Effective Cyber Risk - an Insurance Market Perspective

Computer Security and Cyber Risk are amongst the hottest topics in business today, with new reports of data loss and business disruption appearing every day.


What are the Challenges and Opportunities for the Insurance Sector?


Managing digital, or Cyber, Risk as dependence on technology and the internet accelerates is changing the way businesses and markets need to think. This means understanding not only the threats and vulnerabilities, but also the way we use the tools we have to manage and mitigate the risks themselves.


“Many organisations are waking up to the scale of the problem they are facing, but have yet to really develop coherent management plans that effectively address their exposure” says Russell Price, Chairman of the Continuity Forum. “Firms can’t just think in terms of this challenge being an IT problem, it’s a business wide issue that needs to be properly assessed and built into the attitude and culture of the organisation.”  


Building effective Computer Security capabilities is part of the answer. Good prevention measures will go a long way to help reduce the risk, but they can never be perfect, and IT failure itself can never be eliminated completely from the equation.


Matt Hogg, Chairman of the Cyber Risk & Insurance Forum and VP of the Insurance Underwriters Liberty Mutual’s Strategic Assets Division, adds “Companies need to develop their own view on what the cyber risks are in its jurisdiction and how they affect its business. It’s too easy to be distracted by media coverage of the high profile events that attract attention and cause large losses and think nothing can really be done, that’s wrong.”


It is clear that all companies should be learning from these events and thinking about what the consequences would be if something similar were to happen to them. Hogg adds “Companies need to look at the options they have to manage the effects of cyber breach and IT failure, especially when it comes to insurance. Having access to the right support, expertise and resources to recover is critical.”


Price said “No matter how effective Computer Security measures are there will always be some residual risk left, you just can’t protect yourself against the scale of the threat completely. With the dependence we have on the technology, increasing legislation and regulation and the costs of recovery more and more companies are going to have to look at insurance as a vital business protection measure.” He added “Risk, Business Continuity and IT Security Management processes can only do so much. They can help you understand the risks and be very effective in mitigating them, but then it’ll come down to having the financial resources in place to cope. Money is the single biggest differentiator in the ability of a firm to recover.”


These comments reflect the growing realisation that, while London is an innovative market and a thought leader in Cyber Insurance, a lot of the cyber products came out of tech E&O markets, whose underwriting skills, reinsurance support and commercial expectations derive from liabilities. Liability, however, is only one element of cyber risk.


Hogg explains “We need to be very focused on responding to the needs of our insureds and providing cover for all areas of cyber exposure and this raises questions important to all the parties involved. I’m concerned that the market is moving at a speed it should really be uncomfortable with. The external threat horizon, including the pace of technology development and emerging regulation is developing quickly. The cyber market is playing catch-up with regards to reliable data on the impact and losses and it changes as new threats emerge. Our approach and products need to evolve as quickly as the risks and this is a challenge given the sheer pace of change across the sector.”


“The experience of the breaches in the US retail industry in 2013 had a real impact on how the cyber insurance market operates and represents the closest thing we’ve had to a hardening cyber market. Markets have dropped out of writing primary retail industry business, or are reassessing pricing. The spate of retail data breaches has also increased insurance uptake and moved much more business across to the UK from the US.” He added “In terms of the bigger picture, the last 12 months has seen government, regulatory and standards bodies combine in both the US and UK to develop the first steps towards a coordinated risk management approach to cyber risk.”


These are all just examples of the pace of change in the market, and business is still unsure how the landscape will develop over the coming years.

NIST Framework

Approaches like the NIST framework in the US and the ‘cyber hygiene’ framework drafts in the UK will ultimately drive the cyber insurance market through a greater appreciation of cyber exposures in larger corporations. 


Over time this effect directly changes the general business culture, and the way SMEs approach cyber risk too, as responsibility for cyber risk is driven down the supply chain.


This view is supported by the announcement in June of the UK government’s Cyber Essentials plan being adopted as a tender criterion for some contracts and the adoption of the scheme by a number of high-profile businesses including Barclays and BAe.

Cyber Essentials

Price commented “Cyber Essentials establishes a minimum expectation of the capabilities that should be in place in all organisations. It is just a matter of time now before firms realise that if they don’t act on cyber risk they’ll be hurting their own competitiveness and risk losing more and more business.”


Undoubtedly the advent of more standards will be a boost to insurers and help develop new products and markets, especially for those who have done little to address the problem to date. Insurance can be seen as a quick fix, and demand for Cyber Insurance is expected to continue to rise as pressure mounts on businesses to manage their exposure and external liabilities.


Hogg, though, raises the issue of the insurance market’s institutional memory, or rather the lack of it, saying:


“The insurance market sometimes has a short-term memory.  If the cyber market enjoys a few years of rapid expansion, with minimal losses, outside capacity providers behave as if it will always perform that way. We have to be careful though, the real underlying issues and exposures are only just starting to be really examined and there is still a lot that needs to be better understood. It’ll be a while before Cyber can be described as a mature market with the kind of maturity and information that is really needed.  We also shouldn’t disregard the bigger picture for other insurance lines.”


In Hogg’s opinion it will be increasingly important to look at collaboration between the different insurance ‘silos’, or classes of business, as the cyber market moves forward. He said “This is definitely an industry concern, not just a cyber industry concern. The whole industry will have to work together better to create products in a sustainable fashion that really develop a more integrated view of the digital or cyber risks in context of the whole business and how best to approach them in an intelligent and comprehensive way.”


Article based on interviews with the Cyber Risk and Insurance Forum and Advisen