Scott Kannry is the Chief Executive Officer of Axio Global. Scott’s entire career has been in the commercial insurance industry with a focus on cyber and previously spent 10 years in the Financial Services Group at Aon. He works with clients in all industries but specializes in those with evolving cyber risks, such as energy, utility, transportation and manufacturing. Scott has been allotted by Risk and Insurance Magazine with the distinction as a “Power Broker,” was named to Business Insurance Magazine’s inaugural “Top 40 under 40” brokerage honor roll and was dubbed the 2014 Rising Star by Reactions Magazine. Scott received a BS and BA from Case Western Reserve University, a JD from the Northwestern School of Law and MBA from the Kellogg School of Management.
Christopher P. Skroupa: Recently, one of the keynotes at the 2015 RSA conference focused on how the cyber security industry is failing. Do you agree? If so,why?
Kannry: Failing isn’t the right description, although one could easily come to that conclusion given the trend line on events over the past 12 months. I would characterize the industry as one that needs a better approach. To date, most of the focus has been on solutions –firewalls, encryption, anti-virus, you name it. The problem is that a cyber security program consists of dozens, if not hundreds of technologies, policies and procedures, none of which is a silver bullet and any of which can be immediately outdated based on the ever evolving risk climate. Imagine if your job was solely focused on putting together a puzzle, but some pieces were missing, others didn’t fit together, and every 30 minutes the board changed. Technically, you would fail, but you never really stood a chance!
Skroupa: You have been a proponent of the insurance industry as having a very meaningful role in solving the challenges posed by the cyber climate. Can you explain that?
Kannry: The insurance industry can provide a very unique vantage point –it evaluates risk management technologies, policies and procedures at the macro level during the underwriting process for coverage, and since it pays claims and losses resulting from the failure of those things, it can perform correlation analysis on what is working and what isn’t. This insight can be just as valuable as the insurance coverage that results from the process, and it’s something that the industry has been doing well for a long time in other areas of risk. For example, property insurers like Lexington (AIG), FM Global, and Zurich are arguably phenomenal property risk engineers that just happen to provide insurance, and the insight that they provide on an annual (or more frequent) basis helps firms understand how to continually evolve their defenses.
Skroupa: What does the insurance industry currently do in support of that goal, and what does it need to start doing better or do more of?
Kannry: The insurers that have been in the cyber insurance business the longest and that have paid the most claims come the closest to providing this benefit. Many cyber insurance policyholders would agree that there are meaningful benefits to going through the process of purchasing coverage, even if it simply helps them understand the minimum qualifying criteria as a baseline for a cyber security program. But the insurance industry has barely scratched the surface –this benefit is truer for smaller and middle market firms due to the general sophistication of large firms, the insurance industry has largely focused on information technology and privacy breach risk to date, and underwriting processes are generally lightweight. Additionally, insurers are often only given the bare minimum amount of information in order to pay claims from cyber events, which does not allow them to perform meaningful correlation analysis. Thus there is nowhere close to the type and quantity of data that would allow the insurance industry, for example, to help firms understand the cost/benefit of deploying a new cyber security capability. It all comes down to better and more data.
Skroupa: Will end users (or potential policyholders) play ball? It seems as if you are asking for companies to really change their behavior with respect to transacting insurance?
Kannry: Yes, and that’s actually true for both parties –insurers and policyholders. From the policyholder’s perspective, the CISO (or comparable) needs to get fully invested in the process because they own their firm’s insight and data. Right now they are bit players at best. In our experience, CISOs who understand the benefits that the insurance industry can provide and who yearn for insight comparable to what insurers in the property world provide are willing to share far more information than what is currently asked for. But, it needs to be done in a protected manner because despite that willingness, no CISO wants to create a vulnerability for him or herself by giving out the combination to the back door. The insurers, on the other hand, need to demand more –from both an underwriting and claims perspective.
Skroupa: Where do you see the cyber security and insurance industries in five years?
Kannry: I hope we’ll see far better synergy, and ideally, the cyber equivalent of Lexington (AIG), FM Global, and Zurich – firms you’d consider phenomenal cyber risk engineers that just happen to provide insurance. Firms, who can help their policyholders understand how their cyber programs rank and what they need to do in order to continually evolve –basically providing accurate insight on how to come closer to solving that puzzle with the shifting board and missing pieces.
On October 22, 2015, Skytop Strategies will present, “Cyber Security: Emerging Best Practices in Breach Response and Mitigation Strategies” hosted by Edelman at the Chicago office. Continue the discussion with Scott Kannry and chief information security officers, IT security engineers and information assurance analysts at this full-day conference, designed to explore operational strategies that minimize disruptions from a cyber breach. To inquire about attending, contact Jon Scorcia at email@example.com.