Cyber risk and the role of insurance

Ubiquitous technology helped get us through the pandemic. But it’s exposed us to an ever-larger risk of cyber crime. A new Green Paper from the Actuaries Institute looks at this evolving risk and what business, government and insurance can do to manage it.

Cyber risk is not just a problem. It’s a rapidly growing problem. According to the Australia Cyber Security Centre (2021), a cyber-crime incident occurred every eight minutes in Australia in the past financial year – and that’s only the reported incidents.

The economic cost – at $33 billion – is staggering, more than government spends on the NDIS and affecting every level of the Australian economy, from SMEs to big business and government. And the problem is truly global. Just to take one area – ransomware – there were 623 million ransomware attacks reported in 2021 – a 300% increase on 2019.

Figure 1 – Number of ransomware attacks globally

In a new Green Paper, Cyber Risk and the Role of Insurance, commissioned by the Institute, the authors (Win-Li Toh and Ross Simmonds, of Taylor Fry, and Michael Neary, of DXC Technology) argue that cyber risk is a classic example of a ‘wicked problem’. It is, they say, “omnipresent, unpredictably dynamic and its root causes are entangled with other problems”.  The World Economic Forum (WEF) agrees, saying, “Lower barriers to entry for cyber threat actors, more aggressive attack methods, a dearth of cybersecurity professionals and patchwork governance mechanisms are all aggravating the risk[1].”

Win-Li Toh joined the Actuaries Institute podcast to discuss the key points of the Green Paper. Listen below or click here.

Read the transcript.

“Ultimately, any business that utilises technology and/or has access to confidential/ sensitive/valuable data will be at risk of being a target.”

Too big to handle?

Cyber risk is clearly a major problem. And getting to grips with it is proving difficult. While good cyber hygiene and security will always be the first line of defence, insurance is an important second line of defence.

But there are challenges for the insurance sector in addressing the problem. If underinsurance could be tackled, cyber risk would become the largest, or one of the largest, lines of business – exerting pressure on the capacity of the Australian market. As the Green paper asks, is this sustainable given the ‘wickedness’ of the risk?

The wicked nature of the problem is exemplified by the 2017 court battle between Merck and its insurer as a result of the NotPetya malware attack linked to Russian action against Ukraine. The case highlighted the challenge facing insurers in covering cyber-attacks that might be linked to state (or shadow-state) actors. In developments since then, Lloyd’s has directed insurers to provide clarity in their policy wordings of what is (and is not) covered, including through the use of ‘robust wordings’ around Acts of War exclusions.

As the WEF indicates, the global shortage of cyber security professionals adds another layer of wickedness to the problem. According to CyberCX[2], Australia alone needs another 30,000 cyber professionals by 2026. Those professionals are hard to find and train in a world already struggling to fill demand for skilled technologists.

Yet it would be a mistake to assume that the solution to cyber risk can be found solely in more technology – or more technologists. Some 95% of cyber breaches are caused by human error and much of the day-to-day work of CISOs (Chief Information Security Officers) is targeted at instilling a cyber security culture into their organisations.

The difficulty of embedding that cyber security culture has only been heightened by the isolation forced on workers by COVID-lockdowns over the past two years. One often forgotten element of cyber security culture is the importance of embedding it at the Senior Executive and Board level.

Working towards solutions

Whilst the problem of cyber security is big and growing, it is possible to get to grips with it. The paper highlights some of the ways the risk can be managed.

Firstly, business – encouraged by government – needs to be doing much more to protect their operations from cyber threat. That includes the cultural work discussed above, investing in cyber security, insuring their cyber risk and spending time and money on building corporate resilience. As SMEs are an increasing target for cyber-criminals, it’s not just big business that needs to invest in cyber risk management.

The global insurance industry needs to grow capability, profitability and capacity when it comes to protecting its clients from cyber risk. It also needs to deal with the Acts of War and terrorism issues discussed above and manage ‘accumulation risk’ – the potential for a single event to trigger numerous losses across business lines and global borders. These are all issues for the insurance industry, together with other stakeholders, to grapple with – and actuaries certainly have a role here. Intelligent government support and legislative clarity must underpin the insurance sector’s initiatives.

In many ways, the insurance sector has only just started to grapple with cyber risk – but it has proven its ability to deal with seemingly intractable risk issues in the past. The other benefit of  deeper insurance engagement with cyber risk is that insurance – via pricing, policy wordings and knowledge sharing across the industry – can drive better risk management behaviour in its clients. We have seen this throughout the history of the insurance industry – from the plimsoll line in marine insurance to the increasing use of personal health data in life and disability insurance.

Actuaries and cyber risk – the value of scenario analysis

Convincing business to invest in cyber protection technologies, a cyber risk culture, cyber insurance and overall business resilience practices has been difficult in the past. Actuaries and their expertise in scenario analysis and stress testing can play a crucial role.

Data-driven projections can highlight the real potential costs of a cyber-attack – not just operational costs, restitution and potential legal sanctions but also the ongoing financial cost of reputational damage and loss of trust.

As ever, the role of actuaries is to provide data and insights that drive better decision-making. (At the time of writing, the Optus data breach can be considered an ongoing case study in this issue).

Figure 2 – Scenario analysis of cyber incident and effectiveness of insurance

Hydra-headed problem, collaborative solution?

Reducing the risk to a manageable size is likely to take all the ‘good actors’ working together. Governments can provide clarity, drive international co-operation, and support cyber skills training and development. Insurers can devote their capital and innovative thinking to managing the risk. And business – big and small – can invest in cyber security technologies, a cyber security culture and insurance. Collaboration across those three layers offers us the best opportunity to reap the rewards of ever-improving technology, without being overwhelmed by its attendant risks.

“Cyber security issues are too vast to be solved in isolation and collaboration between all stakeholders is needed.”

References

  • [1] Global Risks Report, 2022.
  • [2] CyberCX, Upskilling and expanding the Australian cyber security workforce, 2022
 

CPD: Actuaries Institute Members can claim two CPD points for every podcast listened to.