Despite its complexities, insurers and companies can get to grips with cyber risk, Swiss Re sigma says

01 March 2017, Zurich

Cyber risk is a growing concern for businesses, with recent attacks demonstrating that the costs of a cyber breach can escalate well beyond managing the fallout of lost or corrupted data. Swiss Re's latest sigma report "Cyber: getting to grips with a complex risk", says businesses need to do much more to integrate cyber security into their risk management programmes. Initiatives to boost cyber resilience are underway.

A dedicated cyber insurance market is developing rapidly, but so far the scope of cover is modest relative to potential exposure. Product and process innovation and also advanced analytics will help foster improved cyber insurance solutions and extend both the boundaries of insurability and reach of cover. Ultimately, some cyber risks, especially those related to extreme catastrophic loss events, may be uninsurable. For such risks, there may be a case for a government-sponsored back-stop.

Recent high-profile cyber-attacks increasingly demonstrate that the costs of a cyber security breach extend beyond managing the fallout of lost or corrupted data. Firms must now factor in the potential damage to their reputation, physical and intellectual property, and also disruption to business operations. The increasing scope and magnitude of potential costs associated with cyber-incidents reflect the ever-evolving cyber risk landscape, which in turn is being shaped by three main dynamics:

- the growing speed and scope of digital transformation;

- the widening sources of vulnerability from hyper-connectivity, with the rapid spread of, for example, internet-enabled devices and cloud computing;

- and the growing sophistication of hackers alert to the potential economic gains from successful cyber-attacks.

Despite increased awareness of the dangers, firms are generally ill-prepared to cope with cyber risks. Relatively few firms have integrated cyber security into their mainstream risk management. Regulation could be a catalyst for change with legislation coming into force in many jurisdictions requiring firms to build enhanced data protection safeguards. As a result, "firms - large and small - need to invest more in cyber security architecture to develop robust pre-and post-loss risk management capabilities," says Swiss Re Chief Economist Kurt Karl.

Managing a complex risk

Many firms are looking to transfer cyber risks to third parties better-placed to absorb them. "A dedicated cyber insurance market is developing, and an increasing number of insurers are looking to write more business in this specialty line," Kurt Karl continues. Dedicated cyber insurance typically provides core protection against data and network security breaches and associated losses, with capacity limits in the market today ranging from around USD 5 million to USD 100 million. However, some significant cyber-related risks remain largely uninsured and the scale of existing cover is modest relative to companies' overall potential exposures.

A key constraint on the development of insurance solutions is linked to the intrinsic nature of cyber risks. They are complex and difficult to quantify, especially given the fast-changing technological environment and lack of historical cyber-related claims data from which to extrapolate information about possible future losses. Insurers and risk analytics vendors are experimenting with different approaches to cyber risk modelling, including deterministic scenario analyses and probabilistic models, in an attempt to estimate the potential losses of cyber events. The experience of other perils, such as natural catastrophes, offers hope that models will continually improve as understanding of the fundamental risk drivers develops and more data about cyber losses becomes available.

Product and process innovation

In the meantime, product and process innovation in insurance and other risk transfer mechanisms will play an important role in upgrading cyber risk management capabilities. A crucial factor influencing the pace of innovation will be the capture and analysis of relevant data and threat intelligence needed to underwrite cyber risks accurately. There are ongoing industry developments to upgrade information collection and dissemination.

For example, various risk analytics vendors have built data schema that provide firms with a standardised approach to identify, quantify and report cyber exposure to insurers. Similarly, the CRO Forum is promoting a common language and framework for firms to capture salient information about cyber incidents and vulnerabilities.

For their part, insurers are looking to develop less complex and more flexible insurance products. These include covers that can be tailored to small and medium-sized businesses, which have hitherto been underserved by insurance and are often less well placed to cope with cyber risks than larger firms. Further, some re/insurers are seeking partnerships with cyber security firms and data analytics vendors to fill knowledge gaps and scale up/provide additional services to their clients. More generally, advanced analytics can augment re/insurers traditional underwriting tools, and help them respond quickly to fast-changing underlying risk factors.



Another way to increase overall loss-absorbing capacity for cyber risk is by developing investment vehicles that enable capital market investors to take some of the exposures. There are currently some initiatives to develop insurance-linked securities (ILS) that cover operational-type risks like cyber. The ILS market for cyber risks remains nascent but could possibly grow.

Supporting role for governments


To expand the boundaries of insurability, companies will need to work with their insurers to create a sustainable market. Ultimately, however, the potential scale of losses from some cyber events could be too great for the private re/insurance sector to absorb, especially peak-loss events such as widespread disruption to critical infrastructure or networks which could lead to significant accumulated losses. For such risks, there may be a case for a government-sponsored back-stop (i.e., a re/insurer of last resort), something akin to the state support for protection against catastrophic terrorism risks.

More broadly governments have an important role in promoting cyber resilience, including measures to improve cyber information capture and diffusion, and setting laws and regulations about how cyberspace is used and protected. By reshaping incentives and increasing awareness of cyber threats, governments can further nudge the private sector into developing improved market-led solutions.

This sigma is the first to be published under the "Swiss Re Institute" banner. The Swiss Re Institute formally launches on 1 March 2017 with a mandate to build on Swiss Re's position as the thought leader in the industry, bringing together the firm's various high-quality research and outreach capabilities under one roof. The Swiss Re Institute will produce Swiss Re's research reports including sigma, the insurance industry's leading research publication.

