Skip to main content

Article

Investing in cybersecurity ensures long-term resilience

Cyber risk and exposure will keep changing, and as such, the industry should be prepared for both known and unknown cyber risks.

Cyber risks are typically cited as among organizations’ top five concerns, according to a panel at the “Global Programmes — Europe 2023 Conference” in London on 13 September.

Cyber risk and exposure will keep changing, and as such, the industry should be prepared for both known and unknown cyber risks. And given the prominence of cyber concerns, the insurance market needs to keep cyber coverage relevant, the panellists agreed.

The Global Risks Report 2023, published by the World Economic Forum in collaboration with Marsh McLennan, concurs that risks from cybersecurity will remain a constant concern for businesses and governments.

The way to cyber resilience

Investment in cyber security controls and training and incident response can have a meaningful impact on their cyber resilience in the long term, Marsh’s Yue Yang said in the session. But convincing organizations to invest in cyber defense, and the optimal way to doing so, largely depend on their unique specificities and the perceived tangible benefits they may gain.

Understanding a company, its data and systems, and the effectiveness of its controls, is a key starting point to determining a company’s cyber maturity. Marsh can help streamline the cyber insurance process by ensuring that organizations can provide the best answers to insurers’ concerns and queries, Yue added. From an insurers’ standpoint, the main difference between organizations is often in their cyber preparedness and resilience. Improved communication between insurers, insured, and brokers can help organizations with their cyber preparedness and cyber resilience. This ultimately helps organizations achieved better insurance conditions, sometimes very meaningfully.

Cyber quantification has greatly developed over the past five years, Yue continued, helped in part by an increase in cyber claims activity and market penetration, enabling the insurance market to enhance cyber modelling, and more importantly, to help organizations be able to better understand the financial impact of a cyber event for their operations.

Additionally, companies are exploring innovative risk management solutions, including the likes of alternative risk transfer solutions and captives. Parametric solutions, for instance, have been evaluated to protect against losses caused by cyber downtime. Yue cited the example of cloud outage that is a main concern for the industry as a whole due to its potential systematic impact.

However, these solutions should be seen as a complement but not a replacement for traditional cyber insurance policies in light of the depth of the risk and coverage.

Bridging uncertainty

Discussing the European context, Philippe Cotelle, Head of Insurance Risk Management and Cyber Insurance Management at Airbus Defence and Space and board member of the Federation of European Risk Management Associations (FERMA), said two issues in the cyber insurance market remain difficult to address: systemic cyber risk and the high number of SMEs who are insufficiently insured for cyber.

Systemic cyber risk could be one of the defining issues of the next decade for the (re)insurance sector, creating some uncertainty in the market. On the second point, Philippe noted that many SMEs don’t have the financial means or technical expertise to understand the extent of cyber risk to their company.

With these two challenges in mind, FERMA recently released a report calling for a combined and collective effort to develop an improved cyber insurance market. The report explores ways to better help SMEs grasp the issue of cyber risk and show that prevention pays off.

Overall, there is a need to help organizations better understand the level of cyber security appropriate for their size and activity. Governments and the insurance sector could do more to better help SMEs grasp the issue of cyber risk and show that prevention methods can pay off, Philippe said.

Opportunities for cyber protection

In terms of the cyber insurance marketplace, the salient increase in appetite for cyber risk and the sector’s ability to resolve challenges and propose solutions is leading to progress.

It was said that there is currently sufficient capacity to satisfy most organizations in Europe. Variables may include the type of industry and history of loss claims, but to date, the market has been able to fulfil most requirements.

A lot of preparation has helped the cyber insurance market get to this point. There is more interest in cyber insurance from organizations, and appetite is expected to continue to grow. Strict underwriting rules have helped make the cyber insurance market more accessible to some clients and in turn, helped organizations better prepared to face the next cyber risk.

Regarding the Mutual Insurance and Reinsurance for Information Systems (MIRIS), which aims to provide additional cyber insurance capacity for its members, Phillipe said the organization is a “partner, not a threat.” The setting up of MIRIS is a response to an awareness that we live in a digital world and digital risk is part of enterprise risk and one of the largest risks facing companies today, he added.

The panel also discussed war exclusions in cyber policies, with one panellist describing cyber war as: “the tree that hides the forest of systemic risk.” Marsh has published an analysis of the Lloyd’s Market Association’s (LMA) model war, cyber war, and cyber operations exclusions, and continues to have discussions with Lloyd’s syndicates, insurers, the LMA and their legal advisors, and other market participants regarding some of the concerns.

Related insights