Interview with Mark Camillo: CyberAcuView, a new industry initiative to combat Cyber Accumulation and data sparsity

Cyber Accumulation is still a major concern for the cyber inusrance industry. While we have not yet seen the in the academic literature described “Cyber-Hurricane”, it still lingers in the back of the mind of carriers and regulators alike. We interviewed Mark Camillo, CEO of the neweley created Intiative CyberAcuView. Could you tell us about the objectives of CyberAcuView?

Mark Camillo: The industry has been discussing the need for a platform like CyberAcuView for several years now.  The recent cyber insurance report by the Government Accountability Office (GAO) and the recommendations from the Ransomware Task Force both highlight the need for the industry to work together to advance common policy definitions, collect and aggregate cyber data, and accelerate loss-control best practices – all to improve overall risk mitigation and ensure a competitive marketplace.  With the formation of CyberAcuView, we now have the industry support to help move these initiatives forward to greatly benefit policyholders. You got major industry players, like AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual Insurance and Travelers, to commit to the initiative. Could you tell us about the history and members of CyberAcuView?

Mark Camillo: A number of leading cyber insurers decided to form the consortium in the fall of 2020 to focus on several objectives including (a) developing voluntary cyber insurance data standards to assure consistency; (b) providing insight into the overall state of the cyber insurance threat landscape; (c) acting as a focal point for improving the industry’s understanding of systemic cyber risk threats; and (d) developing practical solutions so that the industry can help their policyholders prepare for cyber events.

In addition to the founding members, we have associate members that are part of CyberAcuView, so combined, there are approximately 20 cyber insurers that currently participate. So it is not a closed initiative, but you are open for new members, basically every carrier that directly writes cyber?

Mark Camillo: Yes. Covid-19 has been an external shock for the cyber insurance market, especially driven by a spike in ransomware payments. However, it is not one of the often-discussed cyber catastrophe scenarios, that are mainly driven by a high correlation in damages, like a multi-day outage of a major cloud provider, or a zero-day exploit in an operation system that can be effectively used by criminals or other malicious actors. Would you say that Covid-19 was a cyber catastrophe?

Mark Camillo: Both the frequency and severity of cyber-attacks are growing at an alarming rate. AIG reports a 150% rise in ransomware claims since 2018 while Beazley reports a 131% increase. Not only are the number of attacks and the amount of ransom payments increasing, but the average down-time is now close to three weeks causing significant restoration and business interruption losses.

Although attackers shifted their tactics a bit in response to the pandemic (e.g. using targeted phishing emails with content related to Covid-19), the rapid increase in cyber claim activity was occurring prior to March 2020 so it’s difficult based on the information we have to draw a direct correlation to the increase being Covid-19 related. Insurance Linked Securities (ILS) have been discussed for over a decade for cyber risks, and there have been a few instruments that have already been brought to market. Do you think in general that the capital market via ILS has a place in cyber and how do you think the timeline looks for the next 5 years? Will there be a substantial amount of risk, say a billion USD, that is transferred via cyber bonds or the like in 2026?

Mark Camillo: It’s hard to predict how the ILS market will evolve but one of the issues that we need to address to continue to attract capacity into the overall market is a better understanding on the systemic risk threat.  Industry participants hold different views on the possible causes and size of potential systemic cyber events, and how the industry should address them. By stimulating discussion and interaction on these topics among multiple stakeholders, CyberAcuView will help the industry to develop the most accurate and valuable understanding and approach. This may include identifying areas where the industry can work together to develop an insurance solution or specifically for the ILS market, a path forward to bring more investors/capacity into the market. The actuarial sciences are inherently frequentist in nature and usually gain confidence in their predictions by building a history on top of increasing amounts of data. For cyber this data usually doesn’t exist or is diminished in its predictive value. CyberAcuView properly more than any other company is exposed to this problem, or viewed from another angle, has the opportunity to tackle this important problem. What is your current plan to fill this void?

Mark Camillo: We have to start by collecting some data, even if it’s limited information initially, to begin to have a better picture on the overall market.  This is a long-term effort so my expectation is that as we start aggregating, anonymizing, and distributing basic information, we will get feedback on what additional data would be most useful to our members and then we will expand the types of data we collect in a phased approach.  Ultimately, by analyzing cyber trends to get better visibility on attacks and the causes of loss, insurers can identify critical controls and educate policyholders on loss mitigation and prevention. Cyber security and incident responses are in cyber insurance for risk carriers a unique opportunity among risks classes to positively influence loss ratios through and efficient management of incidents. What aspects of the interface between cyber insurance and cyber security/incident response do you plan to enrich?

Mark Camillo: Some level of incident response capabilities are now the baseline in cyber insurance policies as almost all insurers offer some type of event management services when notified of an incident.  Recently, there’s been a shift to more insurers offering loss control services to help their policyholders avoid a loss in the first place.  This could include providing vulnerability scanning, threat intelligence or employee training to improve a policyholder’s cyber hygiene.

Also, with increasing claims attributed to ransomware, leading insurers are actively underwriting to effective risk management practices such as strong authentication (use of multi-factor authentication), proactive patching of vulnerabilities, and suitable endpoint protection and monitoring.  All of these developments demonstrate that insurers have a lot of value to offer in addition to the policy itself, and the work that we are doing at CyberAcuView will hopefully enhance the risk mitigation services that are available. How do you plan to engage public institutions and law enforcement in your scope?

Mark Camillo: Monica Lindeen is our Head of Regulatory Affairs and Jim Schweitzer is our Head of Law Enforcement Engagement.  They both have tremendous experience in their respective areas and are proactively working with our members to act as a central point of contact with government and law enforcement.  There’s a lot of momentum coming out of the recent White House Cyber Summit that gathered leaders from various industries in the technology, banking and insurance sector to make some actionable progress on the overall cyber security challenges we face. Through its work on industry data collection and data information standards, CyberAcuView will be uniquely positioned to provide feedback and guidance in tackling issues posed by increasing cyber threats and risks to the digital economy.

Daniel Kasper

Daniel Kasper is the principal of Cyber Economics.