Companies can come to grips with cyber risk, government back-stop may be needed for certain risks: Swiss Re

Concern about cyber resilience is on the rise – as are the potential costs associated with attacks – but insurers and companies should understand steps can be taken to manage the risk, suggests the latest sigma report from Swiss Re Institute.

That said, businesses must “do much more to integrate cyber security into their risk management programs,” Swiss Re advises in a statement Wednesday announcing the release of Cyber: getting to grips with a complex risk.

The sigma report is the first published under the banner of the Swiss Re Institute, which formally launched Mar. 1 and brings together the company’s various research and outreach capabilities under one roof. There is also a short podcast hitting the main points of the research.

Related: Cyber attack remains top business continuity concern, preparedness for all threats urged: Horizon Scan Report

“Firms are generally ill-prepared to cope with cyber risks. Relatively few firms have integrated cyber security into their mainstream risk management,” Swiss Re chief economist Kurt Karl says in the company statement.

“Firms – large and small – need to invest more in cyber security architecture to develop robust pre-and post-loss risk management capabilities,” Karl cautions.

Recent attacks have demonstrated “the costs of a cyber breach can escalate well beyond managing the fallout of lost or corrupted data,” Swiss Re reports.

Potential damage to company reputation, physical and intellectual property, and disruption to business operations are all factors that now need to be taken into account, it points out.

A dedicated cyber insurance market is quickly developing, but to date, “the scope of cover is modest relative to potential exposure. Product and process innovation, and also advanced analytics, will help foster improved cyber insurance solutions and extend both the boundaries of insurability and reach of cover.”

To expand the boundaries of insurability, Swiss Re advises, “companies will need to work with their insurers to create a sustainable market.”

Despite that progress being made, it may be that some cyber risks – especially those related to extreme catastrophic loss events – may be uninsurable. “For such risks, there may be a case for a government-sponsored back-stop,” Swiss Re suggests.

Related: U.S. private cyber insurance market capable of managing most risks: study

Having government as the re/insurer of last resort is “something akin to the state support for protection against catastrophic terrorism risks,” the statement notes.

“The potential scale of losses from some cyber events could be too great for the private re/insurance sector to absorb, especially peak-loss events such as widespread disruption to critical infrastructure or networks, which could lead to significant accumulated losses,” it points out.

“Governments have an important role in promoting cyber resilience, including measures to improve cyber information capture and diffusion, and setting laws and regulations about how cyberspace is used and protected,” Swiss Re argues.

“By reshaping incentives and increasing awareness of cyber threats, governments can further nudge the private sector into developing improved market-led solutions,” it maintains.

The increasing scope and magnitude of potential costs associated with cyber incidents reflect the ever-evolving cyber risk landscape. This, in turn, is being shaped by the three following main dynamics:

• the growing speed and scope of digital transformation;
• the widening sources of vulnerability from hyper-connectivity, with the rapid spread of, for example, Internet-enabled devices and cloud computing; and
• the growing sophistication of hackers alert to the potential economic gains from successful cyber attacks.

Pointing out that many firms are looking to transfer cyber risks to third parties better-placed to absorb them, Karl reports that “an increasing number of insurers are looking to write more business in this specialty line.”

Dedicated cyber insurance typically provides core protection against data and network security breaches and associated losses, with capacity limits in the market today ranging from around US$ 5 million to US$100 million, Swiss Re notes.

“However, some significant cyber-related risks remain largely uninsured and the scale of existing cover is modest relative to companies’ overall potential exposures,” the company adds.

“A key constraint on the development of insurance solutions is linked to the intrinsic nature of cyber risks,” Swiss Re suggests.

“The experience of other perils, such as natural catastrophes, offers hope that models will continually improve as understanding of the fundamental risk drivers develops and more data about cyber losses becomes available,” the statement offers.

“A crucial factor influencing the pace of innovation will be the capture and analysis of relevant data and threat intelligence needed to underwrite cyber risks accurately,” states Swiss Re.

“For their part, insurers are looking to develop less complex and more flexible insurance products,” including covers that can be tailored to small and medium-sized businesses, the company notes.

“Further, some re/insurers are seeking partnerships with cyber security firms and data analytics vendors to fill knowledge gaps and scale up/provide additional services to their clients,” it adds.