What is Cyber Risk?

Janet von Fellenberg, Advisory Senior Manager, PwC Switzerland, 19 Dec 2019

How do most organisations conduct business and contact prospective customers today? They do it via technology, social media and transactions over the Internet. All of these are obvious gateways to cyberattacks.

“Risks to information and technology assets that have consequences affecting the confidentiality, availability or integrity of information or information systems.”

A classical definition of Cyber Risk

Increased networking of machines and equipment – the Internet of Things – can also give rise to risks such as data theft and disruptions in the interaction between networked machines. This could lead to failure of entire production lines and supply chains. In a nutshell, cyber risks are one of the biggest threats to the networked economy. It is not difficult to see that the economic costs of large-scale cyberattacks could exceed losses caused by natural disasters.

Does cyber risk affect only large organisations? Not really. Symantec found that over 30 per cent of phishing attacks in 2015 were launched against organisations with fewer than 250 employees.

Now that we understand the size and extent of this risk, is there a way to transfer this risk? How about cyber insurance? What exactly is it and what does it cover?

Cyber insurance covers losses to first parties as well as claims by third parties. The commonly reimbursed losses and expenses fall under the following four categories:

Forensics:

  • Investigation to determine what occurred
  • Damage repair
  • Preventing the breach from occurring again
  • Involving the services of a third-party security firm

Losses to business: A cyber insurance policy may include items that are covered by the following:

  • E&O policy (errors due to negligence and other reasons)
  • Financial losses incurred through network downtime
  • Business interruption
  • Data loss recovery costs and efforts
  • Crisis management costs

Privacy and notification:

  • Data breach notifications to customers and other affected parties
  • Credit monitoring for customers whose information has been breached
  • Psychological support

Legal:

  • Legal expenses associated with the release of confidential information and intellectual property
  • Settlements and regulatory fines
  • Costs related to cyber extortion, e.g. ransomware

Cyber risk is long tail

It takes some time before the ultimate size of the loss is known. The cost of a significant breach can easily reach into hundreds of millions. To date, insurers have managed these risks with relatively low caps and broad exclusions. Although they can cover remediation costs and notification costs, they cannot repair a company's reputation after a security incident or regain lost intellectual property (IP). Most insurers simply cannot underwrite those risks because they don’t have the data to calculate the potential costs yet. Which brings us to the question – what does cyber insurance not cover?

It does not cover events that could have been avoided. Before it even considers offering cyber insurance, an insurance company wants to see that an organisation has assessed its vulnerability to cyberattacks, i.e. created a cyber risk profile.

Organisations can prepare for a variety of situations by building cyber resilience. They can do this by enabling defences and controls to protect against cyberattacks. Cyber insurance should not replace a proper security program.

Here are some of the steps a company can take to build cyber resilience:

  • Educate employees regarding security awareness, especially phishing and social engineering topics
  • Perform threat assessments, even if not required by regulations
  • Engage the services of ethical hackers to reveal security weaknesses
  • Figure out what policies are potentially implicated other than cyber policies – the ones most commonly affected are commercial general liability policies, E&O policies, D&O policies and crime insurance

A final report

A recent report by Adroit Market Research claims that the cyber insurance market will increase exponentially from approximately US$4 billion in global premiums in 2019 to a value of over US$23 billion by 2025. Cyber insurance has great potential for development in the insurance and reinsurance sector in the coming years. A clear understanding of the risks and opportunities is crucial.