Cyber risk: Why we need a new approach to handling this explosive threat
There is a saying in cybersecurity circles that it's not a matter of if you'll be breached, it’s a question of when. It's been repeated so often that maybe it has lost some of its shock value, but that doesn't make it any less true.
Recent statistics only serve to drive home the point – cyber risks are becoming larger and cyber events more frequent. The attack on the Colonial Pipeline in the US, where gasoline and oil supplies had to be shut off and a ransom of USD 4.4 million was paid, is one of the most recent examples. But it is by no means the only one.
In fact, costs to the global business community from cybercrime are USD 945 billion, a more than 80% increase from 2018, according to security software company McAfee. Another cybersecurity company put the cost at multiple trillions of USD for 2021. Beyond the actual costs of an attack itself, there are other costs businesses need to be wary of. A data breach can lead to loss of customer loyalty, a damaged reputation and severe fines from regulators. However you look at it, cyber risks have become an ever-present part of the global business landscape.
Yet despite these increasing risks, Swiss Re estimates that the current cyber risk insurance market has annual premiums valued at roughly USD 6.9 billion. The market has grown at an annual rate of 20-30% over the past few years, which, if it continues at this pace, translates to USD 20 billion in premiums by the mid-2020s.
Simply put, this is nowhere near enough to provide adequate coverage for this huge risk, as only a tiny amount of cyber risk is actually covered by insurance.
Which begs the question, if there’s not enough insurance cover, who will pay for these cyber events when they happen? Ultimately, the cost will be covered by the company's customers, who will face higher prices, or possibly by the company's owners and shareholders, who will receive lower profits, dividends or share prices. It could be a combination of these factors and might even bankrupt a company that doesn't have the required financial resources.
Given the connected nature of global business and people’s private lives, there is no realistic likelihood of our collective reliance on technology lessening any time soon. Similarly, there are no reasons to suspect that organised cybercrime gangs, disaffected individuals or even state-sponsored hackers are going to simply fade away.
So given the importance of a robust, safe cyber environment to the economic growth and safety of people and organisations in developed and developing countries alike, how can we manage this situation to mitigate the risk and pay a reasonable amount for losses incurred by cybercrime? Three possible routes are through risk mitigation, risk transfer and a pool or government backstop.
Risk mitigation involves ensuring that a company's systems are as secure as possible, while remembering that nothing is 100% attack-proof. This strategy entails constantly updating systems to ward off the latest malware and access threats. Just as importantly, employees must be wise to the ways of cybercriminals so they are able to spot phishing attacks, for example. These are just two approaches in a list of actions companies should take to thwart attacks.
While this approach to risk mitigation is not cheap, the cost pales in comparison to the financial losses and reputational damage that stem from a successful attack. Here the insurance industry has ample evidence from other lines of business to show that investment ahead of time can pay multiples in avoided losses. Many insurers provide some level of support in avoiding cyber incidents through vulnerability assessments, employee education, or other means. An important factor is having plans in place if an attack is successful. The ability to mitigate the impact of an attack is dependent on reacting quickly and decisively when it occurs and contributes to the cyber resilience of the organization. So this is a good time to benefit from the skills, knowledge and resources of partners, such as an insurance provider.
Insurance is the primary method to transfer risk and is highly efficient at doing so. But, as mentioned earlier, the current and projected premium volume from cyber insurance is not nearly enough to cover the ever-growing risk. Therefore, much of the risk is not being transferred to the insurance market, but rather is retained by companies themselves. Using the conservative USD 945 billion cost figure from McAfee, global cyber insurance premiums of USD 6.9 billion and a US stand-alone cyber loss percentage of 73% in 2020 as an indicator (see below), insurance covered at best only a little more than 0.5% of economic costs from cybercrime. By contrast, insurance covered 37% of economic losses from global natural catastrophes during the past 10 years, according to the Swiss Re Institute.
Some in the market may complain that the cost of cyber insurance is too high. But insurance merely puts a price on the cost of a risk. If those costs seem high, it's because the likelihood of an event happening and the costs generated when it happens are also high. Fitch Ratings reported that direct losses from stand-alone cyber policies in the US increased from 34% of premiums in 2018 to 47% in 2019 to 73% in 2020. Assuming a 30% administration cost, this means a loss for 2020 for the collective group of companies that provide this coverage.
Pool or government backstop
We believe there needs to be a thorough exploration of pool or government-backed solutions to provide some level of support for systemic impacts, such as major infrastructure attacks that can cripple an entire region or virulent malware that can take down entire networks. Such an attack could result in a large loss from risk accumulation and propagation that might surpass the risk transfer capability of the private insurance industry.
As has been seen in terrorism risk, pools and government backstops can allow insurance companies to provide a layer of coverage without taking inordinate risks, while helping protect the economy and society from severe economic impacts following a large-scale cyber event.
As cyber risk continues to grow, it will require everyone – corporations, re/insurers and governments – to work together on solutions to mitigate and transfer risks in a reasonable way so that no single sector becomes overburdened.
At Swiss Re, we look forward to contributing our risk knowledge and understanding of the cyber insurance market to this dialogue and the ultimate solutions.