Another European View of Cyber Insurance
In January I summarized a report by the European Union Agency for Network and Information Security (ENISA) on cyber insurance and its lack of standardization. Now Philippe Cotelle, a member of the board of the Federation of European Risk Management Associations (FERMA) has published an article in the June issue of the European Cybersecurity Journal, “Cyber Insurance and its Increasing Role in the Industry” about the gap between supply and demand for cyber insurance, and what is needed to develop the market. Mr. Cotelle’s observations are relevant for cyber risk and insurance in the United States.
Major points in the article:
- “…the lack of actuarial data and the aggregation of risks pose a serious challenge to the insurance sector and its ability to price cyber risks and manage their exposures.”
- “… company valuations originate mostly from intangible assets. Therefore, it has become necessary to identify, assess and analyse risks in this category of assets to define and implement an appropriate response with a risk management strategy.”
- Organizations must resist the temptation to purchase cyber insurance to “tick the boxes”. They must understand what they purchased and how coverage works when an incident occurs. A knowledgeable broker is a valuable resource.
- The ultimate objective of cyber risk management is to maintain and increase the organization’s resilience without seeking absolute security. Reliance on and compliance with standards can create a false sense of security. Sooner or later a hostile party will find a weakness.
According to Cotelle, “…the cyber insurance market will not be able to reach its maximum potential unless its customers adopt cyber risk governance principles”. In 2017 FERMA proposed a cyber risk governance model and identified two challenges: a lack of focus on cyber risk governance and the need for top-down implementation of cyber security. The model argues for a cross-disciplinary group to manage cyber risk. Since risks are rapidly evolving, business and IT units must cooperate in their management.
The challenges for the cyber insurance market:
- Small and medium enterprises need help measuring and managing their exposures. SMEs are more vulnerable to cyber attack than large organizations. There is a role for public-private partnerships.
- A lack of actuarial data is problematic for insurers. Participation of businesses and organizations is necessary to provide useful data.
- Aggregation of cyber risks includes reliance of businesses on cloud services, zero-day threats, and state-sponsored cyber attacks on financial systems. There is a debate on the need for a public backup to private insurance.
- The market does not have a good handle on “silent” cyber risk – traditional property and casualty policies that do not address cyber risk. Clear and unambiguous wording is needed in such policies.
To analyze cyber risk properly, organizations need clarity, comparability and certainty in cyber insurance forms. FERMA will partner with brokers and insurers to improve market practices and exchange of information. We should be watching for future developments.