Swiss Re Sigma Report "Cyber: getting to grips with a complex risk"
Cyber threats are evolving rapidly due to the growing digital transformation of society, the widespread use of internet-enabled devices and processes, and the changing profile of hackers. Recent high-profile cyber attacks demonstrate that the extent of associated possible losses is also broadening, increasingly comprising both physical and financial damage relating to data privacy breaches and to companies’ tangible and intangible assets, and also business interruption costs. As a result, the issue of cyber protection is rising up the corporate agenda, at both large and small companies.
Despite increased awareness, corporations are generally ill-prepared to cope with cyber risks. Relatively few firms have integrated cyber security into their mainstream risk management. This situation is not sustainable. Legislation is coming on-stream in many jurisdictions that will compel firms to introduce enhanced safeguards for their customers’ private information or face heavy fines should they fall short of the required standards.
Companies’ first line of defence against cyber threats is greater investment in security technology and robust and comprehensive risk management practices. Many are also looking for external solutions to manage their cyber exposures, including transferring risks to third parties better-placed to absorb them. A dedicated cyber insurance market is developing rapidly with an increasing number of insurers looking to write more business in this specialty line. But some significant cyber related risks remain largely uninsured and the scale of cover is modest compared with firms’ overall exposures.
Cyber risks are complex to understand and calibrate, especially given the significant potential for correlated exposures. The very fast changing technological environment and the lack of historical claims data from which to extrapolate information about future losses is a challenge. Insurers and their clients are nevertheless wrestling with different cyber risk modelling approaches. Even if full probabilistic models are still in their infancy, the experience of other perils offers hope that better, richer cyber risk models will eventually emerge as understanding of the fundamental risk drivers develops and more data about cyber losses become available.
Yet progress in addressing cyber risk should not be dictated by advances in risk modelling. Product and process innovation in insurance will help make cyber risks more insurable and extend available cover to a wider set of policyholders. This includes common standards for capturing, sharing and reporting data about cyber incidents, and greater use of smart analytics to improve threat detection and risk assessment. To expand the boundaries of insurability, companies will need to work with their insurers to create a market which is sustainable. Future development of new insurance-linked securities may in due course also enable certain cyber risks to be transferred to capital market investors.