Cyber Insurance: Creating a Culture of Risk Management

By Lotte Schou-Zibell, Nigel Phair

As companies increasingly turn to insurance against cyber attacks, insurance firms are figuring out how to quantify such risk.

In today’s interconnected financial system, it is impossible to remain isolated from online communications and commerce or immune from network outages and data breaches. Cyber risks exist everywhere.

While difficult to quantify, the Center for Strategic and International Studies estimates that cybercrime may have cost the world $600 billion in 2017. That is nearly twice the $337 billion lost from natural and man-made disasters reported by Swiss Re Institute.

Earlier this year hackers breached Under Armour's MyFitnessPal app, compromising the usernames, email addresses, and passwords of 150 million users. In 2017, the personal data of 3.7 million Hong Kong, China voters were compromised. US credit bureau Equifax was likewise targeted, revealing 149 million Americans’ credit information. The WannaCry ransomware virus led to 57,000 computer infections in 99 countries, many of them in small and medium-sized organizations. And in 2016, a cyber heist on the Bangladeshi central bank resulted in a loss of $81 million.

Organizations clearly need to embed cyber security risk management at all levels. This can be difficult for the uninitiated or unprepared, yet inaction is no option amid the intense scrutiny of regulators, shareholders, and media in the current marketplace.

Given the risks and vulnerabilities, it is critical organizations match their implementation of technology with their risk profiles. Every organization should have a technology strategy that spells out strategic intent and tactical delivery. Implementation will only be successful if it occurs alongside well-considered risk management that contains protective measures that identify key information assets and transactions. A targeted approach is required.

[tweet="As cyber threats grow, companies increasingly turning to insurance @nphair @UNSWCanberra" text="As cyber threats grow, companies increasingly turning to insurance"]

In this, monitoring and ongoing risk analysis must be the highest priority and be dynamic, constantly scoring the enterprise's information assets amid timely implementation of controls. This could be anything from “application patch management”—which stops security vulnerabilities from executing on a system—to changing user controls due to risks associated with “bring your own device” practices.

As cyber attacks proliferate, companies are increasingly turning to insurance. Cyber insurance can help companies recover from the data loss of a security breach or other cyber events, including network outages and service interruption.

Statista, a market and consumer data provider, estimates that global cyber insurance premiums for companies will reach $7.5 billion by 2020, from $2.75 billion in 2015. Yet, although this figure also represents newly insured companies, the trajectory is unsustainable for bottom lines.

Cyber insurance, an important component of business continuity, nonetheless should be part of a larger comprehensive suite of controls to ensure effective cyber security practices, operational resilience, and peace of mind.

Many insurers struggle to understand cyber security risk and how to structure effective and affordable cyber security policies, and insurance executives are uncertain about the level of risk they are comfortable absorbing. As cyber threats are complex and rapidly evolving, insurers struggle to quantify cyber security risk with limited experience and limited relevant claims data.

[tweet="Insurers struggle to quantify enormous cyber security risk @nphair @UNSWCanberra" text="Insurers struggle to quantify enormous cyber security risk"]

In addition, the data that companies collect can be inconsistent, complicating the aggregation of information, the study of industry trends, and quantification of risks. The fact that many jurisdictions are reluctant to implement data breach notification legislation exacerbates this problem.

Another problem is that the onus for assessing risk lies on the underwriters, who need to use modelling, data, and analytics to understand potential exposures and to tailor coverage. Data science and modelling tools can give organizations, and their insurers, risk evaluations based on technical and behavioural data, providing new insights into those risks using machine-learning techniques.

Although it is challenging to pinpoint the cost of such risks, they would be enormous. The insurance market Lloyd’s of London recently estimated that a hypothetical blackout leaving 93 million people without power in the northeastern US could cost insurers anywhere from $21 billion to $71 billion.

Many organizations are beginning to understand the need to model their cyber risk profiles and invest in appropriate controls. But it would be foolish to see cyber insurance as the only needed measure, and hope to never have to claim. After all, even though we insure our vehicles, we always lock them and hide our valuables when we leave them unattended.

We need to embed this culture into business systems by identifying information assets based on their value to the organization, their value to customers, and the appropriate legislative and regulatory requirements from markets operated in. Only then can a cyber insurance policy be accurately sourced and priced. This process will create the best policy to provide value to organizations’ risk management postures.