Announcer: This podcast is intended solely for educational purposes and presents information of a general nature. It is not intended to guide or determine any specific individual situation and persons should consult qualified professionals before taking specific action. The views expressed in this podcast are those of the speakers and not those of Milliman.
Rebecca Driskill: Hello and welcome to Critical Point, a podcast brought to you by Milliman. My name is Rebecca Driskill and I'll be your host today. Our episode this morning focuses on cyber risk. This is the second time we’ve tackled the topic. Previously, we looked at the potential for a massive cyberattack to cause of the next Big Short, harkening back to the 2008 financial crisis. Today, we're going to focus on cyber risk in emerging markets. And what managing that risk looks like in countries such as South Africa. Also, this is a Milliman first. We're recording this episode across nearly 8,000 miles on the phone. I'm joined today by David Kirk managing director in our Cape Town South Africa office. Hi, David.
David Kirk: Good morning, Rebecca.
Rebecca Driskill: And here in New York I'm joined by Chris Harner. He’s managing director of Milliman Cyber Risk Solutions Group. Morning, Chris.
Chris Harner: Good morning.
Rebecca Driskill: First, let's just start with some background. David, you and Chris recently participated in a panel in Joburg on cyber risk. And I'm curious what issues are top of mind in the cyberspace in South Africa and other emerging markets?
David Kirk: There are a fair number of similarities between what we do here in South Africa and what I've understood from Chris are key issues in the US. I’d probably group insurers and other companies in South Africa into three groups. Those that are really all in a state of denial. They don't want to know about the issues, and they aren’t doing anything about it. They think maybe it’s not going to affect them. Then there are others for whom they know it's a concern, but they really are unsure where to start. And mostly they just end up wanting insurance to deal with these issues. And the third group are taken quite seriously. They've probably implemented various frameworks but they're still uneasy about the level of maturity and they really are struggling to communicate it to the board. So that's the framework of the spectrum that we see. In terms of the key risk that they’re worried about really what comes up over and over again is reputation. The financial side is there but I think it is secondary to reputation. And probably the biggest source of risk they see is outsourcing and vendor risk. In fact, this came up just yesterday with an entity reporting another breach, so that vendor risk and the complexity that they create is pretty key.
Chris Harner: I would just add that South Africa, I would say in its cyber risk journey, is still perhaps a bit focused on the concerns about cybercrime and I think that makes a lot of sense. When we think of business email compromise, maybe we think of funds being illicitly wired out, et cetera. Probably where it will eventually evolve say like in the US and the UK is to think more holistically about a cyber risk strategy, a very comprehensive, a holistic view. And as David mentioned to think more of how does vendor play into that? How does moving to the cloud play into that? And a lot of more of these complex issues. Rebecca Driskill: So where are some of the weak points? I mean are those the weak points when it comes to cyber risk cover and underwriting in emerging markets or are there others?
Chris Harner: I think—there is perhaps a bit of a weak point, I would say, of a view of—we heard a little bit of, “Well, I have coverage, or don't I just need to buy cyber coverage and I'll be all right.” And, of course, you would want that but that's only going to provide funds to sort of pick up the pieces and clean things up after the fact. Again, once you have reputational damage, once data is exfiltrated and so on there are other second and third order effects. You certainly want that in your toolbox, but I think, again, the market probably needs to think harder about what is the strategy and how can these things play out? And what are more comprehensive ways to prevent cyber events? So for example, what was very interesting is I a saw that the NIST framework which comes out of the US was—seemed to be the adopted standard. Now, there's no regulatory requirement behind that but it seems that the market had figured out there was no need to reinvent the wheel. And I think that's absolutely correct. But I think South Africa just like as it evolves, the market, the banks, the insurers, et cetera, they're going to have to think beyond that and they’re going to have to become more sophisticated as more events and more losses are incurred.
Rebecca Driskill: David, can you talk about some of the challenges that emerging markets might face when it comes to cyber or like that South Africa might face, for instance, compared to well established markets like the US?
