sigma 1/2017

Cyber: Getting to grips with a complex risk

Cyber risk is a growing concern for businesses. Insurance can play a role to boost resilience, but firms will need to work with their insurers to create a market that is sustainable.

Recent attacks demonstrate that the costs of a cyber breach can accumulate well beyond managing the fallout of lost or corrupted data. Risks also include potential damage to a firm's reputation and physical property, which could lead to physical danger, as well as disruption to business operations. Even so, businesses – large and small – are generally ill-prepared to cope with cyber threats, the latest sigma report says. Regulation could be a catalyst for change: legislation is coming on-stream in many jurisdictions that will compel firms to introduce enhanced safeguards for their customers' private information or face sanctions should they fall short of required standards. But these regulations won't address the full scale of risk, and firms cannot afford to wait for changes in laws. They need to invest more in their own cyber security architecture today.

Insurance should also be a central component of firm's risk management procedures and capabilities. A dedicated cyber insurance market has been developing over recent years, and an increasing number of insurers are looking to write more business in this specialty line. Standalone cyber insurance typically provides core protection against data and network security breaches and associated losses. However, the scope of available covers in the market is still limited, as are the capacity limits, which range from around USD 5 million to USD 100 million.

A key challenge for insurers and companies is the complexity of cyber risks and quantifying their associated losses. Insurers and risk analytics vendors are experimenting with different approaches to cyber risk modelling, but there is still work to do. In the meantime, product and process innovations like greater use of smart analytics can improve threat detection and risk assessment. This will help foster improved cyber insurance solutions and extend available cover to a wider set of policyholders.

As part of that, insurers are looking to develop less complex and more flexible insurance products. These include covers that can be tailored to small and medium-sized businesses, which have historically been underserved by insurance and are often less able to cope with cyber risks than larger firms. Firms are also becoming more comfortable sharing information, which will be crucial if insurers are to do a better job at assessing and underwriting cyber risk. To create a viable private cyber insurance market, both firms and their insurers will need to cooperate in creating sustainable products.

Ultimately, however, some cyber risks may be uninsurable. The magnitude of losses resulting from a cyber incident, particularly peak-loss events like widespread disruption to critical infrastructure or networks could lead to significant accumulated losses. These would likely exhaust the risk-absorbing capacity of the private insurance sector. For such risks, there may be a case for a government-sponsored back-stop, something akin to state support for protection against catastrophic terrorism risks. More broadly, governments play an important role in promoting cyber resilience, including setting laws and regulations about how cyberspace is used and protected.


​sigma 1/2017

Cyber: getting to grips with a complex risk