Do You Know Your “CyberVironment”?

A recent note sent out by the ratings agency Fitch will have been of some interest to cyber liability underwriters and, particularly, reinsurers whose concerns the press release specifically addressed.

The press release, Insurers' Aggregation Risk on Cyber Claims in Check, explains that: “As insurers continue to improve and refine their understanding of cyber risks, Fitch expects the industry to broaden coverage and accept larger and potentially more threatening exposures.”

Fitch acknowledges that: “Although growing rapidly, global cyber insurance premiums are between USD1.5 billion to USD2 billion, according to ACE Ltd., which believes it holds about 8%-9% of the market. As such, a significant increase in cyber events is not likely to generate insured losses that would represent a substantial threat to the capital position of individual insurers or the industry.”

It goes on to theorise, however, that: “What is less clear is how loss aggregation could play out under a severe cyber attack that leads to insurable events covered by non-cyber-related catastrophe policies, including standard commercial liability, business interruption and professional liability.”

As Fifth Step has noted previously, finding the best way to secure data against increasingly sophisticated attacks is a fresh challenge. According to the UK Government, 81% of large businesses and 60% of small businesses suffered a security breach in the UK in the past 12 months - with the average cost of cyber-attacks on data doubling since 2013. This echoes FBI Director Robert Mueller’s thoughts from 2012, when he said: “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”

It has been reported that cyber-attacks now cost an estimated £260 billion (~$405 billion) in damages each year – with many experts strongly believing that this number will soar in 2015. Clearly, the ongoing monitoring and protection of systems, infrastructure, networks and data should be a top priority for businesses across all sectors.

So it was no surprise to learn from the Fitch cyber claims note that, in April 2015, Swiss Re announced that it will partner with IBM to offer cyber risk protection products and services to companies. Fitch believes that such partnerships between tech firms and insurers will become increasingly common over the coming years.

Such partnerships are a growing trend in a legislative and regulatory environment where, under EU directives being contemplated, a failure to report a breach in time could lead to fines of up to 5% of total turnover, or EUR100 million (~$109 million, ~£71.9 million), whichever is greater.

In my conversations with insurers and reinsurers in the UK, Europe, Bermuda and the US, there is an insatiable appetite for knowledge on the cyber loss exposure, how to manage it and ultimately mitigate the risks involved.

As a recent Swiss Re cyber comment stated: “More frequent, more high profile and more sophisticated cyber-attacks prove that guaranteed cyber risk protection is impossible. Instead, the focus must be on cyber resilience, including practices for detecting security incidents and ongoing improvement, as well as the more traditional information security practices which concentrate on preparation and protection.”

As technology now evolves so rapidly, the opportunity to take advantage of technological frailties increases, leading cyber-criminals, dishonest employees or opportunists to penetrate networks, steal information, and (attempt to) cover their “tracks”.

In such a hostile “cybervironment” our mantra at Fifth Step is that it has never been more important to deliver strategy through continual service improvement. This approach allows organisations to recognise and build upon what they have already done, whilst prioritising what needs to be done next.

Fifth Step takes a pragmatic, risk-based approach to the ever-changing IT, Governance, Risk and Compliance landscapes, and our teams bring a data-led approach to prioritising and guiding clients through the challenge and complexity of a changing world and rapidly evolving cybervironment.

Darren Wray