David Kirk: So one of the starting points there is about the appreciation for the extent of the risk in South Africa. Many emerging markets, physical security, be it of assets or people really is probably more top of mind, than it is in developed markets. So we're looking at cyber risk and trying to evaluate how important cyber risk is. There's this balance of how important really should it be? But, also, emerging markets tend to have, generally speaking, older technology, maybe less Internet connected services, less Internet connected devices. So in some ways that potentially decreases the attack vector, so that could be a good thing. But we've heard from many entities that the shortage of skills really is critical. That the major IT companies will either buy up those skills in the country. Or, you know, companies in developed markets will actually pick up the staff and remove them from the South African market. So I can imagine that the skills shortage is true everywhere, but we definitely feel that here. And then in South Africa, in particular, we have a very fragile electricity generation infrastructure. There are probably some of the fragile infrastructure areas in other emerging markets. So it doesn't take that much in terms of a disruption to really have a knock-on effect in terms of some really major cyber dimension on that front.
Chris Harner: I would absolutely agree. I think that's a very interesting point David raises. Typically, when we talk about cyber risk we’re talking—or people think this is about nefarious actors or state actors. But South Africa does have sort of this unique problem of—that the electrical grid often—doesn't have the capacity to meet the needs of the nation. And that could play itself out into some type of cyber event, but again, not because of nefarious actions but simply as the system goes down think of payments, think of communications, think of processing different things whether it's trades and what have you. It's actually a unique problem that probably the banks and insurers do need to think about.
David Kirk: I mean, the advantage that we have is that we can look and learn from what's happened in developed markets, so we don’t have to make all the same mistakes over and again. A key example there is cloud migration or migration to the cloud. We had several insurers in South Africa looking at that as an option, were part way through that and really started to worry about what those risk might be. The flip side is we’re a relatively small economy and some of the cyberattacks that we've had, possibly most of them, are from global players. We are exposed to global attacks even though we are a relatively small market with a relatively small set of skills.
Rebecca Driskill: I think that's an interesting point that South Africa has sort of the opportunity to also as it’s developing to create some new efficiencies. And then I'm curious, what has been your observation of the growth and the pricing in the market? And then, Chris, I'm curious how that compares to what we’re seeing in the oversees market.
David Kirk: In terms of the cyber risk cover that's available, mostly that is provided either directly or indirectly by global players. And in fact has been— we had an interesting conversation with local players with some of them really not wanting to touch this risk. I think they recognize the large risk size that’s going to come through and the aggregation of risk. The underwriting process are still relatively crude. Having said that, we've also had clients who said that they, looked at the set of questions to be able to go through this underwriting process. And they didn't understand the questions, let alone have the information able to put the answers down. And these are the same entities that need some work. I don't know how much cover do they actually need? They really are struggling with a way to assess what their overall need for insurance might be.
Chris Harner: Yes, I think it'll be a process. So if we look at the US, for example, there is roughly 170 carriers underwriting cyber. But when you look at premiums written five carriers dominate with over 50 percent of premiums. So there's a bit of large players. Whereas, others feel they need to get exposure to get into the market. I think there's some dangers with that. And it's interesting to see that there's this caution which is perhaps wise in SA, or South Africa, perhaps to learn a bit more from experiences of other nations. I think initially in the US and probably where SA is the focus is what we would call moat-and-castle. You know, what are your defenses? What systems do you have? What policies and so forth? And it's going to have to evolve as it is in developing markets to more of a holistic risk view of what is the actual risk. And I think the insurers in the developing market or in the developed markets do struggle with this, of thinking about the accumulation risk of their book. As well as how are other policies affected? For example, typically in the US if you get breached you're going to get sued, so you're going to tap that DNO policy as well. Right? So there's some complexities that have to be resolved with coverages, triggers and so on.
David Kirk: Yeah. In fact, where local insurers are picking this cover-up is, as Chris mentioned, with part of business continuity policies. But there's also pressure from the broker because he wants to be able to offer the coverage to the clients. So, again, insurers are picking this up somewhat reluctantly. But if the individual clients themselves aren't able to adequately assess the risk and they're much closer to the information, it's arguably even harder for an outside insurer to assess that risk. So either it's unsustainable and we're just waiting for that large claim that sort of resets everybody’s appreciation for what the risks are. Or you're going to be paying a lot for the cover because it's very difficult to assess the risk. So insurance is an option that's usually part of an overall program but there is a lot of work that needs to be done before you sign that policy.
Chris Harner: Yeah, that's that. That's right. I think when we look at the US, in particular the experience in property and casualty, Hurricane Andrew in 1992, really helped those carriers focus more on how to assess that risk, when we think of flood, what we call fluvial inundation and so on, how to assess damage. That type of modeling, that type of risk assessment really only came of age after a major event.
