Measures insurers can take to strengthen cyber defense
Fear is powerful – it drives us to flight, paralysis or fight – for example, taking up self-defense. In the case of cyber-attacks, fear has fortunately led many companies, organisations and governments to step up their defenses.
The strong increase in cyber attacks in recent years has made most organizations and companies realise that they can become a target with serious consequences. This, coupled with the knowledge that the cost of an attack could be far greater than any investment they make in pre-emptive mitigation efforts and cyber hygiene, has prompted them to act.
First, I'd like to applaud these actions. But I can't ignore the fact that the efforts being undertaken against cyber threats are never enough. As digitalization proliferates and technology advances, so does exposure to cyber threats.
A new expertise paper from the Swiss Re Institute (SRI) “Cyber: Extending insurability for a rapidly evolving risk” gets to the heart of the problem: “The pace of technological change, the rising awareness of cyber risk and the adoption of cyber hygiene practices to keep data and networks secure, are not synchronised.” Rather, we have a legacy of outdated security protocols and IT systems, and regulatory frameworks are only slowly catching up with technological realities. This lag in cyber defense opens the door to malicious actors seeking to exploit digital vulnerabilities for financial, reputational or geopolitical gain.
Insurance industry has great leverage to overcome limitations
In this unfolding environment, every player needs to consider stepping up its game. The insurance industry in particular has great leverage to increase cyber resilience, the SRI researchers emphasise. Insurance plays a key role, not only providing risk transfer but also incentivising cyber risk mitigation – to obtain cyber coverage, companies must prove they have a quality cyber risk program in place that supports monitoring and aiding responses to cyber attacks.
The industry should demonstrate its strength right now, when limited insurability is constraining capacity, despite growing demand, and calling into question the sustainability of the cyber insurance market. The SRI researchers highlight three areas of improvement where the insurance industry can help manage cyber risks more efficiently and increase insurability.
To address these limitations the SRI researchers recommend stakeholders improve cyber resilience by: standardising data and improving modelling; addressing the cyber talent gap by investing in education; and investing in new sources of capital and private-public collaboration. “This will help mitigate overall exposures, improve understanding of the risk and help make society more resilient to attacks with devastating and potentially systemic consequences”, SRI concludes. At the same time, it emphasises that the human and networked nature of cyber means the risk will continually evolve and require a coordinated response. Enhancing resilience will require collaboration between corporations, insurers and governments.
Three focus areas for re/insurers
- Standardisation: Policy language shortcomings are being addressed with various approaches but risk leaving the market without a solution for the biggest events. The relative youth of the cyber insurance market and the complexity of the risk are reflected in a lack of standardisation around key terms and conditions including exclusion clauses. Unless standard clauses are adopted and widely deployed, insured and insurer may end up in court fighting over the intent. Developing a uniform approach to manage aggregate losses would support sustainable growth by creating better-understood solutions for corporations and bolstering the risk appetite of re/insurers. Associations, individual insurers, and think tanks have taken steps to standardise definitions for cyber war, operations, and attribution - a simple technical process for attributing cyber operations does not yet exist.
- New cooperation models: A developing option for addressing the protection gap that results from hard-to-model and non-diversifying tail risks is cyber insurance-linked securities (ILS). Currently, it is estimated that alternative capital will provide around USD 95 billion additional catastrophe reinsurance capacity in 2022, supplementing dedicated traditional reinsurance capital of USD 435 billion. There is latent interest in growing alternative capital solutions for cyber risks and supporting a sustainable cyber market.
- Address cyber talent shortage: To remain current on the evolving risk, technology firms and re/insurers must also continually work to develop greater cyber expertise in the work force. As a recent example, in October 2021 Microsoft unveiled an initiative to fill the cybersecurity skills gap by providing access to free curriculum and teaching tools. Re/insurers can also help to tackle the cyber talent shortage by strengthening partnerships with universities to develop education programmes relevant to their business. This would include cyber risk modelling to strengthen the actuarial and technical skills needed for the forensic analysis that is part of underwriting and claims management cycles.
While the uncertainty of future events is an intrinsic feature of the insurance business, aggregation risks add another layer of complexity. This may leave insurers unwilling to cover these extreme tail risks with large loss potential. One solution to fill the protection gap is to design a type of public-private partnership (PPP) insurance scheme where the coverage of systemic risks is split between insurers and a government-backed fund.
Fear often triggers an instinctive response and can provide humans with strength that they would not have at their disposal under normal circumstances – it can lead to a superhuman reaction. In the context of cyber attacks, we don't need to be afraid, but we must maintain the appropriate respect for a threat that is growing in magnitude. Given that, it is vital for every industry and every stakeholder to contribute its specific expertise and capabilities. A key focus of re/insurers should be data gathering and standardisation, alongside modelling efforts. And frankly, I am quite excited that, by investing in cyber talent, the re/insurance industry can help shape the cyber capabilities of tomorrow.