What we generically call "cyber risk" is, in fact, a family of risks, and it is worth observing whether there is a commonality in the perception, and thus the management, of the risk across the academic, risk management, insurance and policymaking communities. The present study found that cyber breach is perceived as "critical" due in part to its own nature and, importantly, in part to the weak understanding of its impact and of our preparedness.
Variations in cyberattack distributions and probabilities exist depending on who conducts the study (survey) and also on the composition of the study sample. Some variations are by industry or region, while others are about the weight of internal human errors vs. external attacks. The study added examination of how the insurance market has been dealing with cyber risk (as well as all other critical risks in the past) to strengthen its contention that we need to build up an infrastructure to continue our operations in the physical-cyber world of risk.
This increases the responsibility of the insurance industry for assisting individuals and organizations in the management of these risks.
Please find below the Executive Summary of the study "The Insurance Business in Transition to the Cyber-Physical Market: Communication, Coordination and Harmonization of Cyber Risk Coverages", as kindly provided by its author.
W. Jean Kwon, Ph.D., CPCU,
Edwin A.G. Manton Chair Professor in International Insurance and Risk Management,
School of Risk Management, St. John's University, New York, NY
From a historical perspective, the business of insurance began by dealing with a variety of causes of loss that we could observe. They include natural catastrophes and other calamities, as long as the loss outcome would not compromise the sustainability of the industry, at least in principle. The industry then added coverages for intangible causes of loss - liability risks - whose loss outcomes include not only property damage and bodily injury but also personal injury. With the commercialization of information technology, we witness that human and business activities are increasingly intertwined and interconnected in cyberspace. We witness the rise of non-physical, cyber causes of loss as well. Damages arising from the resulting loss events during the early stage of information technology were limited in scope and amount, and the industry found solutions by expanding business interruption provisions in the property insurance market. Advances in robotic process automation, cognitive automation (including artificial intelligence and machine learning), the Internet of Things (IoT) and the blockchain keep the world more interconnected and the world of cyber risk expanding.
Regulatory measures in cyberspace are thus far primarily about privacy protection and data management. As in the physical world, government regulation in the cyber world aims to manage risks at the societal or economic community level. Thus far, no country is known to have a law that subjects the regulated firm to any specific tools to control or finance cyber risk.
This study analyzes the nature of cyber risk (cyberattacks) first from a risk management perspective and then from an insurance business perspective. Specifically, it examines extensively the perception of it as a risk and the level of preparedness of the risk bearers, as well as whether there is a commonality in the perception among members of the academic, risk management, insurance and policymaking communities. We find that cyber breach is perceived as "critical" due in part to its own nature and, importantly, in part to the weak understanding of its impact and of our preparedness. Variations in cyberattack distributions and probabilities exist depending on who conducts the study (survey) and also on the composition of the study sample. Some variations are by industry or region, while others are about the weight of internal human errors vs. external attacks. Reasonable consistency in the sample throughout the study period is essential for generalization of the findings. Nonetheless, existing studies strongly support the insight that employee vigilance and training of all employees remain critical in cyber risk management.
A constant search for statistically useful data for every emerging risk is a norm in risk management. Conversely, a lack of understanding of the risk can lead to non-collection of the data or ineffectiveness in the use of collected data. Weak coordination among different players on standardization of the risk reduces efficiency in data management. Studies about quantification of cyber risk exist but are commonly based on theory or on simulation-based approaches, including but not limited to modified Bayesian models, information asymmetry theory, utility theory and unifying frameworks. The question of how to measure performance in cybersecurity is still largely unanswered.
There seems to be a widespread tendency to treat all cyber loss exposures as "a single risk" rather than as "risks" in cyberspace. This study offers logical reasoning for why cyber risk is in fact a multiplicity of risks, with respect to both the causes and the resulting damages. Accordingly, we propose that the insurance industry develop a portfolio of coverages - rather than a single coverage - for operations in the cyber world of risk, alongside its operations in the conventional physical world of risk.
We support this proposal with an examination of how the insurance market has been dealing with cyber risk (as well as with all other critical risks in the past). Two approaches are employed at this stage. One is an analysis of the existing studies along with the historical development of the insurance market. It appears that the industry follows a cycle of adjustment from an initial denial (or extension) of coverage, to the modification of coverages (for example, exclusions and coverage limits), and finally to the market adjustment (for example, the introduction of a new policy or line of business). The industry's current response to cyber risk lies somewhere between the modification and the final adjustment stages.
There remains a concern about whether there is an appropriate channel of communication between the experts in insurance and those in risk management, whether there is reasonable coordination of efforts within the insurance industry in the attempt to reach the final stage of the above-noted cycle, and whether existing cyber insurance policies show some harmonization in structure from the consumer's viewpoint. We find a gap of communication between risk managers and insurance underwriters, as evidenced by wide differences in loss exposure classification. We find a wide gap in the list of definitions and in the way insurance companies define the contractual terms relevant to cyber risk. In conclusion, it appears that the shapes of cyber insurance policies converge but their contents differ widely. The presence of a gap between the cybersecurity community and the cyber insurance community often makes it difficult for their members to find a common basis for the development of reasonable standards of security and insurability. Standardization is critical not only to help the cyber insurance market develop further but equally to other stakeholders. Consumers need a guideline for comparing policies and purchasing coverages that are right in scope and limit. Standardization is critical for governments to properly promote cyber risk management and insurance within their domestic economies and across borders.
Finally, the insurance industry might be too eager to commoditize the risk without fully understanding it. The market might be developing too fast to allow insurance companies to come up with properly designed coverages. The cyber world is expanding. It is adding artificial intelligence-based and machine learning elements and becoming more complex as existing and new elements are increasingly interconnected. This expansion will certainly add value to society. It will also change the nature of existing risks and add new risks, thus increasing the responsibility of the insurance industry for assisting individuals and organizations in the management of the risk. Accordingly, we need to build up an infrastructure to continue our operations in the physical-cyber world of risk.
The full paper is available from the author at KwonW@stjohns.edu