David Kirk: Chris mentioned earlier how, I think, in his experience people focused very much on the cybercrime aspect in South Africa and that's right. But they’re also very focused sitting on an individual level focused on the financial loss, the transactional loss, the hacking of the bank accounts. Typical, person on the street in South Africa really isn't bothered by health data which is often the most targeted data in other markets. So, you know, we wait for that very first major breach on health data that people really started to care about. And both the insurers of the normal risks are going to be concerned about it. The cyber insurers are going to be worried about it. And it's something that will change the perception quite a lot.
Rebecca Driskill: We were talking about the other exposures coming along with cyber, how are war versus terrorism versus crime treated in the insurances policies in South Africa? And why is that relevant for cyber?
David Kirk: Yeah. We have an interesting situation in South Africa where the South African Special Risks Insurance Agency or Sasria picks up the civil unrest and riots and terrorism risks out of normal policies. So those aren't covered by the underlying insurers. They pass this on to Sasria which is formed by several of the insurers. And that really comes from our history in the seventies and eighties with a lot of civil unrest. Those policies still don't cover war. To the extent to which this is viewed as a crime and a criminal attack or even terrorism, at least in theory, those are covered. But the moment it becomes an active act of war or I would argue more like in South Africa collateral damage from somebody else's war, then those policies aren't going to be providing cover.
Rebecca Driskill: That's really interesting.
Chris Harner: Yes. I think that theme that David raises is a bit of dilemma both for the insurance sector as well as let's just say the banking sector. And that is this, again, goes back to your cyber strategy cyber resilience of really understanding what are the risks? What are your defenses? What are your forward-looking capabilities to understand that? And is there actually broad awareness of what David just said? That you may not have the coverage that you think you have, the government may not step in or may not have the means to step in or to bridge certain gaps. And it's very interesting that South Africa has that. If you read the literature in the US, there is some positions advocating or discussion about will the government eventually have to step in, again, when we think of massive catastrophes in which we have FEMA, for example. When we think of a massive systemic attack as a cyberattack will that require government intervention? We don't know yet, but it's possible.
David Kirk: And those government bailouts, government stepping are controversial anywhere in the world. In South Africa we've had our own challenges recently of state-owned enterprises running into trouble and arguably needing bailouts and funding. Those are always difficult decisions. When a state-owned energy fails the question is who's going to benefit and who's going to bear the cost. And the same question would need to be asked of a cyberattack. And with the incredible wealth inequality we have in South Africa, if the primary victims of this attack are the more wealthy I can see it being a very difficult popular political position to take to then be bailing out those individuals. If, you know, that means that companies have to fail—now there's still going to be the systemic knock on impact to the overall economy that is always going to be part of a political conversation.
Rebecca Driskill: That’s a very interesting point and I'm sure one that is true across markets, not just in South Africa but basically for many emerging markets where there’s a disparate spread in terms of socioeconomics. Chris, you had mentioned earlier that beyond just purchasing cyber coverage really the next step is to look at an overall cyber risk strategy. And I'm curious if there are differences between what that strategy would be in a country like South Africa or another emerging market versus a more established country like the US or the UK in terms of their cyber strategy?
Chris Harner: That's an excellent question. And I think first off people need to ask themselves or leadership in whether it's a bank, a state-owned enterprise, who owns this risk? And I would argue you own this risk. That you have to have the strategy in terms of what are your priorities? What's the spend? Really understanding mapping out what are my key risks again as David mentioned earlier. Is it vendor? Is it—do I have old technologies? What is the speed? What is my sense of urgency to modernize and to get those defenses? And then I think at a national level which would be for the government, and in particular any type of military or intelligence agency, is what's the forward-looking capability or the collaboration with other countries to get out in front of this? Meaning aside from the electrical grid going down just because of it doesn't have capacity if we're talking about state actors really the government that's their role is to have some type of capability and then disseminating information whether it's through briefings, through some type of system to allow critical infrastructure, whether that's the financial system or the electrical grid, et cetera, to give people some type of warning in order to prepare for that.
David Kirk: I can also imagine some of those differences South Africa and many emerging markets aren't perhaps as stereotypically litigious as the US. And the data protection regulations aren't as developed as they are in Europe and the US. We've had our Protection of Personal Information (POPI) Bill floating around almost enacted for a long period of time. So those would be some reason to be less concerned. Then there's a question of scale. I can imagine you'd find any individual insurer in South Africa or Nigeria or Kenya and find an equivalent sized, equivalent sophisticated insurer in the US. But there are far fewer large insurers in the US and even more so in Nigeria. You’ve got some of the same challenges, some of the same problems, some of the same attack vectors, but you don't have that same scale to be apply the resources to it. So I think there's— we definitely on average I would say that we are behind in the maturity stage. And it's more expensive per unit or premium per policy to implement some of these strategies. So looking for the most efficient way to understand that risk, and the most efficient of solutions is key.
