sigma 1/2017: Cyber: getting to grips with a complex risk
Cyber threats are evolving rapidly due to the growing digital transformation of society, the widespread use of internet-enabled devices and processes, and the changing profile of hackers. Recent high-profile cyber attacks demonstrate that the extent of associated possible losses is also broadening, increasingly comprising both physical and financial damage relating to data privacy breaches and to companies’ tangible and intangible assets, and also business interruption costs. As a result, the issue of cyber protection is rising up the corporate agenda, at both large and small companies.
Cyber risk is a growing concern for businesses. Insurance can play a role in boosting resilience, but firms will need to work with their insurers to create a market that is sustainable.
Recent attacks demonstrate that the costs of a cyber breach can accumulate well beyond managing the fallout of lost or corrupted data. Risks also include potential damage to a firm's reputation and physical property, which could lead to physical danger, as well as disruption to business operations. Even so, businesses, large and small, are generally ill-prepared to cope with cyber threats, the latest sigma report says. Regulation could be a catalyst for change: legislation is coming on-stream in many jurisdictions that will compel firms to introduce enhanced safeguards for their customers’ private information or face sanctions should they fall short of required standards. But these regulations won't address the full scale of risk, and firms cannot afford to wait for changes in laws. They need to invest more in their own cyber security architecture today.
Insurance should also be a central component of a firm's risk management procedures and capabilities. A dedicated cyber insurance market has been developing over recent years, and an increasing number of insurers are looking to write more business in this specialty line. Standalone cyber insurance typically provides core protection against data and network security breaches and associated losses. However, the scope of available covers in the market is still limited, as are the capacity limits, which range from around USD 5 million to USD 100 million.
A key challenge for insurers and companies is the complexity of cyber risks and quantifying their associated losses. Insurers and risk analytics vendors are experimenting with different approaches to cyber risk modelling, but there is still work to do. In the meantime, product and process innovations like greater use of smart analytics can improve threat detection and risk assessment. This will help foster improved cyber insurance solutions and extend available cover to a wider set of policyholders.
As part of that, insurers are looking to develop less complex and more flexible insurance products. These include covers that can be tailored to small and medium-sized businesses, which have historically been underserved by insurance and are often less able to cope with cyber risks than larger firms. Firms are also becoming more comfortable sharing information, which will be crucial if insurers are to do a better job at assessing and underwriting cyber risk. To create a viable private cyber insurance market, both firms and their insurers will need to cooperate in creating sustainable products.
Governments can also play an important role in promoting cyber resilience, including setting laws and regulations about how cyberspace is used and protected. Ultimately, however, some cyber risks may be uninsurable. The magnitude of losses resulting from a cyber incident, particularly peak-loss events like widespread disruption to critical infrastructure or networks, could lead to significant accumulated losses. These would likely exhaust the risk-absorbing capacity of the private insurance sector.