In a cyber environment in which PwC estimates that annual gross written premiums are set to increase from around $2.5 billion today to reach $7.5 billion by the end of the decade, we are going to need a workable model soon.
According to a recent PwC thought leadership piece: “Many insurers face considerable cyber exposures within their technology, errors and omissions, general liability and other existing business lines. The immediate priority is to evaluate and manage these “buried” exposures.”
“Buried” exposures is a good way of raising the issue, but transparency of information is also an issue, as is having access to real-time data that gets insurers as close as possible to knowing their cyber exposures as they bind the policy.
As it becomes increasingly clear that the threat posed by cyberspace is as much an issue of governance and internal conduct risk controls as it is of technology, the shadow of the regulators, whether in the US, Europe or elsewhere, looms larger.
As NSS Labs’ Andrew Braunberg has written in an analyst brief, there has been a recent “push by the White House to promote greater insurance carrier participation in the National Institute of Standards and Technology (NIST) effort to create a cybersecurity best practices framework for critical infrastructure providers.”
Connected enterprises need to start viewing cybersecurity insurance as an inter-connected component of their wider risk management strategy, which means, in the US, understanding current SEC expectations for cyber-risk/incident disclosure or, in Europe, keeping abreast of the latest EU Directives.
In London it means not falling foul of the FCA, which is concerned about poor procedures and controls while it encourages firms to strengthen consumer protection regarding technological risks. The FCA points out in its Business Plan 2015/16 that:
“The growing inter-connectedness of firms increases the risk of an impact on one having a knock-on effect on others. Separately, insurance firms are already offering cover for cyber risks and are collecting large volumes of data about their customers that, if compromised, could provide a valuable source of information to cyber attackers. It is also vital that there is absolute clarity about what such policies do and do not cover, and under what circumstances it will be possible to claim.”
PwC for its part states: “While underwriters can estimate the likely cost of systems remediation with reasonable certainty, there simply isn’t enough historical data to gauge further losses resulting from brand impairment or compensation to customers, suppliers and other stakeholders.”
It says that as potential cyber losses enter the realm of natural catastrophe losses, with incidents becoming more frequent, concern increases about cyber risk concentrations and the capability of less experienced insurers to endure a potentially fast sequence of high-loss events.
The PwC advice is that: “Insurers and reinsurers need more rigorous and relevant risk evaluation built around more reliable data, more effective scenario analysis and partnerships with government, technology companies and specialist firms.”
We have become used to the idea of an earthquake or windstorm causing large financial losses and human misery, so it takes time to adjust to the idea that a human typing on a laptop or the loss of an unencrypted memory stick might cause the same level of threat.
The reality, however, is that cyber connectivity is an existential threat to insurers’ balance sheets and those of their clients. It is surely time to address the issue collectively – insurers, Government, and risk managers – before it is too late.