Source: Mark Chaplin, Principal, ISF
08 Feb 2019
Cyber insurance remains a popular topic of conversation among security professionals. This is no surprise considering the frequency of news items on data breaches, the scale of these breaches and their soaring financial costs.
As security professionals increasingly look to insurance as a means to manage (transfer) cyber risk, business leaders are asking whether existing insurance cover is adequate or whether additional cyber-specific cover is required. The answer is unclear.
A great deal of uncertainty remains among organisations regarding the extent to which their existing business insurance covers their cyber exposure. Many policies make no reference to cyber at all (known as silent or ‘non-affirmative’ cyber), while others carry cyber-related inclusions and exclusions. The current legal dispute between Mondelēz International and Zurich Insurance is a case in point: the claim, which concerns the effects of NotPetya, is being made under an existing property insurance policy. The outcome of this case, in which the insurer is being sued for not honouring the claim, could have far-reaching effects on the future of cyber insurance.
Despite being in its infancy, the cyber insurance industry is growing rapidly and will eventually resolve the problem of silent cyber exposure. PwC estimates that annual gross written premiums are set to reach $7.5 billion by 2020, while Allianz projects a cyber insurance market of $20 billion by 2025. Combine this with industry analysts observing low ‘loss ratios’ for cyber insurance, and what emerges is a seemingly healthy and highly profitable business for many insurance companies.
However, an issue larger than silent cyber exposure is looming and of increasing concern to industry regulators, insurance and re-insurance companies – systemic cyber risk.
Systemic cyber risk relates to the catastrophic impact resulting from a major cyber-attack that affects an entire industry sector, financial market or critical national infrastructure. Many cyber security specialists believe that, in such a scenario, multiple simultaneous claims could cripple the insurance industry. Risk Management Solutions and the Centre for Risk Studies at the University of Cambridge estimate that the NotPetya malware led to losses of between $2.5 billion and $3 billion. It is this type of event that is forcing the insurance industry to examine and model a range of similar scenarios. After all, insurance is where the buck stops.
Cyber risk is difficult to forecast, even for an industry with hundreds of years’ experience in actuarial science and modelling risks, such as weather, shipping and life. And while organisations in the insurance industry are developing tools to model future cyber threat scenarios, important questions remain.
What are the main factors influencing cyber risk? What are the most effective measures to protect against a data breach or ransomware attack? Will a claim for cyber loss affect future cover? How should insurance companies deal with cyber threat scenarios such as a cloud service outage or a global software failure?
Cyber insurance remains uncharted territory for many organisations and challenges need to be resolved. Insurance regulators, insurance companies and organisations looking for cyber cover can all contribute to mitigating systemic cyber risk.
What insurance regulators can do
- Involve insurance companies and commercial organisations in understanding the main factors that influence cyber risk, including the complex relationships between organisations (e.g. the supply chain), dependencies on technology and the role of people.
- Promote proven, quantitative approaches (e.g. applying actuarial science) for managing cyber risk, to insurance companies, other industry sector regulators and commercial organisations.
What insurance companies can do
- Examine existing non-cyber insurance portfolios for silent cyber exposure and take steps to ensure clients are aware of the cover provided.
- Work with industry regulators and partners to determine the impact of increasing cyber risk and develop appropriate cyber risk insurance products to meet the needs of clients.
- Investigate the unique nature of cyber risk and how it differs from other types of insured risk, such as property, business interruption and liability.
What organisations can do
- Examine the organisation’s cyber incident management capability as a matter of priority and make necessary improvements immediately, such as defining roles and responsibilities, establishing a clear communication strategy and agreeing expectations with external parties.
- Quantify cyber risk to support meaningful engagement with insurance companies, making use of threat intelligence, security event management information, cyber incident data and industry baseline figures.
- Work closely with cyber insurance providers to understand effective cyber protection strategies, agree policy inclusions and exclusions, and determine the actions in the event of a cyber incident.
Cyber insurance increasingly plays a key role in how organisations manage information and cyber risk. Organisations can access ISF resources that support effective management of both, such as the following:
- Delivering an Effective Cyber Security Exercise
- Quantitative Techniques in Information Risk Analysis
- The Standard of Good Practice for Information Security