Julie Page tells us why the insurance profession cannot allow cyber risk to become an unmet client need
The key theme for my presidential year is how the insurance profession meets clients’ unmet needs, so it would be remiss of me not to look at how cyber is in danger of developing further as an unmet need. Cyber has risk features of epidemic proportions with the hallmarks of a potential pandemic, leaving businesses exposed.
One of the issues is a misplaced perception that cyber is only a big-company problem. Not true. It is moving fast in the middle market and SME space. So, given that every organisation has an exposure, how should our profession respond to help businesses build their cyber resilience, and what can governments do to help manage what has the potential to be a systemic risk?
We know that cyber claims are increasing in frequency, severity and complexity, with three key factors at play. Firstly, there is an increasing interdependency of cyber risk between businesses and their partners and suppliers. Secondly, society is engaging with digital in new and profound ways – whether for working remotely, shopping, entertainment and even virtual health checks – and businesses are having to respond. And thirdly, there has been an explosion in the growth of a criminal fraternity – a blurring of lines between bad actors and nation states – turning to cyberspace and the commoditisation of cybercrime.
Recognising the changing risk profile, insurers are demanding more information from clients to underwrite their cyber risk. But while insurers are (rightly) worried about the aggregation of risk, particularly following so-called ‘zero day’ attacks such as the recent SolarWinds and Microsoft Exchange incidents, the majority of cybercrime today is happening around known vulnerabilities and inside threats that can often be addressed through better cyber hygiene.
Our profession must find ways to encourage clients to understand the vulnerabilities in their systems, to help them build cyber resilience and present their risk to the insurance market in the best way possible to reflect this risk. We must respond by understanding the nature of the risk and expressing clearly where and how we are willing to underwrite it, increasing understanding of what information we need to bring our capital to bear.
Of course, we cannot rule out cyber becoming a systemic event like a pandemic if it gets too big and aggregates too much.
There is an opportunity for business and our profession to work in partnership with government(s) to establish standards that become common controls and serve as foundational levels of protection, smoothing some of the challenges. It reminds me of the indirect collaboration between health and safety legislation, for example, and the legal requirement for employers’ liability cover. In time, this partnership has reduced risk in the workplace significantly. Could a variation on this approach be adopted with cyber?
Unlike the coronavirus pandemic, which we did not foresee and for which we did not have an experienced understanding of how to be resilient, cyber risk is happening now and is largely understood and foreseeable. To stay relevant for our clients we, as a profession, must address the rising tide of this need – to help clients understand and mitigate their risks and build cyber resilience, with the benefit of relevant insurance.
Julie Page is president of the CII