Collaboration needed to address insurance protection against cyber attacks

Greater collaboration between government, businesses and insurers is needed to address the insurance gaps in protection against cyber attacks, according to Actuaries Institute’s Green Paper ‘Cyber Risk and the role of insurance’.

The study highlighted the complexity of issues where cyber attacks were ‘super-charged’ by development of crypto currencies enabling untraceable payments as well as severe shortage of qualified cyber security personnel.

The paper, which analysed the role of cyber insurance in setting best practices standards for cyber resilience, confirmed that cyber losses led to reduced insurer appetite for this class, on top of shortage of capacity to provide the levels of protection needed across the market and premium hikes in the double or triple digits over the past two years.

As far as economic losses were concerned, the study found that only 20% of small to medium enterprises (SMEs) had cyber insurance compared with 35% to 70% for larger organisations, even though in 2021 75% of ransomware attacks affected companies with fewer than 1,000 people.

Win-Li Toh, the lead author of the report and a principal at analytics and actuarial consultancy Taylor Fry, stressed that “good cyber hygiene and security – not insurance – are the first line of defence”.

“A vibrant cyber insurance market will do more than provide financial recompense for risks that break through the first line of defence. It can also strengthen that first line, by offering clear signals and incentives to business – in the form of eligibility, pricing and sharing of insights – on best-practice standards,” she said.

The paper also noted that with no geographical boundaries, computer viruses could spread quickly and resulted in many companies making a claim under their cyber insurance policy.

“This is the accumulation risk challenge for an insurer – the potential for a single event to trigger losses across business lines and global borders,” Toh noted.

Another difficulty was in defining acts of cyber war (or terrorism) that were excluded from insurance policies, a finding which emphasised that the right balance between guidance, education, mitigation, cover and regulation would be central in creating a risk management framework for cyber risk and cyber insurance, Toh concluded.

Key gaps in achieving this best-practice approach included:

• A severe shortage of qualified cyber security personnel.
• Limited understanding of the role of cyber insurance among Boards.
• Limited education on cyber risks among SMEs.
• Achieving sufficient capacity and profitability in the market.
• Managing accumulation risks.