It is possible to insure cyber risk, but it should be done in tandem with effective risk management and assurance practices. Mark Weil explains steps that can ensure business resilience under stress
Cyber is the new way bad things happen. As we put more online – money, data, market trading – we increase the probability and severity of a cyber attack. At the same time, social media accelerates bad news, making it harder for firms that suffer from a cyber attack to retain customer and investor confidence as speculation takes hold.
Earlier this year, Marsh worked with the government and leading insurers on the report, UK cyber security: The role of insurance in managing and mitigating the risk, which details a new set of joint initiatives between government and the insurance sector to help firms tackle cyber risk more effectively. This work – and the work that we do with our clients – tries to frame the kinds of things that can happen, the impact they will have and the ways in which firms can increase their chance of coming through them (relatively) unscathed.
Despite the existence of insurance solutions for most forms of cyber risk, our work suggests that boards are often unaware that cyber, to a large extent, is an insurable risk. In addition, those boards that are informed are too optimistic about the level of cover provided by the insurance they are currently buying. Our research found that while 39% of executives believe that their organisation has some form of cyber insurance, the actual figure is close to 2%.
According to the report, one probable barrier to adoption is the complexity of insurers’ offerings: traditional insurance products have not been designed to protect clients against cyber risks and, in some cases, underwriters have introduced policy exclusions for cyber risks on these policies.
This means that firms need to navigate a maze of implicit and explicit cover and exclusions, while trying to identify their best means of protection. Below are some examples of typical cyber exclusions and the gaps in traditional insurance policies:
Insurers are recognising that they need to fill these gaps in cover, and are introducing cyber extensions to traditional policies and dedicated cyber insurance products. Figure 1 highlights how most cyber risks are now insurable (or insurable with certain limitations), depending on the expected frequency and severity for each risk.
While insurers get to grips with cyber risk on a more consistent basis, brokers and their clients can work together to develop a ‘statement of cyber assurance’. This will detail the cyber cover that is in place, to an agreed specification, for those insurable risks that have been identified, as appropriate to the firm’s risk appetite.
Flowing from the wider risk assessment and stress testing work, this statement of assurance should form part of a firm’s statement of cyber resilience. Ultimately this gives the board comfort on the completeness of its insurance with respect to cyber.
Cyber risk has come of age, and firms are acting on it. The newness of the risk has created a clamour of voices offering technical, legal and other services, which makes it hard for those under threat to focus on the truly important actions.
The heart of the issue is for boards to put in place risk management disciplines and insurance programmes that will defend against, but also help them survive, a successful cyber attack. A key part of that is financial resilience under stress: confirming that the instruments at their disposal to fund the business will actually respond when a loss occurs.
And that’s where brokers, insurers and government need to work together to ensure that our products and solutions are fit for purpose. Cyber risk needs to be owned collectively as a key risk to our viability, otherwise there’s a real risk that the bad guys may win.