The Evolution of Cyber Risk
The trade magazine Insurance Journal defines emerging risk as “those that are new and not yet widely recognized, or perhaps recognized but not well understood”. I have been studying cyber risk and insurance for ten years, so it’s no longer new. Judging by the amount of discussion in print and on the Internet, it’s widely recognized although there are still organizations who think, usually wrongly, that it doesn’t affect them. The question is whether we will ever fully understand it because there are always new developments. In my opinion, cyber is an evolving rather than an emerging risk.
I first wrote about cyber insurance in 2008. Since then much has changed. Insurance Journal published industry leaders’ views of current exposures in a recent article (https://www.insurancejournal.com/magazines/mag-features/2018/09/03/499543.htm). I have discussed some of them before, but this is a useful summary.
- The number of data breaches and the average cost of a cyber crime keep rising, and the risk keeps changing. Original concerns were theft of confidential personal and corporate information. Later the focus was on ransomware. Now cyber criminals are hijacking computers to mine cryptocurrency. Businesses who think they’re too small to be targets should note that according to an ISO analysis 80% of cyber breach victims in 2017 were small and medium sized businesses.
- The Internet of Things or IoT has created major cybersecurity risks. There are literally billions of interconnected devices, with minimal or no security. Hacking these devices could cause serious and possibly catastrophic bodly injury and property damage losses.
- As an example of high severity risk, luxury automobiles have 150 or more computer programs impacting vehicle performance, and tractor trailer technology is rapidly advancing. Factor in the development of driverless autos and trucks, and the potential results of hacking their computer systems is frightening.
- Potential property damage is not limited to loss of data. Energy infrastructure facilities and industrial plants have been targeted with cyber attacks causing explosions, wreckage and business interruption. Domestic infrastructure and mass transit are other potential targets.
- As more data accumulates on cyber risk, insurers are partnering with technology companies to assess their customers’ vulnerabilities. Focus will be on on risk mitigation and resilience.
- Accumulation of risk is a threat to the insurability of cyber exposures. Insurers and reinsurers could underestimate the effect of a major cyber attack triggering other coverages. There is not enough data for advanced modeling techniques. Governments fail to provide frameworks to share large scale cyber terrorism losses.
As cyber risk continues to develop, such as increased use of artificial intelligence by hackers, we must be prepared to face the challenges of managing it.