Alarmist debate around cyber risk insurance can leave risk managers lost. Here, Scott Hammesfahr, solutions consultant - insurance analytics, strategy, and operations at Guidewire Software, clears up the myths.
The Federation of European Risk Management Associations (FERMA) has recently raised concerns about the viability of cybersecurity insurance.
Without intending it, some of the debate around cyber risk insurance can get alarmist and there is a need to challenge some of the fears and concerns out there.
Firstly, there is sometimes a sense that cyber insurers and their products are disconnected from their risk manager clients.
The reality is that cyber risk insurers are dynamic and competitive.
The nature of cyber risks is such that cyber insurance is like no other coverage line in the speed at which it must innovate to address the needs of its clients.
For example, coverage has evolved to cover complex supply chains, the theft of money and securities, the replacement of physical equipment, and to help the business community deal with the scourge of ransomware.
The takeaway for risk managers is that they should not be tempted to assume an understanding of cyber risks by market headlines.
Given the complex nature of cyber risks, risk managers need to take the time to dig into what their exposure really is and lean on expert advice. This can be best done through a broker or ratings firm like S&P, who have access to the best tools to understand cyber risks in the round.
Secondly, there is a clamour that cyber insurance should cover cyber war.
No other commercial insurance is intended to cover acts of war or terrorism, at least as a base offering.
There is a debate to be had here because this is a highly problematic issue given that cyber risk knows no geographical boundaries. We also know we live in a volatile world and critical infrastructure is being targeted for cyber attacks by nation-states for geopolitical purposes.
Insurers have keenly aware of potential losses and payouts associated with geopolitical tensions which stop short of war. For example, do not forget the $30 billion payout for 9/11.
They also have become accustomed to the need to cover economic losses associated with mass cyber attacks like NotPetya, which have been covered by insurance.
Lloyd’s is not alone in sounding the alarm with respect to cyber war and MunichRe has also highlighted the benefits of clear exclusions - transparency of coverage for clients, and sustainability of insurance markets for insurable risks.
So, if cyber war is not covered, what should risk managers do?
They should increase their cyber planning. Lloyd’s is indicating a legitimate fear that nation-state-based, probably destructive or disruptive, cyber attacks that impact many companies are a real possibility.
In the past, a good deal of nation-state-based attacks were espionage focused. The implications of this are far different from events with a destructive element.
Today’s geopolitical world is in flux and there are now more actors that may be inclined to orchestrate destructive attacks.
While critical infrastructure is most likely targeted, risk managers need to be able to model how such mass events spread and affect potentially hundreds or thousands of companies, based on the industry, geography, and tech stack of the client and how a specific attack unfolds.
In response, establishing business resiliency is more important than ever, and to the extent the business relies on IT systems for its core functioning, “cyber” risk is a key risk that risk managers should be taking very seriously.
It may sound too obvious as a recommendation on cyber war risks but risk managers must review their exposure closely and ensure they are well prepared from a business resiliency, information security and privacy perspective.
In a nutshell, evaluate their insurance coverage as a potential means to reduce and manage this exposure.
And finally, the notion that cyber insurance is becoming uncompetitive and unviable is not borne out by the facts.
Indeed, money speaks louder than words. All signs show that the global cyber insurance market continues to grow, and is now well over $10B in annual premiums.
In the USA, the NAIC’s cyber reporting shows that the total number of policyholders has steadily increased for several years, and recent reporting by Marsh indicates the same globally.
Cyber risks are ranked as a top 10 risk, and as so many chief risk officers report it is increasingly a boardroom issue as incidents become more severe.
Cyber insurance purchasing trends reflect today’s risk reality, which is that cyber insurance, while imperfect, is an excellent tool to help risk managers address threats, along with a multifaceted risk management approach to improving technical and operational resiliency.
I feel that much of the industry reporting on FERMA’s comments has taken an unhelpful tone and perhaps clouded what risk managers and insurers are trying to do.
Risk managers should have a seat at the table to voice their needs and concerns as the industry evolves.
Honest, transparent, and proactive dialogue that includes all relevant stakeholders, will be crucial for fostering a better understanding of the challenges and finding effective solutions to complex 21st century risks like cyber.
Scott Hammesfahr is solutions consultant - insurance analytics, strategy, and operations at Guidewire Software. He previously worked as a cyber underwriter, including for Zurich.