Evaluating cyber risk? Here are some things to consider
The take-up rate in the cyber market has increased dramatically over the past few years. Allied Market Research reports that the size of the global cyber insurance market was valued at $4,852.19 million in 2018, and that it is projected to reach $28,602.10 million by 2026¹ (Fig. 1). This can be attributed partly to increased awareness about cyber – cyber is a hot topic and news about cyberattacks gets a lot of attention. Also, the regulatory environment for cyber is changing, and businesses large and small are being required to adopt at least some measure of cyber security. In addition, as the number of employees working remotely and using personal devices increases, the cyber risk for companies of all sizes is compounded.
But when insurance companies write cyber policies, they need to look at more than just the size of the business. “The way insurance companies assess cyber risk has evolved greatly over the last five to 10 years,” explains Annamaria Landaverde, Cyber Team Lead, Specialty Lines and Strategic Products at Munich Re US. “Insurance companies are utilizing many more resources than they did previously. For example, in addition to having underwriters look at policy wording, coverage, and rating, we now see more technical loss control experts assisting in the evaluation. There are quantitative models that help insurance companies determine a company’s security rating, enabling them to compare that company to its peers in the same industry and see where they rank.”
So what are some of the things an insurance company should consider when evaluating a company’s cyber risk?
SMEs are advised to equip their employees with cyber security awareness training as it has been shown that human error is still the primary factor in the success of cyberattacks. Cybint Solutions, a global cyber education company, reported that 95% of cybersecurity breaches can be attributed to human error.²
SMEs are particularly susceptible to attacks and fraudulent schemes that begin with an email to poorly prepared employees. An annual SME cyber survey conducted by Zogby Analytics for HSB shows that suspicious emails targeted at small businesses have increased year-over-year with nearly half of recipients (47%) falling for email-based fraudulent schemes. Awareness training is an effective way to reduce these risks.
Larger organizations – ones that handle more data and that are heavily reliant on their networks, for example – need to have not only cybersecurity training for their employees but adequate redundancies, regular updates to their operating systems, and cyber risk management in place. Many large organizations, especially those in regulated industries, require their vendors and affiliates to have the same cyber security controls in place as they do, if not more advanced controls.
The Changing Cyber Threat
Another thing insurance companies should be mindful of when assessing a company’s cyber risk has less to do with the company purchasing coverage and more with how fast cyber threats themselves evolve. “Probably the greatest challenge in underwriting cyber is the rapid pace at which technology and cyber threats evolve,” says Annamaria. “Underwriters are typically assessing risks based on events and scenarios that have already happened. And when we think of what the worst-case scenario could be, the actual cyber event tends to be something very different than what we expected.”
Since cyber insurance covers events that are often initiated by malicious human actors – rather than traditional property perils like fire, wind and water – assessing the threat landscape can be complex. Changes in technology, regulation, and human behavior all have a material impact. For example, changes resulting from the COVID-19 pandemic, like altered working habits, new government programs, and the legitimate worries of consumers and businesses, have been a boon to cyber criminals who have rushed to take advantage of new opportunities to ramp up their attack and fraud activities.
But insurance companies don’t have to enter into the cyber market blindly. Munich Re can offer much-needed guidance. Annamaria explains, “Many insurance companies are concerned about the accumulation issues associated with a widespread cyberattack, such as the risks associated with ransomware attacks. Munich Re can offer consultation on vendor-based modeling tools and evaluate our clients’ portfolios to help determine what their specific accumulation scenario would look like.”
Munich Re can also evaluate and mitigate an insurance company’s silent cyber exposure by providing experts who can assist with developing cyber wording. “Some of the wording topics we specialize in include war, cyber war, infrastructure failure, and contingent business interruption, just to name a few,” Annamaria says.
In this digital age, businesses will always need protection from cyber threats. Munich Re not only provides cyber products but makes it possible for our insurance company clients to be contenders in the market as well.