Rebecca Driskill: And for organizations that are interested in starting to think about their cyber risk and implement either a strategy or coverage are there any common mistakes that you both have seen that organizations who don't realize or understand as they’re purchasing coverage or that have led to a claim? And how can those be avoided?
Chris Harner: So let me start with that. I think one of the themes that we've seen is a cyber policy is purchased but it's not clear if senior management really understand what the triggers are and what is actually covered. And so that can be a bit of a shock that once there's an event, there's an incident response, typically you should have a breach coach. That can be an attorney. That can be some kind of specialist. And then as they’re working with the insurance company there's a realization that perhaps this specific event, or the way it was triggered was not covered. As well as, we've asked this question and we get funny looks across the table of have you laid out all of your policies, cyber, D&O, E&O, CBI, and so on crime, fraud, et cetera? And have you actually gone through them and mapped them and say, you know, would this type of event be covered? Would this type of trigger allow us to make a claim? And so that exercise sounds simple, but it's actually very important to really understand what is covered and then to think through what are your vulnerabilities and how would that trigger occur? And last but not least, you know in the US, at least, in other countries where you have breach laws, where you’re obliged by law to inform the government or in the US typically the Attorney General of your state that you may be obliged to do that as quickly as 48 or 72 hours. That's not as easy as people think. We have heard people struggled to actually properly inform their authority. So, again having those tabletop exercises are important as well.
David Kirk: I guess along with that, this is changing bit. Along with that you’ll see that cyber risk overall is often delegated to the IT manager as responsibility. And there's no question that IT is a significant part of this. But this isn't just an IT issue and it can't just be the responsibility of an IT manager to worry about that. You may also think, well, this is just another type of operational risk. But those connections that Chris was talking about into the other areas and into what the financial impact could be and how this could—think of other risks that's another area that we’re seeing that it's maybe been a struggle for some entities to recognize that this—they need to own it. I think part of that struggle is that the overall risk manager may not be that familiar with the jargon or the concepts and the risk ideas. So it's much easier just to make it somebody else's problem until it comes back to bite you.
Chris Harner: Yes. I would just add to that. And I think this is a theme both in South Africa as well as the US. Right now, we have this information asymmetry, that when we think of cyber, it's really the IT guys, the information security people who really understand that risk from a very technical perspective. But the problem is they may not be able to translate that and communicate that into the risk language. And, likewise, the risk people, you know, sitting in the second line of defense just for various reasons never really studied or had the opportunity to really obtain deep knowledge in this risk. So there's going to be a certain amount of time before cyber risk really becomes part of the canon of risk management. And I think that's right that the risk managers are really going to have to upskill themselves. And then there's going to be an expectation and we see that in developing markets that senior management and the board are up skilled and really take ownership of this risk. And back to David's point about the US being a litigious society, shareholder pressure and lawsuits and regulators are going to push that as well.
David Kirk: Yeah. From a board perspective I’d argue the best boards in South Africa at the moment, the primary comment is, “We recognize it's a risk. We want to learn more about it, but we still aren't getting the measures, the metrics, the information to really understand it.”
Rebecca Driskill: Moving forward, what are you know one or two or three concrete steps that organizations in South Africa and other markets what can they do to begin the process of better protecting themselves against cyber risk?
Chris Harner: Yes. Great question. I think instead of giving a laundry list, having spoken to 10 major players in the market, and I think the message to other market participants would be is to elevate cyber as a risk to the other risks that you're already managing and that you're comfortable with. Meaning there needs to be ownership of this risk. There needs to be proper reporting. And what that really means in my mind is you need to get the discipline around what is your risk appetite? How are you going to quantify this risk? What are the metrics? What do you put—what are the key messages you want to report to senior management and the board? Just as you would for credit risk and the other classic risks. I think elevating cyber and putting that lens on this risk will help move things forward.
Rebecca Driskill: Great. Well, thank you David and Chris. It was wonderful to have you join us across 8000 miles for the first time. You’ve been listening to Critical Point, presented by Milliman. To listen to other episodes of our podcast visit us at Milliman.com. Or you can find us on iTunes, Google Play, Spotify, Stitcher or wherever else you find your podcasts. Thanks and see you next time.