“Between September 2017 and August 2018, employers in the United States alone posted 313,735 job openings for cybersecurity professionals. Filling those jobs would mean increasing the country’s current cybersecurity workforce of 715,000 people by more than 40 percent.” These are the opening sentences of an article published in The New York Times on November 14, 2018. What is interesting is that the field is so new that nearly every cybersecurity professional over the age of 30 does not have a degree in cybersecurity – many of them, writes Josephine Wolff in The New York Times, do not even have degrees in computer science. Unfortunately, the real problem is not the lack of a diploma but the lack of awareness.

Cybersecurity Risk Assessments: Updating the Approach

It is important to note that the majority of large companies (6 out of 10) lack cyber insurance, even though business interruption costs due to data breaches are the top cyber risk concern for firms across all industries. Cybercrime costs have been rising exponentially since the massive Equifax security breach that affected as many as 148 million people (the records variously included credit-card, driver’s license, and Social Security numbers, dates of birth, phone numbers, and email addresses). This particular data breach demonstrates how cyber risk can cause a major stock price drop and reputational damage. Nevertheless, the use of cyber risk assessments remains low, and lower than that of other risk assessments such as financial risk assessments, even though companies are more and more aware of their increasing importance. In just a few months, companies have gone from a lack of awareness to a lack of the financial means and competencies needed to manage the risk.

Are Cyber Risks Insurable?

But... are cyber risks insurable? On the 26th and 27th of July, the Singapore Actuarial Society ERM - ESSEC CREAR Cyber Risk Conference “Cyber Risks: threats and opportunities for the Asia Pacific Insurance Industry” lined up renowned speakers to tackle the issues of cyber threats, cyber risk management, cyber modeling techniques, and cyber insurance products, as well as a panel discussion on cyber trends. The conference came up with some remarkable insights on what continues to be challenging for both insurers and insureds. To the question “are cyber risks insurable”, Dr. Michel Dacorogna replied: “Is that really the question? Isn’t the real question ‘How are insurers going to insure it?’”

Insuring Cyber Is Challenging

Reliable statistical data are lacking, and intangibles and losses are difficult to measure. Indeed, because of the risks information systems pose, it is difficult to apply traditional actuarial techniques to forecast future incidents. “Cyber risk is a multi-disciplinary topic,” says Dr. Marie Kratz, “therefore researchers from IT, finance, management, etc., should all collaborate and exchange on that topic. Exchanging with industries is also important,” she adds, “because they are often the first to suffer from cybercrime. They have some important insights and data to deliver for us to assess.”

The territory is still largely uncharted, and research and investigation remain to be done to advance thinking on the topic, especially since there are companies filing complaints without knowing they are victims of cyber attacks. “What we need is a better understanding of the situation,” she states, “because cyber risk has become one of the key issues driving today’s insurance industry (but also a future business opportunity), with the ability to affect companies of all business types.” The very fact that it is changing rapidly makes it difficult to model. Furthermore, due to its human-induced complexity, it cannot be modeled in the same way as a natural catastrophe risk. In a natural catastrophe risk analysis, one of the components that matters most is geographical location, whereas a cyber risk analysis brings several factors into play: industry type, company revenue, motivations of threat actors, security protocols, etc. Since cybercrime is regarded as having the potential to be extreme, Dr. Kratz stresses the importance of combining historical data with a systemic approach.

Towards the Ability To Measure and Manage Risk Accumulation

Insurers should track and record their own cyber statistics, such as claim and loss ratios, and use stress-test scenarios to explore possible future events. Dr. Kratz believes that in order to better understand the various aspects of this issue, it is important to include both user and attacker motivations. In line with this, conferences are a good means for attendees (countries, for example) to exchange and share cybercrime-related information. It is essential to go beyond technological solutions and investments in cybersecurity. It has to be recognized that countries enforcing cybercrime laws see a decrease in cyber attacks, as perpetrators shift to target non-enforcing countries.

Blockchain forms another link in the chain; it could help strengthen cybersecurity, notably thanks to features like its decentralized distribution of data, data immutability, and cryptography-based digital signatures. Blockchain has its share of challenges, of course: the biggest obstacle to its implementation is scaling up to handle large amounts of data. Moreover, there is a real problem with the Internet of Things because of the centralized cloud model it is based on.

Building Cyber Resilience to Tackle Threats

While the term “cybersecurity” is as old as computers themselves, the term “cyber resilience” has been gaining momentum. Cybersecurity management focuses on security alone, but organizations need a more comprehensive strategy. You might ask: “Isn’t cyber resilience the same thing?” Not really. There is a substantial difference in meaning between the two. “Security” suggests defense, guarding, and precaution, whereas “resilient” suggests buoyant, elastic, pliable, quick to recover, and hedged.

Simply put, cyber resilience is a measure of how well an organization can recover and operate its business during a data breach or cyber attack. In other words, it is about how quickly one gets back to the good in the face of a lot of bad.

For Dr. Kratz, the whole thing revolves around the idea of better understanding the business, the IT infrastructure, and the risk related to both, in order to protect and insure the company. It is essential to ensure that there is resilience at the insured level; otherwise cyber will simply become uninsurable.

 − − −

Call for papers: 'Cyber Risk and Security' special issue in the journal Risks.
Guest Editors: Michel Dacorogna (Prime Re Solutions, Switzerland) and Marie Kratz (ESSEC CREAR).
Deadline for manuscript submissions: 3 November 2019