English, German, Spanish and French full versions of the latest sigma report are available here.

Related articles

photodune-3834701-laughing-girl-xs

Challenges and opportunities of agricultural risks transfer

Despite the rapid movement of the modern world towards digitalization, high technology and process sophistication, the longtime existing agricultural industry remains important for satisfying the primary needs of humanity in food and basic material. In parallel with all technological development people are returning to forgotten principles of sustainable nutrition. Can agricultural industry support this trend? Which challenges agricultural industry experience itself in the era of climate change? We have discussed these and other questions with Olena SOSENKO - International expert in agricultural risk management.

2018-05-23
photodune-3834701-laughing-girl-xs

CEE, FY2017: GWP and paid claims increased at the same pace: 11.5%

The CEE insurance market saw a 11.5% y-o-y growth in 2017, statistical data gathered by XPRIMM show. Overall, GWP amounted to EUR 36.12 billion. With a similar increase, paid claims reached almost EUR 22 billion. The forthcoming issue of the XPRIMM Insurance Report for FY2017, to be launched on May 14, will present in depth information in this regard.

2018-04-19
photodune-3834701-laughing-girl-xs

SERBIA: New Law on Compulsory Traffic Insurance announced

By 2020, Serbia should adopt new regulation in the field of insurance, which would follow the requirements in the process of European integration. The biggest challenge will be the adoption of the new Law on Compulsory Traffic Insurance, to replace the current Law adopted in 2009.

2018-04-12

Europe's future may lie in its pensions

The EU is set to introduce an entirely new class of pension products, according to a proposal by the European Commission currently under debate. Here comes the... PEPPs.

2018-02-16
photodune-3834701-laughing-girl-xs

Allianz Risk Barometer 2018 - Business Interruption and cyber-related incident, top threats for companies globally; NatCat risks return on the top risk agenda

Evolving nature of risk, and rise in cyber-related incidents, means business interruption ranks as top threat for companies globally, according to 1,900+ risk experts from 80 countries, the latest Allianz Risk Barometer shows. On the other hand, while the economic state of the global economy seems to arouse less concern, the strong wave of Nat Cat events brought by the second half of 2017 has placed once again natural catastrophes and climate change up on the risk agenda.

2018-01-18
photodune-3834701-laughing-girl-xs

S&P's: Introducing compulsory cessions could support Russia's domestic reinsurance market, or undermine it

In a recently published report S&P Global Ratings said that operating conditions for Russian reinsurers have become considerably more complex over the past few years In the agency's view, the market has become more concentrated, in part because of an increase in minimal capital requirements since 2012. The Russian reinsurance market lacks internal capacity and remains heavily dependent on reinsurance protection from developed markets.

2018-01-11
photodune-3834701-laughing-girl-xs

Online insurance in Europe reached more than 100 billion EUR in 2016

Online and direct channels are the fastest growing business models in both life and non-life insurance industry in Europe. The market share of the online/direct channel business was, in 2015, 8.2% of the total business, while the total gross written premiums of this channel throughout all Europe reached 99.3 billion EUR.

2017-11-16

ON THE MOVE

TOP EVENT

FIAR 2018 - Motor Insurance Conference (I & II): with the right use of technoloogy, clients' expectations and MTPL insurer's profitability may go hand in hand

The first and second parts of the Motor Insurance Conference taking place at FIAR 2018 focused on the new MTPL Law in Romania and the way it changed the market after almost 1 year of implementation, as well as the consequences of the new legislative framework and the operational challenges this brings, but also the most suitable solutions for balancing regulation, insurers' appetites and customer expectations on the MTPL market.

16.05.2018

FIAR 2018: Brokers' Conference (II): digitization and technology are needed for efficient operations, but will not replace the human touch in consultancy

The second part of the Brokers' Conference taking place at FIAR 2018 analyzed the impact of European Union's legislative overhaul - IDD & GDPR -, also bringing into debate study cases and real-life scenarios of what the brokers face on the market, and, last but not least, trying to see whether digitization and InsurTech could truly lead to disintermediation.


15.05.2018

Brokers' Conference (I): Until 1 July, when we will see the final version of the IDD, we cannot say for certain if we are ready and how ready we actually are

The second day of debates at FIAR 2018 started with The Brokers' Conference, the event dedicated to the mediation market in Romania and in the CEE region. The first part of the conference focused on a market overview and also analyzed the challenges of the IDD implementation, as well as the potential impact of IPID for MTPL and PAD.

15.05.2018

INSURANCE IN A DIGITAL WORLD Conference: capacity, consistency and culture are the three key success factors in the digital transformation of insurers

The INSURANCE IN A DIGITAL WORLD Conference, taking place at FIAR 2018, brought into debate the impact of digitization on the insurance industry. The first part of the conference focused on risks & opportunities of digitalization for both industry and consumers, as well as case studies and best practices: BigData & IoT, BlockChain, Peer-to-Peer, and AI.

14.05.2018

Insurance Market Trends Conference (II): GDPR and IDD, European regulations affecting all business lines, as well as the compliance with the Solvency II framework, are the main challenges ahead for the Romanian market

During the second part of the Insurance Market Trends Conference, taking place at FIAR 2018, the debates focused on the current situation in Romania and the sustainable development for a growing and stable insurance market, as well as the challenges and opportunities for the local insurers.


14.05.2018

See all