Despite increased awareness of rapidly evolving cyber threats, relatively few corporations have integrated cybersecurity into their mainstream risk management programs – a situation that is “unsustainable,” according to Swiss Re’s latest “sigma” report.

The costs of cyber attacks have moved beyond coping with lost, stolen or corrupted data, said the report titled “Cyber: getting to grips with a complex risk.”

Companies now must also contend with potential damage to property and reputation as well as the costs associated with business interruption (BI) or severe disruption to critical infrastructure, cautioned the report.

Further, many jurisdictions are adopting legislation that “will compel firms to introduce enhanced safeguards for their customers’ private information or face heavy fines should they fall short of the required standards.”

As a result of these trends, “firms—large and small—need to invest more in cybersecurity architecture to develop robust pre- and post-loss risk management capabilities,” said Swiss Re Chief Economist Kurt Karl in a company statement.

The report described the need for “greater investment in security technology and robust and comprehensive risk management practices.”

Cyber Insurance

And, of course, risk transfer via insurance can also help companies manage their cyber exposures, sigma noted.

“A dedicated cyber insurance market is developing, and an increasing number of insurers are looking to write more business in this specialty line,” Karl continued. “Dedicated cyber insurance typically provides core protection against data and network security breaches and associated losses, with capacity limits in the market today ranging from around US$5 million to US$100 million,” he said.

“But some significant cyber-related risks remain largely uninsured, and the scale of cover is modest compared with firms’ overall exposures,” the sigma report said.

Underwriting Cyber Risks

The report explained that cyber risks are complex and difficult to understand and quantify, given the fast-changing technological environment, the lack of historical cyber-related claims data from which to extrapolate information about possible future losses and the potential for correlated exposures.

The report noted that insurers and their clients are nevertheless working to develop cyber risk models.

“Yet progress in addressing cyber risk should not be dictated by advances in risk modeling,” the report emphasized. “Product and process innovation in insurance will help make cyber risks more insurable and extend available cover to a wider set of policyholders.”

Common standards “for capturing, sharing and reporting data about cyber incidents” would also help product development, as would “greater use of smart analytics to improve threat detection and risk assessment,” sigma indicated.

Another way to increase loss-absorbing capacity for cyber risk is by developing investment vehicles to enable capital market investors to take some of the exposures, the report continued. “There are currently some initiatives to develop insurance-linked securities (ILS) that cover operational-type risks like cyber.”

Uninsurable Cyber Risks

However, some cyber risks could be too large “for the private re/insurance sector to absorb,” the report said, citing “peak-loss events such as widespread disruption to critical infrastructure or networks which could lead to significant accumulation losses.”

For such risks, a government-sponsored back-stop may be necessary, similar to the state-supported protection against catastrophic terrorism risks, the sigma report continued.

“[A] government-backed cyber catastrophe reinsurance scheme would help promote enhanced market-led protection solutions and boost economy-wide cyber resilience,” the report went on to say.

“More broadly, governments have an important role in promoting cyber resilience, including measures to improve cyber information capture and diffusion and setting laws and regulations about how cyberspace is used and protected,” sigma said.

“By reshaping incentives and increasing awareness of cyber threats, governments can further nudge the private sector into developing improved market-led solutions.”

Source: Swiss Re

Swiss Re’s sigma report, “Cyber: getting to grips with a complex risk,” can be downloaded from its website.

*This story appeared previously in our sister publication Insurance Journal.