind those in Australia.

It’s very likely that cyber insurance policies will continue on a similar trajectory for the time being, too. Research from our colleagues at PwC US shows that annual gross written cyber-insurance premiums are set to increase from around US$2.5 billion today to US$7.5 billion by 2020. Considering our uptake in New Zealand, we could expect to see growth in this region, too.

We’re also seeing insurers take the front foot and expect clients to proactively manage their cyber risk. It might not be long before New Zealand’s cyber insurers are demanding companies have their cyber-security processes independently verified to confirm they’re maintaining an environment of best practice.

Mobile breaches rising globally

American entrepreneur, venture capitalist and four-time New York Times bestselling author Gary Vaynerchuk says the mobile phone is today’s television, and television is now the radio. The smartphone has completely changed how people consume media, communicate with people and businesses, and perform certain tasks during their day-to-day lives.

It was five years ago, in 2012, when connected mobile phones in New Zealand reached a point where they outnumbered New Zealanders themselves. Today, there are some 6.3 million smartphones, tablets and other connected mobile devices in NZ.

So it’s not surprising that cyber attacks via mobile connections are quickly growing, too – at least globally.

In fact, around the world, mobile devices are the scenes for the highest number of cyber attacks. In New Zealand, it’s the sixth most common platform for a security incident (traditional software is currently the highest in NZ, and ninth internationally). Expect New Zealand’s mobile vulnerabilities to become more exploited in line with global averages sooner rather than later.

New Zealand business perhaps too trusting

PwC’s GSISS 2018 report found that current service providers, suppliers and business partners have collectively caused around half of all cyber incidents in New Zealand over the past 12 months. On top of that, former employees ranked highly as an entry point for hackers. 

All of these causes are significantly above global averages, while current employees as an originator of a cyber breach are similarly as highly ranked in NZ as they are overseas. One of the things all these sources of a cyber breach have in common is they all come from relationships and partnerships that a business should trust.

It’s clear we need to maintain New Zealand’s high-trust business environment for all its benefits, although there’s also a pressing business need to put the controls in place to limit liabilities from the people and organisations we work with.

The best-locked digital door is pointless when everyone’s holding the keys. Instead, businesses and insurers need to start looking at how their company’s identity and access management stack up. Insurers, similarly, will want to take this into account with their clients.

Without an improvement in proven cyber security controls, insurers will have no option but to start seeing a company’s cyber security standards as being only as strong as those of their partners, suppliers and service providers.

There’s a golden opportunity in InsurTech

At the risk of sounding contradictory, New Zealand’s insurance companies need to team up more. Many insurance incumbents are already doing just that – particularly with insurtech start-ups – to unlock growth opportunities in innovation.

Annual investments in InsurTech start-ups have increased fivefold over the past three years. Around the world, cumulative funding for InsurTechs has reached US$3.4 billion since 2010, based on the companies followed by PwC’s DeNovo platform.

There are plenty of reasons for this spike in interest from funding sources. InsurTech start-ups – as with FinTechs in general – have been able to go to market quickly, with technology on their side, to experiment with what consumers want. Their fearlessness has found the odd failure, but it’s also uncovered new ways of serving policyholders that risk-averse companies might never have realised, showing the way for other insurance start-ups and established firms alike.

Some popular ways insurance companies today are partnering with and leveraging the capabilities of InsurTechs are to develop new products or services, aid market exploration and discovery, and to test and deploy new insurance solutions.

So, while cyber security principles suggest companies lock down their business borders, the insurance industry will need to continue to expand their number of partnerships and joint ventures. Of course, that will require the right security control environment, one that allows out-of-firm access to important information to those who need it, and keeps out those who don’t.

Breaking the chains of habit

Cyber security is a relentlessly changing beast, but keeping up with the trends and changes gives businesses – both inside and outside of the insurance sector – a chance to stay ahead of it.

With shifting (or shifted) consumer tastes towards mobile devices, the broad acceptance of new products like cyber insurance, upgrades to business control environments, and the symbiosis between incumbents and InsurTechs, many of the old ways of working may soon be left behind. But that lets me finish with another Warren Buffett quote:

“Chains of habit are too light to be felt until they are too heavy to be broken.”

December 2017