In this short summary of the first report from The Geneva Association's Cyber and Innovation research programme, Ten Key Questions on Cyber Risk and Cyber Risk Insurance, we look at what cyber risk is, the wide variation in experts' estimates of the cost of cyber crime, how cyber risk management should be organised, and what the insurance industry and governments can do to reduce cyber risk and support cyber insurance. Prof Martin Eling and Prof Werner Schnell of the Institute of Insurance Economics, University of St. Gallen, are the authors of the full report, which was edited by Dr Fabian Sommerrock of The Geneva Association.
Using a database of 211 studies, articles and working papers, the report provides a high-level overview of the insights from, and direction of, current research on cyber risk and cyber risk insurance. To give the discussion of the relevant literature a structure, the analysis is organised around three research clusters and 10 key questions (see Figure 1).
What is cyber risk?
Information and communications technology (ICT) has become an essential contributor to our daily lives. It is the engine of trade and of the global financial system, and the networks that provide our water, food, electricity, communications and transportation are all dependent on ICT.
The advent of user-generated content on the Internet, so-called Web 2.0, is also creating vast pools of individual-specific data, some of it highly sensitive because it includes financial, behavioural, health and other personal information. This data is a rich source of insights into individual and collective attitudes and behaviours, and it can be of tremendous value to the commercial and public institutions that now harvest and store it.
With our reliance on ICT and the value of this data come security, integrity and failure risks. Cyber risk is still in its infancy, but it already has the power to constrain the forward momentum of technology and to adversely affect the world economy.
Cyber crime cost estimates
The annual global costs of cyber risk are generally estimated to be above US$1 billion, which emphasises the economic significance of cyber risk. However, the estimates vary substantially, in part because of the differing definitions of cyber risk that are applied. The cost per data breach faced by a hacked company shows less variation and is estimated at between US$2.1 million and US$3.8 million. The loss of each individual record (eg a credit card number) is estimated to cost between US$217 and US$956.
Anderson et al. (2013) argue that the majority of cyber costs are indirect losses (loss of trust, not attributable to an individual victim) and defence costs (eg antivirus software, insurance) rather than direct losses (eg theft of money).
However, they also point out that the existing cost estimates are far from perfect. They discuss the methodological flaws of such estimates and propose an improved alternative, which nevertheless also yields an aggregate figure in the hundreds of billions of US dollars.
From a micro perspective, cyber risk can have severe consequences for individual companies, eg an insurer's clients. The total cost is potentially a combination of lost profits, data breach and response costs, reputational damage, contractual damages and extortion costs. Several studies examined in the report investigate the effect of cyber risk incidents on companies' stock prices.
How should cyber risk management be organised?
The classical risk management process consists of five steps: defining goals, identifying risks, evaluating and analysing them, the actual treatment of risk (avoidance, mitigation, transfer, retention) and, finally, monitoring the risk.
At each step of this process, cyber risks show special characteristics. The first and perhaps most important principle of sound cyber risk management is that it is not the responsibility of the IT department alone: a cross-company risk dialogue (eg awareness-raising, training) is necessary, and the topic should also be embedded at C-level.
What should the insurance industry do to prevent cyber risks and to support cyber insurance?
One of the current problems in the management of cyber risk is the lack of standards, a common vocabulary and best practices. The insurance industry should work together globally with other stakeholders to collect and disseminate such information. A first step would be to publish methods (standards and good practices) for cyber risk assessment; one element, for example, could be a common scheme for classifying cyber-related loss events.
Besides the management of "daily life" cyber risks, extreme scenarios are of special concern. Here the insurance industry should intensify its analysis of extreme loss scenarios in order to get a better sense of loss severities and frequencies. Risk management approaches for complex crises, that is, methodologies, models and tools for mastering complexity, are needed.
In this context, the insurance industry could also initiate, or further intensify, the dialogue on cyber risk with the relevant stakeholders. One important stakeholder is the government: the insurance industry should support governments in preparing national cyber risk strategies.
What should the government do to prevent cyber risks and to support cyber insurance?
As a major share of cyber risk losses is caused by cyber crime, governments could reduce the threat by imposing more severe punishments and increasing the resources available to law enforcement.
As the technological environment changes continuously and attacks become more sophisticated, it is especially important that investigative authorities are equipped with sufficient resources to keep up. However, because cyber crime is not restricted by national boundaries, purely national legal frameworks are likely to remain rather ineffective. To some extent, it is the country with the weakest legal system and the highest level of cyber crime that determines the global cyber threat level. International collaboration, such as minimum standards in criminal law, the exchange of information and extradition between states, is therefore urgently needed.
Subsidising traditional risk transfer mechanisms is another possible form of government intervention. Without intervening directly, the government might provide incentives for private risk transfer mechanisms; one example would be to support the private insurance industry in setting up an insurance pool.
Furthermore, the state could encourage the introduction of capital market solutions by issuing cyber catastrophe (CAT) bonds for selected risks. The report does not claim that all of these measures need to or can be implemented, but they may be fruitful directions for discussion between the stakeholders on improving the insurability of cyber risks.
Professor Martin Eling and Professor Werner Schnell are both from the Institute of Insurance Economics, University of St. Gallen. Dr Fabian Sommerrock is Deputy Secretary General of The Geneva Association.
This paper is a summary of a report which is available, including a list of the 211 sources, on The Geneva Association website at this link: https://goo.gl/UUFZDB