Cyber: the problem, and ways to fix it
By Marcus Stavrakis, winner of the 2023 Young Actuaries Public Policy Essay competition.
Cyber risk refers to any risk of financial loss, disruption to operations and data or reputation relating to breaches in an organisation’s information technology systems.
Cyber risk is not limited by geography and poses a significant accumulation risk. Cyber attacks range in sophistication from lone hackers to State sponsored attacks. Cyber attacks can be perpetrated by anyone with a computer making it difficult to attribute the ‘cause’ of a cyber event.
The risk of cyber is uncertain and unpredictable, as well as a matter of economic and national security.
This essay attempts to answer the following questions:
What is cyber defence?
Who is vulnerable?
How can we protect our data?
How can insurance provide a solution to minimise cyber risk?
What are the existing roadblocks?
Who could be responsible for facilitating the solution?
What is cyber defence?
Cyber defence is akin to a sandcastle on the beach. To have a fortified sandcastle, a large barrier needs to be placed around the circumference of the castle to protect it. Any weakness in this barrier means that the sandcastle is inadequately protected from the inevitable attack from a wave.
In the same way, a company’s infrastructure must be entirely defended, otherwise, hackers will find a weakness in their armour. Often this weakness is in the form of add-ons, extra contractors, and other people outside the business who are in the network but are not subject to the same defence as the entire company. These types of problems occur in many small and medium-sized enterprises (SMEs).
Cyber risk for SMEs
SMEs make up roughly 50%[1] of Australia’s economy and are increasingly reliant on digital infrastructure for their operations. SMEs are easy targets for cyber attacks with 43% of cyber-attacks targeting SMEs[2] and 50% of SMEs deemed to have poor cyber security practices.[3] As a result, there is a major threat to this segment for cyber-attacks to accumulate in rapid succession.
SMEs can be priced out of the cyber security consulting market. Cyber security support is expensive and the risk-to-reward ratio is simply not justifiable for these sized businesses. This inefficiency in the market creates a weakness in Australia’s cyber network. Consequently, the entire economy is vulnerable, and there is currently no obvious solution available.
Insurance as a solution
As discussed in the Institute’s 2022 Green Paper Cyber Risk and the Role of Insurance, insurance can provide a solution to upgrading Australia’s cyber security.
The value in cyber insurance is not just in the monetary compensation but rather in the support, an SME receives in preparation for an attack to reduce its vulnerability and the recovery advice received following a cyber attack.
Insurers ultimately have the incentive to maintain expertise in cyber risk in order to effectively manage their portfolio exposure. For example, Gallagher Re’s research has found that when an insurer scans for exposed Remote Desktop Protocol, it can reduce the insured’s ransomware claims by 65%.[4]
If an SME purchases cyber insurance, their broker will advise their client to adopt good data practices, such as the use of Virtual Private Networks (VPNs), antivirus systems and Domain Name System (DNS) strategies, to reduce the price of insurance.
In this scenario, the SME would be covered by cyber insurance as well as receive de-facto cyber consulting advice. Some brokers in Australia now provide a cyber security self-assessment tool that compares the insured’s answers to the best practice standards.[5]
The roadblocks
Insurance provides a solution – so why hasn’t it solved the issue naturally? The first reason is a mismatch between rate adequacy and premium written. As it stands – there is capital in the market, however, it is capped at the total premium written. As premiums increase, fewer policies can be written. Insurers are selective of insured risks and restrictive on products to ensure profitability.
This creates less diversification and makes it harder to reinsure for cyber risk. Consequently, the re-insurance market for cyber is underdeveloped, creating instability and preventing insurers from offsetting the necessary capital required to write more cyber business. The second reason is the first mover disadvantage which is a common problem in insurance markets.
Who could be responsible for the solution?
The Australian Reinsurance Pool Corporation (ARPC) can help solve these capital problems. In the same way, the ARPC helped manage the terrorism reinsurance market, the ARPC could do the same for the cyber market.
By stabilising the re-insurance market, flow-on effects for the carrier insurance market will emerge. Insurers will be able to provide products that are not restricted to their current capital requirements – creating diversity for insurers but also providing niche advice and services to the insureds. Once the market is mature, it will alleviate accumulation risk on insurers as there will be re-insurers in the market and the ARPC offering a diverse range of products to fund this risk.
For this proposal to be successful (or even to have a remotely useful cyber market), the “Big 4” insurers will have to enter the market – to provide value to consumers and the country.
How could the ARPC pool work?
The paper proposes to set up a standalone cyber reinsurance pool through the ARPC. The pool would focus on insuring commercial SME cyber risk, regardless of its attribution. This pool should be a retrocession pool, operating in a similar fashion as the terrorism pool.
The formation of the pool would target the issue of accumulation risks within cyber and provide support to insurers, such that carriers could offer cyber products to SME consumers. Ideally, this proposal will protect SMEs, Australia’s strategic interests and Australia’s national data. Afterall, if our data isn’t protected, how can it be used for good?
Concluding thoughts
Cyber risk is a growing concern and Australia is behind other OECD nations in cyber hygiene. The nature of insurance is to protect assets and minimise risk within society. Cyber risk is no exception. The creation of a separate cyber risk pool within the ARPC would bring much-needed stability to the reinsurance market.
The creation of the ARPC cyber pool should improve the affordability and accessibility of cyber products for SMEs, addressing the current situation where premiums in the existing market are rising because cyber is an unknown and increasingly volatile risk.
The alternative solution is to let the market develop naturally once there is enough data to quantify and categorise the risk. However, “enough data” in this case, means SMEs and the Australian economy being the victim of cyber-attacks.
The market is volatile for good reason, so the question this paper poses to policymakers is, when cyber-attacks do happen, what preparations would you like our economy to have made?
• This article summarises the key points from the winning entry of the 2023 Young Actuaries Public Policy Essay competition by Marcus Stavrakis.
References
[1] CSIRO, 2022
[2] Kaine Mathrick Tech, 2023
[3] Australian Cyber Security Center, 2021
[4] Gallagher Re, 2022
[5] Actuaries Institute, 2022