The landscape of cyber risk continues to evolve, as trends change and methods and techniques for carrying out cyber attacks become more sophisticated. The COVID-19 pandemic has accelerated this. Cyber criminals have employed creative techniques to target businesses and consumers alike, as they have moved more of their activities online. And there have been reports of attempted phishing attacks advertising the sale of vaccines, testing kits or medication purported to help fight the virus, marrying misinformation with malicious cyber capabilities to exploit vulnerable individuals and posing a challenge to society at large. If any positives can be taken from COVID-19, one is that the pandemic — and the resulting widespread shift to remote working — has placed cyber risk firmly on the agenda.
For insurers, cyber resilience relates to two things. On the one hand, it refers to enhancing their own operational resilience and is a central component of their own risk management planning. On the other, it relates to the growing line of cyber insurance business for which they are continuously developing new and innovative products.
Cyber risks are challenging to insure for a number of reasons, including:
Difficulty estimating future losses
For insurers, managing exposures and maintaining solvency require careful underwriting to accurately forecast future losses. However, estimating potential future cyber losses is not an easy task. With cyber attacks increasing in frequency and severity, but also permanently evolving, and the legal landscape evolving to respond to new threats, forecasting future losses is difficult and this can reduce insurers' appetite to insure cyber risk.
Lack of quality data
As a relatively “new” risk, at least compared with many others on insurers' balance sheets, there is still a comparative lack of historical/actuarial data on cyber risks, which further adds to the difficulty in quantifying potential losses and managing exposures.
Cyber risk has the potential to materialise as a chain of highly correlated risks due to the widespread use of certain operating systems. As these operating systems increasingly dominate, a cyber incident affecting one system can have far-reaching effects on others. This also means that the potential losses from a single event can be significant and potentially uninsurable. Indeed, as the COVID-19 pandemic rages on and its effects continue to be felt around the world, many similarities have been drawn between the mathematics of epidemiology/pandemic risk and the spread of viruses, worms and malware through computer systems, which have the capacity to be similarly correlated and equally catastrophic.
“Ransomware claim notifications in continental Europe doubled in 2019.”
Source: “The Changing Face of Cyber Claims”, Marsh, July 2020
WHAT INSURERS CAN DO
Insurers play an important role in helping society to be resilient in the face of cyber risk and in helping the EU in its efforts to increase cyber resilience.
Insurers offer many cyber risk management and risk transfer services to customers, ranging from guidance and assistance with the implementation of prevention measures to post-incident compensation for losses and forensic support. These ensure business continuity, as they help companies to swiftly recover from cyber attacks.
Cyber insurance products can range from standalone products to aspects of broader insurance policies (eg, property , directors' and officers' liability or general liability). The type and extent of the cover varies greatly depending on the needs of the buyer, the type of cyber risks to which they are exposed and their size, business model and level of digitalisation. The policies can cover a variety of cyber risks and can provide first-party cover — such as for damage to digital assets, business interruption and incident response costs — and third-party cover — such as for privacy and confidentiality-related liabilities.
In addition, the service element of some policies provides policyholders with help assessing their potential exposure and with technical, legal and public relations assistance in the event of an incident.
There is a great deal of innovation in the cyber insurance market, as insurers respond to the changing risk landscape and the evolving requirements of their clients.
Promoting cyber literacy
Many insurers, national insurance associations and Insurance Europe are active in promoting cyber literacy and particularly in raising cyber-risk awareness among small and medium-sized enterprises (SMEs). You can read about some of these initiatives here.
Increasing the awareness of cyber risk and promoting cyber literacy are effective ways of identifying and tackling vulnerabilities. Attacks such as phishing, which is one of the most common types of cyber attack, can be significantly reduced by promoting cyber-risk awareness. And raising awareness of cyber risks not only results in better preparedness in the face of threats and incidents, it also increases the insurability of the risks, as it is likely to result in fewer claims.
Building on a long-standing culture of risk transfer and risk management, insurers are key players in increasing resilience — both society's and their own — against cyber risk.
“The proportion of firms suffering cyber attacks in 2020 rose from 38% to 43%.
Many suffered multiple attacks.
One in six firms attacked say their survival was threatened.”
Source: Hiscox annual survey of 6000 organisations in eight countries, April 2021
WHAT POLICYMAKERS SHOULD DO
Developing sound cyber risk management and resilience requires commitment on the part of all stakeholders, including support from policymakers.
While cyber risk transfer through cyber insurance has a key role to play, the cyber insurance market in Europe is still in its relative infancy when compared with markets for other risks. It is worth only a fraction of its sister market in the US, where written premiums in 2018 amounted to €3.6bn compared with €295m in Europe. Such a market requires the right economic, social and regulatory environment to prosper and thrive.
Improve access to data
The more data that insurers have, the more accurate underwriting will be. In line with efforts to increase data-sharing in the EU and establish a digital single market, policymakers should grant insurers access to pools of cyber-incident data gathered under existing EU legislation — such as the General Data Protection Regulation and the Network and Information Security Directive — and future legislation, such as the Digital Operational Resilience Act. However, it is also important that data is of sufficient quality to be used by insurers. Encouraging further harmonisation of the reporting and classification of cyber incidents across relevant legislation would not only lead to data pools of a higher quality — improving the accuracy of underwriting — but would also contribute to an improved common understanding of the landscape of cyber incidents across the EU. This is one clear area where policymakers could play a pivotal role in encouraging the growth of the European cyber insurance market.
Grant underwriting freedom
The cyber insurance market continues to evolve to meet the changing landscape of risks and consumer demands. It is important that insurers can maintain their ability to develop a wide range of innovative cyber products. As cyber risk is a moving target, introducing standards into the market — either for products or for coverage — would be premature:
- Policyholders forced to buy standardised products are more likely to purchase cover that is not tailored to their needs and/or to buy either more or less coverage than they actually need.
- Insurers need the flexibility to tailor policies to their clients' risks, and policy language is still evolving to reflect changing threats.
Promote cyber literacy
Reducing cyber risk is impossible without raising cyber literacy. EU countries differ in the extent to which their populations are cyber literate and national and EU policymakers have a role to play in improving awareness of cyber risks across the bloc. The EU's Cybersecurity Strategy for the Digital Decade is an important step in this regard.