Cyber risk has hit the prime time -- topping the concerns of risk management specialists and the public in the US for the first time in a poll of 23,000 people by insurance and asset management giant AXA.
In Asia, Africa and Europe, meanwhile, cyber risk lags behind climate risk.
AXA's eighth annual Future Risks Report -- published September 30 and produced with the IPSOS research institute and the geopolitical analysis consultancy Eurasia Group -- found little confidence meanwhile among risk experts that "public authorities are prepared for the emergence of cyber security risks", with just 26% believing that this is the case. The figure has not improved since AXA started asking the question in 2019.
The rise in major security incidents has triggered some growth pains for the insurance industry, as AXA itself admits in the Future Risks Report. (The industry is growing at a blistering pace. In 2019 the US cyber insurance market alone was $3.15 billion but is estimated by Munich Re to be worth over $20 billion by 2025).
"Insurance contracts have traditionally excluded acts of war, and cyber risk insurance is no exception," it notes. "However, the difficulty of attributing cyber attacks can make it hard to distinguish criminal attempts at extortion from acts of cyber war. The distinction is further blurred by the fact that targets of attack may be privately owned but provide services that are essential to the smooth functioning of society, such as water and electricity.
"As this risk continues to evolve", the report emphasises, "insurers should work in cooperation with governments and multinational organizations to establish a common methodology for defining cyber attacks as acts of cyber war, and to improve protection against all kinds of attack." (This issue hit the headlines in 2019 amid a bitter legal clash between Merck and its insurers in the wake of the NotPetya attack, which cost Merck over $870m.)
Cyber risk and cyber insurance: "silent risk" still an issue
In 2021, regulators are still attempting to tighten up how the market is managed, with the New York Department of Financial Services (NYDFS), which regulates insurance in New York issuing new guidelines in its Insurance Circular Letter No. 2 (2021) that urge insurers to take more stringent measures in underwriting cyber risk.
As that circular emphasises, insurers often incur losses from cyber incidents in insurance policies that do not explicitly grant or exclude cyber coverage – so-called “non-affirmative” or “silent” risk.
"Because silent risk can reside in many different types of policies, even insurers that write little or no cyber insurance need to measure and manage silent risk in their non-cyber insurance policies. While the industry has taken steps to address silent risk in recent years, it remains a significant problem for many insurers. According to a global survey in the second quarter of 2020, 65% of underwriters were concerned about cyber coverage exposure in property/casualty policies that do not explicitly cover cyber risks" the NYDFS noted.
Follow The Stack on LinkedIn
"Many insurers still have work to do to develop a rigorous and data driven approach to cyber risk, and experts have expressed concerns that insurers are not yet able to accurately measure cyber risk", the NYDFS added in that circular, adding that "the decision to offer and price cyber insurance for specific organizations should be based on a careful assessment of that organization’s risk. Cyber risk is driven in large part by the caliber of an organization’s cybersecurity program, and so can vary considerably from one organization to the next.
"Insurers that don’t effectively measure the risk of their insureds also risk insuring organizations that use cyber insurance as a substitute for improving cybersecurity, and pass the cost of cyber incidents on to the insurer. Without an effective ability to measure risk, cyber insurance can therefore have the perverse effect of increasing cyber risk – risk that will be borne by the insurer," the watchdog warned industry participants.
"Big Tech" is integrating insurance into its packages
With cyber risk now high on both board and the public's radars, many large technology providers are increasingly bundling cyber insurance into their propositions. Two recent examples can be be seen at Microsoft and AWS.
The former on September 29, 2021 announced a "new multiyear commitment to help the insurance industry create superior and data-driven cyber insurance products backed by Microsoft’s security solutions."
That involved a partnership with cyber insurance company, At-Bay that will see businesses in the US that use Microsoft 365 eligible for savings on At-Bay cyber insurance policy premiums if they implement specific security controls, including multifactor authentication and Microsoft Defender for Office 365.
In the UK meanwhile, Amazon Business, the B2B marketplace, has started offering cyber insurance for SMEs and micro businesses through a partnership with insurer Superscript.
AXA XL Chief Underwriting Officer Nancy Bewla noted in the 2021 AXA Future Risks Report meanwhile that "we are seeing an increase in demand from organisations which traditionally did not purchase cyber insurance coverage. In these cases, we begin by learning about the security measures the organisation has in place already, to assess the extent of their cyber vulnerabilities. From there, we can advise on specific risk management actions to take to prevent a loss, and when a loss occurs, help the client get their organization back up and running."
She added: "As cyber-attacks continue to increase and losses mount, clients' prevention and security measures will be a significant focus of the underwriting process. Buyers with poor security hygiene or those unwilling to improve their security posture may have a tougher time finding coverage."