Blog: The five peril categories to better manage cyber risks

Cyber espionage image

  • The money spent on cyber security hasn’t yet reduced cyber risks
  • Cyber incidents come under five categories: data breach, DOS attack, ransomware, IP theft and cyber physical 
  • Companies need to prioritise their efforts, decide which risks to cover and which losses to take on the chin
  • Insurers need to increase capacity and meet regulatory requirements for affirmative and non-affirmative cyber

There needs to be a significant shift in how cyber risk is understood and managed to help boards have a more accurate view of potential losses, as well as opportunities. Robert Vescio, chief analytics officer at SSIC, explains how using five peril categories.

For almost two decades, the business world has been trying to measure cyber risk as if it’s some unique and isolated risk within an organisation. 

This has led to the creation of specific executive-level roles, such as chief information security officers and chief data officers. But, even with these specialised roles, there has been a year-on-year increase in damages related to cyber incidents. As part of an increasingly interconnected and interdependent world, businesses must understand and treat cyber risk as an interconnected and expected risk.

While an increase in cybersecurity awareness and cybersecurity spend are tightly linked, should they be synonymous? Marsh CEO John Doyle summarises this point well: “Awareness is growing. More money is being spent. But, is that leading to a reduction in cyber risk? The answer is: not yet.” 

Cyber security awareness and an increase in cyber security spend should not be synonymous, and in fact should vary greatly from one organisation to the next, based on risk appetite and risk-leverage options.

Cyber risk must be viewed beyond the traditional performance metrics and compliance frameworks and translated into something that matters to executives and shareholders. Distilling all cyber incidents over the last decade, there are five primary cyber peril categories:

  • Data breach
  • Denial-of-service interruption
  • Extortion and ransomware 
  • Misappropriation of intellectual property, trade secrets, and other highly sensitive information
  • ‘Cyber physical’ as related to property damage and human casualty. 

For each of these cyber peril categories, we must understand probability, impact, and expected loss. The sum of the five expected loss values enables organisations to prioritise risk reduction efforts. 

Additionally, it helps organisations to understand whether each cyber risk reduction project will produce a positive return on investment. Firms can then consider which risks should be transferred via an insurance policy, and which should simply be ‘taken on the chin’ as an expected cost of doing business in the digital age.

This is a significant shift in how cyber risk is understood and managed. It will translate into improving the executive function as leaders will finally be able to have an accurate forward view of cyber-related expected losses while actively pursuing strategic goals.

Cyber threats are now the top CEO concern, according to the results of the PWC survey US Business Leadership in the World in 2018. It’s safe to say that part of this concern is based on uncertainty and media hype. Genuine knowledge is the key to understanding the problem and making informed decisions on how to deal with it. Cyber risk must be expressed, understood, and managed in economic terms.

Anticipating an increased need to transfer cyber risk, the insurance industry also recognises that it needs to understand cyber risk in economic terms to increase capacity, open new markets and meet regulatory requirements for affirmative and non-affirmative cyber.

Robert Vescio SSIC
Robert Vescio, chief analytics officer, SSIC
  • LinkedIn  
  • Save this article
  • Print this page  

Cyber Research 2018: The findings

Cyber has come a long way in the past 70 years, yet its meaning has essentially remained the same: it still encompasses the notions of control and communication. Post, in association with Cyberscout, surveyed the insurance market and consumers to find out how well cyber insurance is working

When cyber gets physical

Recent events such as the Wanna Cry ransomware attack and British Airways’ computer outage have helped to drive sales of cyber insurance, but there are concerns that a significant part of the risk is being overlooked

You need to sign in to use this feature. If you don’t have an Insurance Post account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: