Cyber attacks are increasing in number and sophistication. ‘Transfer’ is one of the four ‘Ts’ of risk management, alongside terminate, tolerate and treat. We examine the growing market for cyber insurance, and the extent to which companies can effectively transfer their cyber risks.
It seems like a scene straight out of a Hollywood blockbuster: criminals plan a heist and make off with $81 million – writes Joyrene Thomas, PCM.
A French TV network and the Ukrainian power grid are taken down. A German steel mill and Iranian nuclear power plant both suffer massive damage. Half a billion passwords are hacked. Yet these are not plot lines from a Hollywood heist or disaster movie. They are real-life cyber attacks on banks, critical infrastructure and corporates since 2010. Welcome to the world of escalating cyber threats.
CYBER RISKS RISING
Cybercrime is costing the global economy approximately $445 billion a year, according to McAfee. The world’s largest ten economies account for half this total. Unsurprisingly, cybercrime is one of Interpol’s top priorities, alongside terrorism, human trafficking, crimes against children, drugs and firearms. Often organised as international crime rings, cybercriminals are highly skilled, well resourced and motivated to monetise their crimes on an industrial scale. From denial of service attacks to ransomware, CEO fraud to banking Trojans, the new generation of cyber threats has expanded beyond data breaches and privacy issues.
The Institute of Risk Management defines ‘cyber risk’ as any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its IT systems. Modern-day commerce is increasingly connected, and the attack surface broad. Businesses need to be concerned about direct attacks, but also those arising from their extended enterprise and their reliance on connected technology, especially the internet and fast-evolving Internet of Things.
As cyber risks have grown, so too has the cyber insurance market. This is now estimated to be worth around $2 billion in premiums worldwide. The US accounts for around 90 percent of this, due to the data breach notification requirements in place across the majority of states. Hong Kong, Singapore and Australia are among the countries looking at, or already enforcing, new data breach laws. In Europe, the General Data Protection Regulation (GDPR) comes into force in 2018. It includes stronger provisions on breach notification and enforcement fines of up to four percent of global turnover for data breaches, which is further driving interest in cyber insurance.
“The cyber market is growing by double-digit figures year-on-year, and could reach $20 billion or more in the next ten years,” says Nigel Pearson, global head of fidelity at specialist insurer Allianz Global Corporate & Specialty. Fewer than ten percent of businesses are thought to purchase cyber insurance today, although as Pearson notes: “Growth in the US is already underway as data protection regulations help focus minds, while legislative developments and increasing levels of liability will see growth accelerate in the rest of the world.”
COVERAGE AND CAVEATS
Businesses may find that they have a patchwork of cover for cyber risks across their existing insurance policies. These include traditional commercial property, business interruption, general and professional liability and accident policies. It does pay to read the small print, though. As the old insurance adage goes, where there is coverage, there is a caveat. To manage exposure, insurers are increasingly introducing exclusions to carve away coverage for risks they are unwilling to insure. Naturally exclusions also prevent them paying out under several different policies for one cyber incident.
“Traditional property and casualty insurers are now looking to examine the cover extended to cyber risks. Exclusions in traditional policies are likely to become more commonplace. Standalone cyber insurance will increasingly be seen as the main source of comprehensive cyber liability cover,” says Pearson.
Generally, standalone cyber policies cover certain direct losses and/or liabilities to third parties arising from unauthorised access to, or use of, a business’s data. They typically also cover destruction or loss of data. The financial cost of reputational damage arising from a cyber incident is not often covered. However, policies do frequently include incident response and crisis management support, which helps insurers and insureds contain and manage their losses. Another gap that currently exists between traditional and standalone cyber insurance is physical damage. A fire or explosion resulting from a compromised industrial control system is not typically covered under standalone cyber insurance, nor is it explicitly covered under property insurance.
NO SILVER BULLETS
It seems a statement of the obvious, but purchasing cyber insurance is not a silver bullet. A business cannot simply transfer the risk to its reputation, operations and profits to its insurer. Insurance is only part of any solution. A comprehensive risk management approach is central to reducing cyber risk and building resilience. Businesses with mature risk management capabilities will find it easier not only to reduce their levels of risk but also to obtain cyber insurance, and at lower premiums.
Those in the payments industry who manage card data security risks in accordance with the PCI DSS have a good foundation. Much data security practice translates well into managing cyber risk: for example, building and maintaining firewalls, intrusion detection and anti-virus programmes; patching applications and networks regularly; encrypting data and remote devices (e.g. laptops and smartphones); devising and regularly testing business continuity, disaster recovery and incident response plans; and employing skilled data security staff and data protection officers. This culture and practice can be applied companywide to good effect.
THE FUTURE OF CYBER INSURANCE
Cyber risks have emerged and evolved rapidly. The same is true of cyber insurance. This evolution will continue and naturally brings with it challenges for both insurers and the insured. A number of policy concepts and wordings have yet to be legally tested. “As time passes we may well see more litigation in this area. There will be uncertainty about how courts will interpret some of the concepts. This is not unusual with new products and will result in a body of knowledge for underwriters,” says Pearson.
There are currently a number of gaps in cyber products and the level of protection they offer. Much of the innovation and development is taking place at the corporate end of the market. There may be a shortage of suitable products for small to medium businesses, meaning they are under-insured. As to protection gaps, physical damage and total business failure as a result of a cyber incident are not generally covered under standalone policies. “There is the potential for a catastrophic cyber attack. Interest in protecting critical infrastructure is likely to see governments becoming increasingly involved in cyber security, with much greater levels of scrutiny and liability,”
When it comes to cover, businesses are advised to take out insurance proportionate to the risks they face. This is different to the size of the business, number of employees or data records held.
The insurance industry is also facing a data and skills shortage. There is a lack of actuarial data related to cyber risks, and there are insufficient technical security experts within the underwriting community. The shortage of technical resource is mirrored within the business community. Consequently, businesses may simply not understand their own cyber risk exposure well enough to seek the appropriate cover. Or they may take a flawed ‘one and done’ approach to insurance, thinking that the purchase of a policy is a panacea for all their cyber ills.
The risk landscape is constantly changing due to the changing nature of cyber threats, regulation and legislation. Taking out insurance proportionate to the risks faced is part of a balanced risk management approach. However, businesses are advised to continually assess their risks, addressing them in accordance with their risk appetite and exposure, and build risk resilience. Prevention is easier, cheaper and less painful than cure.
The post The growing cyber insurance market and how to mitigate cyber risk appeared first on Payments Cards & Mobile.