There needs to be a significant shift in how cyber risk is understood and managed to help boards have a more accurate view of potential losses, as well as opportunities. Robert Vescio, chief analytics officer at SSIC, explains how this can be achieved using five peril categories.
For almost two decades, the business world has been trying to measure cyber risk as if it’s some unique and isolated risk within an organisation.
This has led to the creation of specific executive-level roles, such as chief information security officers and chief data officers. But, even with these specialised roles, there has been a year-on-year increase in damages related to cyber incidents. As part of an increasingly interconnected and interdependent world, businesses must understand and treat cyber risk as an interconnected and expected risk.
While an increase in cybersecurity awareness and cybersecurity spend are tightly linked, should they be synonymous? Marsh CEO John Doyle summarises this point well: “Awareness is growing. More money is being spent. But, is that leading to a reduction in cyber risk? The answer is: not yet.”
Cyber security awareness and an increase in cyber security spend should not be synonymous, and in fact should vary greatly from one organisation to the next, based on risk appetite and risk-leverage options.
Cyber risk must be viewed beyond the traditional performance metrics and compliance frameworks and translated into something that matters to executives and shareholders. Distilling all cyber incidents over the last decade, there are five primary cyber peril categories:
- Data breach
- Denial-of-service interruption
- Extortion and ransomware
- Misappropriation of intellectual property, trade secrets, and other highly sensitive information
- ‘Cyber physical’ as related to property damage and human casualty.
For each of these cyber peril categories, we must understand probability, impact, and expected loss. The sum of the five expected loss values enables organisations to prioritise risk reduction efforts.
Additionally, it helps organisations to understand whether each cyber risk reduction project will produce a positive return on investment. Firms can then consider which risks should be transferred via an insurance policy, and which should simply be ‘taken on the chin’ as an expected cost of doing business in the digital age.
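The arithmetic behind the two paragraphs above (expected loss per peril, the sum across the five categories, the return on a reduction project, and the retain-or-transfer decision) as an added worked example; this is not code from the article or from SSIC, and every probability, impact, control cost and retention limit in it is a constructed placeholder, not a figure the article gives:

```python
"""Quantitative view of cyber risk across the five peril categories.

Added example, not from the original article. The probabilities, impacts,
control costs and the retention limit below are constructed sample values
chosen to illustrate the arithmetic; they are not figures from the article
or from any real organisation.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Peril:
    """One of the five peril categories with its annual probability and impact."""
    name: str
    annual_probability: float   # chance of at least one material event in a year
    impact: float               # expected financial loss given that the event occurs

    @property
    def expected_loss(self) -> float:
        """Annual expected loss = probability x impact."""
        return self.annual_probability * self.impact


@dataclass(frozen=True)
class Control:
    """A risk-reduction project that lowers the probability and/or impact of one peril."""
    name: str
    peril: str
    annual_cost: float
    probability_reduction: float = 0.0   # fraction by which annual probability falls
    impact_reduction: float = 0.0        # fraction by which impact per event falls


# Constructed sample values (hypothetical); an organisation substitutes its own estimates.
PERILS: List[Peril] = [
    Peril("data breach", 0.30, 2_000_000),
    Peril("denial-of-service interruption", 0.50, 200_000),
    Peril("extortion and ransomware", 0.20, 1_500_000),
    Peril("misappropriation of intellectual property", 0.05, 5_000_000),
    Peril("cyber physical", 0.01, 10_000_000),
]

# Two hypothetical reduction projects, each aimed at one peril (constructed values).
BACKUPS = Control("offline backups with tested restore", "extortion and ransomware",
                  annual_cost=80_000, impact_reduction=0.6)
MFA_MONITORING = Control("MFA and log monitoring", "data breach",
                         annual_cost=150_000, probability_reduction=0.4)

# Risk appetite expressed as the largest single-event impact the firm will absorb itself.
RETENTION_LIMIT = 1_000_000


def total_expected_loss(perils: List[Peril]) -> float:
    """Sum of the five expected loss values: the annual cyber loss to budget for."""
    return sum(p.expected_loss for p in perils)


def prioritise(perils: List[Peril]) -> List[Tuple[str, float]]:
    """Rank perils by expected loss, highest first, to direct reduction efforts."""
    return sorted(((p.name, p.expected_loss) for p in perils),
                  key=lambda t: t[1], reverse=True)


def apply_control(peril: Peril, control: Control) -> Peril:
    """Return the residual peril once the control is in place (unchanged if it targets another peril)."""
    if control.peril != peril.name:
        return peril
    return Peril(peril.name,
                 peril.annual_probability * (1 - control.probability_reduction),
                 peril.impact * (1 - control.impact_reduction))


def control_roi(control: Control, perils: List[Peril]) -> Dict[str, float]:
    """Benefit = fall in total expected loss; net = benefit - cost; roi = net / cost.

    A project is worth funding on these terms only when net > 0.
    """
    before = total_expected_loss(perils)
    after = total_expected_loss([apply_control(p, control) for p in perils])
    benefit = before - after
    net = benefit - control.annual_cost
    return {"benefit": benefit, "net": net, "roi": net / control.annual_cost}


def treatment(peril: Peril, retention_limit: float) -> str:
    """Retain the peril (take it on the chin, budgeting its expected loss) when a
    single event stays within appetite; otherwise transfer it via insurance."""
    return "retain" if peril.impact <= retention_limit else "transfer"


if __name__ == "__main__":
    print(f"total expected loss: {total_expected_loss(PERILS):,.0f}")
    for name, el in prioritise(PERILS):
        print(f"  {name:45s} {el:>12,.0f}")
    for control in (BACKUPS, MFA_MONITORING):
        print(control.name, control_roi(control, PERILS))
    for p in PERILS:
        print(f"  {p.name:45s} {treatment(p, RETENTION_LIMIT)}")
```

Impact here is treated as a single expected-loss-given-event figure; a fuller model would carry a distribution per peril and report tail losses as well, but the prioritisation, ROI and retain/transfer logic stays the same.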
This is a significant shift in how cyber risk is understood and managed. It will translate into improving the executive function as leaders will finally be able to have an accurate forward view of cyber-related expected losses while actively pursuing strategic goals.
Cyber threats are now the top CEO concern, according to the results of the PWC survey US Business Leadership in the World in 2018. It’s safe to say that part of this concern is based on uncertainty and media hype. Genuine knowledge is the key to understanding the problem and making informed decisions on how to deal with it. Cyber risk must be expressed, understood, and managed in economic terms.
Anticipating an increased need to transfer cyber risk, the insurance industry also recognises that it needs to understand cyber risk in economic terms to increase capacity, open new markets and meet regulatory requirements for affirmative and non-affirmative cyber.