Across the world, businesses are more and more concerned with the exponential growth of cyber risks. Regardless of the business type, the sector you operate in or the firm size, you and your stakeholders are using computers, mobile devices, wearables or other types of digital technologies that are susceptible to be hacked. Yes, we all are at high risk to be the next victim of a cyber attack. In fact, that could be happening right now.
As we all have experienced, COVID-19 caused an abrupt transition to remote working. Sometimes carried out quickly without paying enough attention to variables such as cybersecurity, businesses’ exposure to cyber risks has skyrocketed as a consequence. The trend hasn’t slowed down and there are no signs of that happening any time soon.
As a result, IT Security has become more complex and challenging. Indeed, one of the tiny coronavirus’ side effects has been surfacing the vulnerability of businesses’ security systems.
From Tron and War Games back in the 80s, to Hackers in early mid 90s or V for Vendetta in early 2000s, hackers and cybersecurity breach movies have depicted dramatic scenarios with dangerous consequences. But reality, often, outdoes fiction. Numerous recent cyber attacks have only made obvious the fragility of the systems our world is supported by and how interconnected they are, like domino blocks.
Indeed, we are witnesses of numerous examples of security breaches (or have even experienced them) such as social media data leaks or the cyber attack on one of the US largest oil pipelines, and there are many more. Blackmailing citizens or authorities, stopping goods production, highjacking networks or security controls, etc all of them can happen, suddenly.
However, are cyber risks a market challenge or an opportunity for the insurance industry? Or could we turn them into an opportunity? That’s precisely what this article focuses on. We explore the growing cyber insurance market, how insurers perceive cyber risks and a modern approach to quantify them.
Exploring cyber insurance market needs
We observe that cybersecurity-related businesses are booming, and cyber insurance takes part in the list as well. Regarding the latter, we expect strong growth in the coming years.
In October 2019, cyber insurance market penetration in EMEA was relatively low with only around 30% of companies buying standalone cover. However, the European cyber insurance market annual growth rate is expected to be at around 20% yearly until 2030.
EU regulators are aware of that and foresee that cyber Insurance will play an important role as the member states digitalise and are required to become more resilient.
With the development of cyber insurance, we expect an improvement of the following key areas:
- Product development: products must be tailored in a way that businesses are in fact mitigating the faced cyber-risk and, in turn, risk management departments are keen to purchase those products.
- Underwriting and pricing: Cyber underwriters—skillful professionals dealing with the ever-changing risks associated with cyber coverages—are in short supply. On the other hand, the tools used haven’t yet proved to be effective, and the completeness and quality of data that underwriters use is not up to standards. To cope with the lack of cyber underwriters, upskilling existing professionals, investing in new tools and improving the information collected will be essential in coming years.
- Portfolio risk management: The cyber risk exposure which has not been explicitly excluded within traditional insurance policies is called silent cyber or non-affirmative cyber. It endangers risk management decisions and scenario analysis (e.g. for building ORSA), as a significant risk portion could be omitted from the analysis.
Insurers must carefully review their products, identify all the risks that are being covered and adjust their risk management accordingly.
- Claim prevention (pre-claim): Policyholders must fulfil minimal IT systems standards to mitigate risks to acceptable levels, and improve human behaviour by creating regular awareness campaigns. Afterall in the majority of successful attacks are due to human intervention.
- Claim management (during-claim): Basic services to manage cyber attack crises and develop a proper response are sometimes not available which makes it difficult to get clients back in business.
What has the Insurance Market perceived cyber risks in the last decade?
Before the pandemic, insurers that participated in the Insurance Banana Skins 2019 ranked technology and cyber risk as the two major arising business risks. In the 2021 edition, the panorama wasn’t that different. Insurers listed, in this order, crime (including cyber), regulation, technology and climate change as the four main risks for the industry.
Exhibit 1 shows the evolution of risks that insurers consider as more influential for the industry.
Exhibit 1. Top Risks for Insurers 2009-2021 (click image to enlarge)
Naturally, insurers’ concerns have changed over time, tied to socio-political contexts and, more recently, to environmental concerns. For years, regulation has usually been on the insurers’ risk podium to cope with, for instance, the implementation of Solvency 2, IFRS 17 or the decrease of interest rates set by the European Central Bank (ECB) to stimulate the economy, cyber risk only entered the scene in 2015.
And with the blooming technological developments currently happening—artificial intelligence (AI), blockchain or process automation—insurers have realised that the status quo no longer holds, and catching up with the transformation mainly driven by digital technology is a priority.
One has to acknowledge that the insurance industry has experienced steady growth and has been a profitable sector over the past decade and this may have caused innovation not to be considered a priority.
