OECD Report: Supporting an Effective Cyber Insurance Market
The increasing use of and dependence on information technology in economic activities - while creating significant benefits in terms of productivity and efficiency - is also leading to significant risks. Among them are "digital security risks" which, when they materialise, can disrupt the achievement of economic and social objectives by compromising the confidentiality, integrity and availability of information and information systems. It is widely assumed that most companies have been affected by such "cyber" incidents, will be affected, or have been affected without knowing it. Although quantitative measurement is still emerging and raises significant challenges, accounts of the frequency and scope of (reported) cyber incidents regularly find significant growth in both the numbers of incidents and the share of companies they affect. This has led to cyber risk being identified as the risk of highest (or second-highest) concern to doing business in five of the G7 countries in the World Economic Forum's 2017 Global Risk Report.
Insurance coverage for cyber risk provides a means for companies and individuals to transfer a portion of their financial exposure to insurance markets. Insurance markets and companies can potentially contribute to the management of cyber risk by promoting awareness, encouraging measurement, and by providing incentives for risk reduction. For example:
- The process of seeking insurance coverage requires policyholders to understand (and quantify) the risk that they face in order to determine the amount of coverage that they require.
- The underwriting process will usually involve an assessment of risk management and security practices, including recommendations on further preventative measures that could be taken.
- The pricing of risk should provide incentives to reduce the risk to the extent that the investments in risk reduction will lead to reductions in premiums.
However, for insurance to have a significant impact on risk reduction, the market must be offering a material level of coverage to a large share of companies and individuals at risk - which is not currently the case.