The Insurance Business in Transition to the Cyber-Physical Market

What we generically call "Cyber risk" is, in fact, a family of risks and it is worth observing if there is a commonality in the perception - thus management - of the risk in the academic, risk management, insurance and policymaking communities. The present study found that cyber breach is perceived as "critical" due in part to its own nature and, importantly, in part to the weak understanding of its impact and our preparedness.

Variations in cyberattack distributions and probabilities exist depending on who conducts the study (survey) and also on the composition of the study sample. Some variations are by industry or region, while others are about the weight of internal human errors vs. external attacks. The study added examination of how the insurance market has been dealing with cyber risk (as well as all other critical risks in the past) to strengthen its contention that we need to build up an infrastructure to continue our operations in the physical-cyber world of risk.

Thus arises the responsibility of the insurance industry for assisting individuals and organizations in the management of these risks.

Please find below the Executive Summary of the study "The Insurance Business in Transition to the Cyber-Physical Market: Communication, Coordination and Harmonization of Cyber Risk Coverages", as kindly provided by its author.

W. Jean Kwon, Ph.D., CPCU,
Edwin A.G. Manton Chair Professor in International Insurance and Risk Management,
School of Risk Management, St. John's University, New York, NY

From a historical perspective, the business of insurance began to deal with a variety of causes of loss that we could observe. They include natural catastrophes and other calamities as long as the loss outcome would not compromise the sustainability of the industry, at least in principle. The industry then added coverages for intangible causes of loss - liability risks - of which the loss outcome includes not only property damages and bodily injuries but also personal injuries. With the commercialization of information technology, we witness that human and business activities are increasingly intertwined and interconnected in cyberspace. We witness the rise of non-physical, cyber causes of loss as well. Damages arising from the resulting loss events during the early stage of information technology were limited in scope and amount, and the industry found solutions by expanding business interruption provisions in the property insurance market. Advances in robotic process automation, cognitive automation (including artificial intelligence and machine learning), the Internet of Things (IoT) and the blockchain keep the world more interconnected and the world of cyber risk expanding.

The regulatory measures in the cyberspace are thus far primarily about privacy protection and data management. Like in the physical world, government regulation in the cyber world is to manage risks at the societal or economic community level. Thus far, no countries are known to have a law that subjects the regulated firm to any specific tools to control or finance cyber risk.

This study analyzes the nature of cyber risk (cyberattacks) from a risk management perspective and then from an insurance business perspective. Specifically, it examines extensively the perception of it as a risk and the level of preparedness by the risk bearers as well as whether there is a commonality in the perception by the members in academic, risk management, insurance and policymaking communities. We find that cyber breach is perceived as "critical" due in part to its own nature and, importantly, in part to the weak understanding of its impact and our preparedness. Variations in cyberattack distributions and probabilities exist depending on who conducts the study (survey) and also on the composition of the study sample. Some variations are by industry or region, while others are about the weight of internal human errors vs. external attacks. Reasonable consistency in the sample throughout the study period is essential for generalization of the findings. Nonetheless, existing studies strongly suggest that employee vigilance and training of all employees remain critical in cyber risk management.

A constant search for statistically useful data for every emerging risk is a norm in risk management. Conversely, a lack of understanding of the risk can lead to non-collection of the data or ineffectiveness in the use of collected data. Weak coordination for standardization of the risk among different players reduces efficiency in data management. Studies about quantification of cyber risk are found but commonly are based on theory or simulation-based approaches, including but not limited to modified Bayesian model, information asymmetry theory, utility theory and unifying framework. The question of how to measure performance in cybersecurity is still largely unanswered.

It seems there is a widespread tendency to treat all cyber loss exposures as "a single risk" rather than "risks" in cyberspace. This study offers a logical reasoning why it is about the multiplicity of the risk - with respect to the causes and also to the resulting damages. Accordingly, we propose that the insurance industry develop a portfolio of coverages - rather than a coverage - for operations in the cyber world of risk alongside their operations in the conventional physical world of risk.

We support this proposal with the examination of how the insurance market has been dealing with cyber risk (as well as all other critical risks in the past). Two approaches are employed at this stage. One is an analysis of the existing studies along with the historical development of the insurance market. It seems that the industry employs a cycle of adjustment from an initial denial (or extension) of coverage to the modification of coverages (for example, exclusions and coverage limits) and finally to the market adjustment (for example, an introduction of a new policy or line of business). The industry's response is somewhere between the modification and the final adjustment stages.

There remains a concern about whether there is an appropriate channel of communication between the experts in insurance and those in risk management, whether there is a reasonable coordination of efforts within the insurance industry in the attempt to reach the final stage of the above-noted cycle, and whether existing cyber insurance policies show some harmonization in the structure from the consumer's viewpoint. We find a gap of communication between risk managers and insurance underwriters, as evidenced by wide differences in loss exposure classification. We find a wide gap in the list of definitions and the way insurance companies offer their definitions of the contractual terms relevant to cyber risk. In conclusion, it appears that the shapes of cyber insurance policies converge but the contents are so different. The presence of a gap between the cybersecurity community and the cyber insurance community often makes it difficult for the members to find a common basis for the development of reasonable standards of security and insurability. Standardization is critical not only to help the cyber insurance market develop further. It is equally critical to other stakeholders. Consumers need a guideline for comparison of policies and consumption of the coverages right in scope and limit. Standardization is critical for governments to properly promote cyber risk management and insurance within their domestic economies and cross border.

Finally, the insurance industry might be too eager to commoditize the risk, yet without fully understanding it. The market might be developing too fast to allow insurance companies to come up with properly designed coverages. The cyber world is expanding. It is adding artificial intelligence-based, machine learning elements and becomes more complex as existing and new elements are increasingly interconnected. This expansion will certainly add values to society. It will also change the nature of existing risks and add new risks, thus increasing the responsibility of the insurance industry for assisting individuals and organizations in the management of the risk. Accordingly, we need to build up an infrastructure to continue our operations in the physical-cyber world of risk.

The full paper is available from the author at KwonW@stjohns.edu
