There has been a lot of hype around cyber risk with well-publicized scare stories and statistics. Underneath that noise is a real threat that firms are learning to deal with on a daily basis, spurred on by a few high-profile cases.
The problem with cyber risk is that it is a dynamic risk over which victory can never be declared.
As a result, large firms are doing a lot, in particular around their technology security, to defend against attackers, whether outsiders or employees. With the development of the “Internet-of-Things,” where more products and services are delivered online, companies are increasing both their exposure to cyber attacks and the potential impact. In addition, there is a human counterparty who will evolve the sophistication of attack in response to defensive measures.
Crucially, cyber risk also has the potential to be a “tail risk,” that is, one which provokes acute, public and potentially catastrophic damage, whether to data, reputation, property or the ability to trade. The trouble is that few firms are used to dealing with this kind of risk. With the exception of organizations like banks, utilities and other critical infrastructure, operational risk for many firms is managed well below board level through the use of a basic assessment of event impact and likelihood, a risk register and, where available, the purchase of insurance. Cyber risk changes that by bringing tail risk to any firm, large or small. As a result, it obliges firms to think hard about their ability to avoid and withstand a substantial and potentially fatal impact.
With that in mind, Marsh has worked with the UK Government and many of the leading cyber insurers during the past few months to produce a report aimed at practical steps firms can take to manage and mitigate cyber risk. The report, UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk, details the threats to companies and the actions they can take to get on top of these. The government rightly sees value in taking an insurance lens to the problem. While cyber risk may sound wholly new, there are useful lessons that insurance can bring from how firms have dealt with historic crises, many of which could easily have resulted from a cyber trigger. Insurance also crystallizes the cost of cyber risk before losses occur, and so provides an incentive for firms to manage that risk more effectively.
Four Pillars for Assessing Cyber Risk
For companies, the report brings out four main points.
First, firms need to manage cyber risk as a board-level risk with consequences for all aspects of the firm, not just as an IT or security issue. That may involve a risk sub-committee, a dedicated Chief Risk Officer and support function, but is mainly about board and business ownership of a risk that can touch all parts of the firm, not just IT, even if the latter is the vector for the attack.
Second, firms need to adopt some of the methodologies of risk management appropriate to coping with tail risk. That includes scenario identification, stress-testing, financial capacity assessment and response planning. A particular issue is that many firms see risks as purely operational in terms of how they test and plan for them. For cyber, there is quite likely to be a cash impact that requires a cash-flow assessment of resilience, noting that expected sources of cash can dry up under stress. That financial measure of resilience can then be how the board holds management to account with respect to risk appetite.
Third, firms need to quality-assure their supply chain on cyber risk. Building a fortress around the firm won’t help if businesses that they trade with become the source of the problem. That includes suppliers, customers or—in the case of banks—borrowers. Marsh has worked with insurers and the government to construct an assurance product that combines the government’s “Cyber Essentials” standard with an insurance policy, the latter paying for the accreditation on the former. This will allow large firms and banks to encourage adoption of the Cyber Essentials standard in their supply chain, in particular for SMEs who are much less likely to take the necessary actions without this encouragement.
Fourth, firms should look at mitigation through insurance. The challenge here is an insurance market that’s not comfortable much above $100 million of individual exposure and charging a relatively high price for coverage. That makes it hard for boards of large firms to obtain a level of coverage that is material to protecting their viability in a worst-case scenario. Greater innovation is needed and we are, for example, looking at shared limits amongst firms with non-correlated risk, which should allow them to have access to $1 billion or more of coverage and at a fraction of the cost of a stand-alone policy. This would provide real protection against the worst-case scenario.
The report goes on to look at what the insurance industry itself needs to do. There is a shocking lack of awareness at the board level of the existence of cyber insurance, reflecting an overly complex and under-promoted insurance offering. Work is now happening between insurers and government to raise awareness. Similarly, we concluded that a lack of data is holding back insurers’ comfort with underwriting and proposed data pooling amongst insurers and with government agencies to encourage competition and improve pricing.
Finally, we see an important opportunity for London as a cyber risk management center in terms of insurance and wider financial and technical services. We are leading a task force with the UK government and industry bodies to mobilize for that opportunity.
Cyber risk has come of age, and firms are acting on it. The newness of the risk has created a clamor of voices offering technical, legal and other services, which makes it hard to focus on the truly important actions. In fact, many aspects of how the risk can play out are familiar from more established tail risks. The heart of the issue is for the board to put in place risk management disciplines fit for the purpose of protecting them from and coping with a fast-moving threat to their viability. That goes well beyond the historic expectations on risk management for many firms and will require a significant elevation and investment in risk.