Getting to grips with cyber
Cyber has been on the insurance industry’s radar for years, and the threat’s significance is well understood.
But Swiss Re says insurers, businesses and governments still need to raise their game to get a handle on it.
Part of the problem is the cyber-risk landscape is constantly shifting due to the speed and scope of digital transformation, the growing sophistication of hackers and increasing sources of vulnerability from hyper-connectivity.
And the consequences of an attack can be huge.
Swiss Re says recent high-profile incidents demonstrate that the costs of a cyber breach extend way beyond the fallout of lost or corrupted data.
Businesses must also factor in damage to reputation and physical and intellectual property, plus disruption to operations.
Despite increasing awareness of the dangers, businesses are “generally ill prepared” to cope with cyber risks, and relatively few have integrated cyber security into mainstream risk management.
“Firms – large and small – need to invest more in cyber-security architecture to develop robust pre and post-loss risk management capabilities,” Swiss Re Chief Economist Kurt Karl said.
A dedicated cyber-insurance market is developing, with increasing numbers of insurers writing business.
Cyber cover typically provides core protection against data and network security breaches and associated losses, with capacity limits ranging from $US5 million to $US100 million ($6.56 million to $131.14 million).
“However, some significant cyber-related risks remain largely uninsured and the scale of existing cover is modest relative to companies’ overall potential exposures,” the report says.
It says a “key constraint” is the complex, and hard to quantify, nature of cyber risks, plus the lack of claims history.
But insurers and risk analytics vendors are experimenting with different approaches to cyber-risk modelling in an attempt to estimate potential losses.
“The experience of other perils, such as natural catastrophes, offers hope that models will continually improve as understanding of the fundamental risk drivers develops and more data about cyber losses becomes available.”
Innovation in insurance “will play an important role in upgrading cyber-risk management capability”, and insurers are looking to develop less complex, more flexible products.
“These include covers that can be tailored to small and medium-sized businesses, which have hitherto been underserved by insurance and are often less well placed to cope with cyber risks than larger firms.”
Some (re)insurers are partnering with cyber-security groups and data analytics vendors to fill knowledge gaps and provide additional services to clients.
Swiss Re says another way to increase overall loss-absorbing capacity for cyber risk is by developing investment vehicles that enable capital market investors to take some of the exposures.
“There are currently some initiatives to develop insurance-linked securities (ILS) that cover operational-type risks such as cyber,” the report says.
“The ILS market for cyber risks remains nascent, but could possibly grow.”
Ultimately, Swiss Re believes the potential scale of some cyber losses, such as widespread disruption to critical infrastructure, could be too great for the private market to absorb.
“For such risks, there may be a case for a government-sponsored backstop… something akin to the state support for protection against catastrophic terrorism risks,” the report says.
Governments also have an important role in promoting cyber resilience, including measures to improve information capture and diffusion, and setting laws and regulations about how cyberspace is used and protected.
“By reshaping incentives and increasing awareness of cyber threats, governments can further nudge the private sector into developing improved market-led solutions,” the report says.
Swiss Re’s call to action is all the more relevant to the Australian market following the Privacy Act amendments passed by Federal Parliament last month.
Federal agencies, companies and non-profits with annual turnover of $3 million or more must notify the Office of the Australian Information Commissioner about cyber breaches, and alert affected individuals.
It may seem like we’ve been talking about cyber risks forever, but acting on the issue has never been more crucial.