A dedicated cyber insurance market is developing rapidly, but the scope of cyber cover in the market so far is modest relative to potential exposure. Businesses need to do much more to integrate cyber security into their risk management programmes, and governments may need to step in as a last resort, said Swiss Re’s latest sigma report.
The report, entitled “Cyber: getting to grips with a complex risk”, is the first to be published by the new “Swiss Re Institute”, which was formally launched on 1 March 2017 and will bring together Swiss Re’s research and outreach functions under one roof.
Firms found wanting in cyber risk management
Despite increased awareness of the dangers, firms are generally ill-prepared to cope with cyber risks and relatively few firms have integrated cyber security into their mainstream risk management.
Many firms are looking to transfer cyber risks to third parties better-placed to absorb them, said Swiss Re.
Industry efforts to innovate
Insurers and risk analytics firms are still experimenting with different approaches to cyber risk modelling. They are looking to develop less complex and more flexible insurance products, including covers for hitherto underserved SMEs, which are less well placed to cope with cyber risks than large firms.
Insurers are also seeking partnerships with cyber security firms and data analytics vendors to fill knowledge gaps and offer additional services. Advanced analytics can augment traditional underwriting and help the industry respond quickly to fast-changing underlying risk factors.
The report suggested that another way to increase overall loss-absorbing capacity for cyber risk is by developing investment vehicles that enable capital market investors to take some of the exposures, such as nascent initiatives to develop ILS that cover risks like cyber.
Government has a role
Dedicated cyber insurance typically covers data and network security breaches and associated losses, with capacity limits in the range of US$5 million to $100 million. However, some significant cyber-related risks remain largely uninsured or underinsured.
Swiss Re said some of the “uninsurable risks” – including those related to extreme catastrophic loss events like widespread disruption to critical infrastructure and networks – could lead to accumulated losses, and suggested a role for government-sponsored back-stops in these cases as a (re)insurer of last resort, akin to the state support for protection against catastrophic terrorism risks.
Regulation could also be a catalyst for change with legislation coming into force in many jurisdictions requiring firms to build enhanced data protection safeguards, the report said. Governments have an important role in promoting cyber resilience, including measures to improve cyber information capture and diffusion, and setting laws and regulations about how cyberspace is used and protected. By reshaping incentives and increasing awareness of cyber threats, they can further nudge the private sector into developing improved market-led solutions.