Cyber insurance has a role to play in setting standards for cyber resilience

The best underwriting practices have the potential to actively help increase cyber resilience and reduce the likelihood and impact of a cyber incident, according to a green paper from the Actuaries Institute titled Cyber Risk and the role of insurance. The paper looked at the role of cyber insurance in setting best practices for cyber resilience as part of a robust risk management framework.

The study found that despite an increasing cyber spend by both government and business, government entities were “a long way off baseline standards of cyber security”.

On top of that, the support for small to medium enterprises (SMEs) was inconsistent, with low awareness of educational materials.

As far as economic losses were concerned, the study found that only 20% of SMEs had cyber insurance compared with 35% to 70% for larger organisations, even though in 2021 75% of ransomware attacks affected companies with fewer than 1,000 people.

What is more, the report found that for cyber insurance to influence best practice in a major way, several gaps needed to be addressed by government, business and insurers.

These included:

  • A skills gap and severe shortage of qualified cyber security personnel
  • A shortage of board directors and executive management with a strong understanding of cyber risks and insurance
  • A need for better engagement of SMEs in education on cyber risks, in an environment where attacks are increasingly shifting towards smaller companies
  • Achieving sufficient capacity and profitability in the market, with reduced appetite for this class following the losses over the past two years
  • Management of the accumulation risk for insurers, with the potential for a single event to trigger numerous losses
  • Cyber hesitancy in seeking the right insurance solutions, from misconceptions such as the fear of relinquishing control or being a bigger target

The report also highlighted that the issues were “too vast to be solved in isolation and collaboration between all shareholders” which included government, business and insurers.

Examples of such collaboration would include scenario analyses and stress tests of potential risk exposures, partnerships between government and insurers to manage accumulation risks, and collaboration between government, insurers and businesses to bolster skills, given the high demand for cyber security personnel from all quarters.

“Another area with further collaborative potential is the increasing regulatory obligations and penal environment imposing fines and penalties for cyber breaches (the stick). An opportunity exists for this to better align with building up the structures needed for a coordinated focus on research and innovation, and to develop the cyber security expertise to fix issues and lift standards (the carrot),” the report said.

“In meeting the challenges, cyber insurance has great potential to play a key role as part of robust risk management. At the centre of its success will be collaboration between all stakeholders and a collective use of skills in creating an effective sustainable insurance market and uplifting the cyber security of the nation as a whole.”