Cyber is a complex and dynamic risk. We are gathering knowledge together with other stakeholders in order to promote resilience and develop a sustainable cyber insurance market.
Smart devices, fintech, driverless vehicles, cloud computing, social media – these are not just catch-words, but the apparatus of a hyperconnected world that will continue to revolutionise the way we do business, our lifestyle, and the way we view risk. We are only at the beginning of a digital transformation, and our understanding of the changing composition of risk is in its infancy. Concepts of physicality and discontinuity of loss become less relevant in a digitally connected world, and so we need to again embark on the journey to build the knowledge needed to adequately identify, quantify and mitigate risk in this new environment.
Whilst business has developed a high level of comfort in its understanding of physical perils such as natural catastrophes, fire, machinery breakdown and personal injury, and identifies these as key enterprise risks, cyber risk is often sidelined as a purely IT concern outside the broader ERM framework. In reality, cyber is just a modern channel for traditional risks such as business interruption, property damage, crime, general liability, management liability and reputational risk. The difference is that cyber is a channel that can be anonymous, leaves little to no physical evidence, is fast-acting and therefore accumulates quickly. Inherently this makes the risk more difficult to understand and to mitigate. Cyber-channelled perils are often not random and invariably involve a human motivational element, whether as the catalyst, the key vulnerability, or both.
Pleasingly, we can see that cyber risk management in Australia is beginning to attract increasing attention at all levels across business and government. In 2016, the Australian federal government established a national ministry to pursue Australia's cyber security strategy, and in February this year a pilot of the Joint Cyber Security Centre was launched in Brisbane as a partnership between business, government and academia, with the aim of enhancing collaboration in the cyber security field. On the regulatory front, the Australian Securities and Investments Commission also continues to remind company directors that cyber risks should be adequately considered and incorporated into governance and risk management practices.
Nevertheless, it is only relatively recently that cyber risks have begun to attract widespread attention, and so a credible database of losses and risk drivers is not readily available. Even where data is being collected, the type and source of a cyber-attack is not always apparent, and at times a company may not know it has been attacked at all. Given the anonymity of the attacker and the lack of physical evidence, the motivation is not always clear, nor is the vulnerability that allowed the cyber intrusion. The lack of claims data is exacerbated when trying to determine cyber accumulation potential. Only a handful of 'large' cyber events have been reported; however, in the absence of a widespread cyber insurance market, the losses emanating from them tend to go unreported.
This is a huge challenge when attempting to model the expected frequency and severity of loss, the key drivers of risk and the mitigants to accumulation. Greater stakeholder collaboration in establishing a common cyber language, standard data reporting and a protocol for data sharing would go a long way to improving the industry's ability to accurately underwrite cyber risk. The national mandatory notification regime passed by the Australian federal parliament this year will promote better reporting of data breach incidents, hopefully helping to build a central database of incidents with a common language that would ideally be made available to the business community and the insurance industry alike.
Another approach to acquiring risk assessment data is to make the most of the information available on the internet. There are a number of risk modelling and analytics firms, such as Swiss Re's partner Cyence [https://www.cyence.net/], who are using such information to develop risk assessment tools that look at both IT vulnerabilities and the human motivational elements that result in cyber-attacks. This is a good way to begin developing, steering and learning from a young cyber risk portfolio. Australia's fledgling cyber insurance market is estimated to be worth approximately AUD $30-$40m*. When we think about this premium pool in the context of the potential for a large single loss, or even a large accumulating cyber event, it soon becomes apparent that the market is not equipped to respond to the full cyber risk transfer needs of this market, let alone the broader uninsured risk pool. In addition to improving cyber risk awareness and risk management practices, the cyber insurance market needs to look at more effective responses to peak accumulation risk if it is to achieve longer-term sustainability. Similar to the approach taken to terrorism risk, there is an opportunity for further dialogue with key stakeholders, in particular on a response to peak risks of national significance such as national critical infrastructure.
Another major challenge for the insurance industry is to delineate, within the broader suite of insurance products, which cyber exposures are captured and to what degree. This is important from the perspective of the insurer, so that it can properly assess, price and control the risks it accepts, but also for the insured, so that they have clarity on the exposures they actually have protection for. Currently we observe a patchwork of coverage available in the market for cyber exposures, some intended and perhaps many more unintended. Beyond the variances in explicit stand-alone cyber risk products, we observe the following cyber coverage examples and exclusions in established insurance products:
• explicit cyber privacy and data restoration extensions to existing financial lines products
• explicit cyber crime coverage in Computer Crime policies
• media/advertising liability under broadform liability (however, cyber exclusions are in some cases being introduced)
• cyber extensions under property insurance
• data loss exclusions under property insurance and, only in some cases, exclusions for property damage caused by non-physical means.
It seems that what we know about cyber risk is only the tip of the iceberg, with much still to be discovered below the surface. What do you see as the other challenges to understanding and responding to cyber risk? What other steps do you think we can take to understand cyber risk more thoroughly and build a resilient and sustainable cyber insurance market? Share your thoughts below.
You can read more about cyber risk in our sigma report: Getting to grips with cyber risk
*Aon Insurance Market Update 1H 2016