Rapid advances in IT

Cyber risks

Digitalisation and interconnection are increasingly affecting value creation in the global economy. This enables innovation and technological advances but also raises the threat of operational risks being amplified by cyber events.

The rapid advances in information technology over the past decade have introduced an entirely new set of risk exposures for companies that are increasingly dependent on information technology. In 1997, the first cyber risk insurance products began to emerge as carriers started identifying gaps in traditional property and general liability insurance products. Standalone network risk programmes offering affirmative first- and third-party coverage addressed threats posed by computer cybercrime, malware, and potential liability arising out of information security breaches.

We have come a long way since 1997. Global cybercrime has reached such a high level of sophistication that it represents a mature global business sector, which is continually innovating and growing in efficiency. In 2017, criminals were observed making widespread use of nation-state-calibre attack methods. Sophisticated self-propagating malware designed to delete or manipulate data, hardware and physical systems has caused major business disruption to companies worldwide with a significant monetary impact. The number of ransomware attacks has increased significantly. A growing number of attacks have an impact that extends beyond the original target with a wide systemic domino effect.

Economies have high and continuously growing levels of dependency on IT systems, applications and software, which contributes to the systemic exposure. Growth in connectivity between the digital and physical worlds, as well as progress in the commercial deployment of the Internet of Things and artificial intelligence, will translate into new vectors of cyberattacks and further increase risk aggregation effects. These changes translate into new challenges for the next phase of cyber defence.

Regulations on data protection and storage locations to provide governments with better control over their data are being implemented worldwide. The rationale for this control is grounded in privacy, censorship and anti-terrorism concerns; compliance with new regulations will likely result in operational changes for companies.

To cope with the global cyber threat, however, it is increasingly important for the institutions in this environment – governments, regulatory authorities, law enforcement agencies, the legal and audit professions, the nongovernment policy community, the insurance industry and others – to cooperate. Yet this remains an ambitious goal. Cyber risk defence can only be effective if these groups share a common understanding of the changing nature of the threats, their importance and increasingly interconnected nature. Through their individual and joint efforts, these groups have the ability to boost collective cyber resilience. Therefore, it is vital for all institutions to collaborate and share knowledge.

From the insurance perspective, there is no single standard policy to cover cyber risks as the characteristics of cyber threats vary widely across industries and corporation sizes, whilst the terms and conditions of policies can be complicated at times. Thus, companies need to have a deeper understanding of their own exposure as it will help determine the appropriate type and amount of coverage required based on their risk tolerances. Furthermore, organisations need to be cognisant that a cyber insurance policy is only one of many tools that form a more comprehensive cybersecurity management strategy.

Supporting organisations in identifying the right balance between cybersecurity investments and transferring residual risk by means of comprehensive insurance products is a key task of the insurance industry.
