Exploring Cyber Insurance
With little regulatory framework, cyber insurance is still a developing field. The increasing awareness and occurrence of cyber crimes, such as data breaches, cyber espionage, or network intrusions, have placed this important topic squarely in front of risk managers and CEOs. The second Cyber Risk Wednesday, the monthly series organized by the Cyber Statecraft Initiative, discussed the evolving issues and challenges of cyber risk management and risk transfer, and the role of insurance in cyber risk mitigation.
Data shows emerging trends towards growth in cyber insurance purchases, demonstrating that the market no longer represents a discretionary investment but is maturing into a mandatory approach to cyber mitigation. Catherine Mulligan, senior vice president of the Management Solutions Group and Specialty Products at Zurich Insurance, stressed that the gap that previously existed between risk managers and executives in how cyber threats are perceived has been closed, allowing for support across the board for cyber insurance within companies.
Having a contingency plan for a cyber crisis enables an organization to respond better to incidents. According to the 2013 Advisen survey, a majority of companies were performing well in the area of incident response, but significant gaps still remained. Addressing these challenges requires educational efforts on mitigation techniques and cultural awareness of these issues within a company. Buying trends for security and liability coverage have been on the increase over the past couple of years; however, this increase applies only to a limited sector of companies: those that are highly regulated or those that deal extensively with personally identifiable information. The insurance sector estimates that future trends and developments in cyber insurance models and products will cover the currently uninsured companies.
Matt McCabe, senior vice president of Marsh’s Network Security and Privacy Practice, pointed out that the sources of information security risk that cyber insurance can cover range from loss of or damage to data, to loss of revenue due to a computer attack, to cyber-extortion. A multi-threat environment that includes data privacy and network security requires the inclusion of internal, external, and technological elements to assess the best model for cyber insurance. Effective risk mitigation strategies should cover not only defensive capabilities but also strategies for responding to a cyber incident. Having an incident plan in place and a CISO with overall responsibility for enterprise data protection effectively reduces the cost of a data breach. On the other hand, many companies today stress the amount of liability from litigation that can result from a cyber incident involving the loss of personal data.
Cyber insurance and risk transfer are critical to any risk management strategy. However, relying solely on these safeguards results in an incomplete approach to risk. Comprehensive cyber risk management entails cyber risk transfer, cyber risk treatment and mitigation, and acceptance. Tom Bossert, Zurich Cyber Risk Fellow at the Atlantic Council and president of CDS Consulting, added that the acceptance of risk has to be informed by facts about the level and extent of the risk. Companies can take responsible steps to reduce the technical and human vulnerabilities of their systems, but the key to advancing the discussion on cyber issues is the government’s proactive approach to addressing the thorny issue of cyber threats. A more informed public debate on cyber threats would require a move away from a discussion of the probability of future cyber attacks to an approach that defines risk as a function of vulnerabilities, threats, and consequences.