This testimonial from an insurance company’s treasurer based in the US couldn’t make it clearer: The insurance industry as a whole is woefully behind other financial services firms in implementing technology. To keep up with other sectors, insurers must choose the adequate path to innovation based on their customers’ needs, business type and resources.
But let’s get back to Exhibit 1’s information. From 2017 onwards, technology and Cyber Risk have been moving up the ranking almost hand on hand. This is not a coincidence since they are closely related.
Beyond the insurance sector, we observe that most financial services industries are investing in technology to continue delivering value, answer to clients’ expectations and remain relevant.
Because of increased competition from incumbent firms that are moving faster to transform themselves digitally, or new entrants such as insurtechs, insurers are also called to invest in and stimulate innovation.
However, one of innovation’s side effects is the exposure to cyber risks. Aware of this, insurers want to balance opportunity and cautiousness so they are in a better place to answer any cyber risk that arises.
Common factors leading to cyber risks challenges in the insurance industry
Digitalisation brings with it risks of various kinds, those related to cybersecurity being among the most important. Another risk we should highlight is that of not living up to employees’ expectations to get ready for the digital transformation.
There are no one-size-fits-all solutions to approach cyber risks, certainly. We are however seeing positive changes in the insurance industry and the future looks promising.
Insurers and consultants are getting more knowledgeable about cyber risks and the approaches to tackle them are constantly improving.
Exhibit 2 describes some of the most recurrent factors that could lead to cyber risks in the insurance industry.
Exhibit 2. Common factors leading to cyber risks challenges in the insurance industry (Click image to enlarge)
When consulting meets insurance: common working areas
Because of exposure to different clients’ realities and challenges and experience gained across the globe, consultants usually have a vast view of the insurance industry.
Despite that positive fact, the truth is that there aren’t standard approaches to tackle cyber risks and the majority of insurance models that have been used until now seem to be outdated and not truly capable to tackle challenges that digitalisation has brought.
Let’s bear in mind that, although cybersecurity in itself isn’t a new field, it’s only in recent years when it has gained the relevance and consideration it has always deserved and it’s being embedded in the risk management approach of most sectors, financial services included.
But the nature of the insurance work makes it more challenging because it has to do with the anticipation of future cyber-related risks. That is relatively a young and emerging field which calls for experimenting different approaches and understanding what works better.
Some common areas where consultants support insurers are:
- Scenario development: tailoring a plausible list of scenarios, analysing risk exposure, and quantifying the financial impact.
- Dynamic model output dashboard: by building dynamic dashboards, the management can question and challenge the reasonableness of the model’s outputs and evaluate investment options. Currently there are numerous tools in the market.
- Other: key market benchmarks, estimating the scenario probability models, analysing the implemented controls, among others.
How can insurers quantify cyber risk today?
Risk is quantified by the likelihood of an event and its impact.
This publication provides insurers with a sophisticated and modern approach to estimate cyber risks as an alternative to the simple risk matrix.
It starts with a description of how to create an impact graph which lists all business processes, services and assets involved (considering the inter-dependencies) that are defined as nodes.
From this graph insurers can more easily define several possible hacking attack scenarios (Exhibit 3) to each of the nodes. They are called attack paths and are part of the attack graph shown below.
Exhibit 3. Cyber risk estimation model (click image to enlarge)
The Exhibit above may remind you of a Bayesian Network, a type of probabilistic graphical model.
To reach a certain node, one should apply conditional probabilities so as to estimate the probability of each of the attack paths.
The next step is the amount estimation for each of the cost factors that adverse cyber events can cause—which is determined via historical data or expert judgement—and calculate the potential loss of each of the attack paths.
Do you still have time to jump on this cyber journey?
We asked in the introduction, “Is cyber risk a market challenge or an opportunity?”
We don’t have a concrete answer (we’d need to assess the risk of giving one!) but we trust that we’ve offered some insights to you so you can come to a conclusion on your own. Each reader likely has a different one.
What we can certainly say is that there are several challenges in the emerging cyber risk field and all that it encompasses.
But, all coins have two sides, well, all the physical ones. Because, with the challenges, there is also a growing market need and, therefore, an opportunity that some market players want to take advantage of.
In addition to that, the methodologies to quantify cyber risks are becoming more interesting and sophisticated so the field is more exciting from a professional point of view as well.
In anycase, the importance of Cyber Risk is growing on a daily basis and by no means should be ignored!
What we think
Like it or lump it, with digitalisation companies are more exposed to cyber risk. This brings, on the one side, the challenges of implementing comprehensive cybersecurity, both offensive and defensive. On the other hand, there is the market opportunity for insurers to develop cyber-risk products and new models too. It’s, like most things, a matter of perspective.