The Role of Insurance in Fighting Systemic Cyber Risk

How much has failing to solve the cybersecurity challenge cost us? Is it between $57 billion and $109 billion in the US?[1] Is it $600 billion globally?[2] Or is it $6 trillion by 2020?[3] Regardless of the exact figure, we know the cost is growing. The result of ignoring this problem will be catastrophic to our society and our way of life, on a par with climate change, involuntary migration, and asset bubbles in major economies[4].

For Arceo, the future is one where insurance providers, brokers, and enterprises share specific risk data to enhance everyone’s ability to measure and manage cyber risk in real time.

Over the course of four workshops from October 2016 to January 2018, over 75 experts from the insurance, reinsurance, technology, financial services, and energy sectors, as well as government and academia, joined a working group at the EastWest Institute to explore and increase the understanding of systemic cyber risk and cyber insurance. The resulting “Cyber Insurance and Systemic Market Risk” report, published this week, sheds light not just on why this problem exists, but on what can be done at a policy and market level to manage it.

Innovations and new business models are rapidly deepening interconnectedness (and thus risk) between our digital, online, and 'real' worlds. Tesla’s drive to automate a factory of factories, Amazon’s revolution of just-in-time delivery, and Samsung’s quest to put wi-fi in every device and room in your home all converge on enhancing productivity. This increase in productivity is driving a “4th Industrial Revolution”[5], and as we note in our report, “The increasing complexity and interdependency of the digital systems we all depend on also expand[s] the potential for large-scale system failures,” especially as “malicious actors also continue to innovate and improve, exploiting technology for criminal and geopolitical purposes.”

Having sat on the digital watchtowers with the U.S. Government at the Department of Homeland Security’s cybersecurity operations center and the National Security Council, I do believe that “enterprises are improving their security, sharing information and enhancing their risk management practices.” However, massive cyber incidents such as NotPetya, which is estimated to cost $10 billion alone[6], are strong reminders that the work done on prevention is no longer enough.

Cybersecurity is an economic risk and demands an economic-based solution. Our working group, under the EastWest Institute, looked at the blossoming cyber insurance market, where total policy premiums are projected to reach 7.5 billion USD by 2020[7]. Despite healthy growth of the cyber insurance market, I can say we have just as much work to do on economic incentives as we do on technical mitigation.

There are serious concerns inside the cybersecurity market and legislative community about the market’s ability to absorb losses and remain profitable in the event of a catastrophic, systemic cyber incident, especially one that damages physical property or interrupts financial markets. Because of this, insurance carriers are working diligently to model and prepare for these types of events, but cyber insurance is still new and the risk is highly dynamic compared to other insurance lines of business. We propose some policy positions as a jumping-off point for debate, recognizing this is the beginning of a collaborative conversation.

The cyber insurance industry at large faces “a shortage of rigorous tools to model and measure cyber risks, which are inherently complex, interconnected and forever changing with evolving technologies.” I also believe that this holds back the market’s full potential to offer policy limits and coverages that are required to fully protect organizations from their actual cyber liabilities. One of the goals of our working group was to try and tackle this very problem and initiate a shift in the way we address cyber risks. This starts with developing a better understanding of the systemic nature of cyber risks and helping cyber insurance to “mature in a healthy, stable way that leads to increased cyber resilience and cybersecurity for all.”

As exposures increase, the insurance industry is caught between needing more detailed data on losses, benchmarking, and cyber hygiene and competitive pressure on insurers to simplify the application process and ask for less and less information. Arceo increasingly sees our clients’ desire for accurate assessment of cyber risks, using automated data collection and advanced analytics, instead of longer applications. We are taking the next step to fully integrate these efforts with dynamic underwriting for better policy management and to turn data over to the insured to improve their hygiene and lower the likelihood of a loss.

As entrepreneurs, we seek to do good by doing well, building the future we wish to see. For us, this is a future where insurance providers, brokers, and enterprises share specific risk data to enhance everyone’s ability to measure and manage cyber risk in real time. This will drive a market that leans into cyber risks, providing higher limits, better policy coverage, and even top-quality services mirroring the HMO model we have seen bring improvements in patient healthcare services. We also see a significant opportunity for insurance providers to reward and incentivize good cyber hygiene, just as is done in every other insurance market. This is radical but not unachievable, and the catastrophic consequences of failing to fight this systemic challenge demand we work together to realize this vision.

[1] https://www.whitehouse.gov/articles/cea-report-cost-malicious-cyber-activity-u-s-economy/

[2] https://csis-prod.s3.amazonaws.com/s3fs-public/publication/economic-impact-cybercrime.pdf

[3] https://www.herjavecgroup.com/the-2019-official-annual-cybercrime-report/

[4] https://www.weforum.org/agenda/2019/01/these-are-the-biggest-risks-facing-our-world-in-2019/

[5] https://www.weforum.org/agenda/2016/01/the-fourth-industrial-revolution-what-it-means-and-how-to-respond/

[6] https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

[7] https://www.pwc.com/bm/en/press-releases/assets/091515-cyber.pdf