As advancements in technology enhance productivity, develop new businesses, and spur economic growth, malicious actors continue to adapt and adjust their techniques to effectively exploit technology for criminal gain or to promote national interests. In response to these threats, enterprises are refining their security models, modernizing their risk management practices, and working within their respective sectors and with the government to share information. Increasingly, enterprises are also incorporating the traditional practice of risk transfer into their management practices for technology risks by purchasing cyber insurance policies.
Cyber insurance represents an area of growth for the insurance industry, with premiums expected to reach 7.5 billion USD by 2020. This has resulted in a market where an influx of new entrants and incumbents create price competition by offering lower insurance premiums or broader coverage. While recent high-profile cyber events resulted in some carriers tightening their underwriting and risk assessment practices, there is a concern that the current market carries systemic risk that could result in devastating losses for the insurance industry in the wake of a catastrophic cyber event.
Beyond the conventional role in risk transfer, cyber insurance can serve as a key touch point for an organization to assess its cyber practices and coordinate its incident response plan to cyber incidents. Thus, cyber insurance becomes an important risk mitigation tool by requiring a company to identify its most vital assets and potential vulnerabilities.
In June 2019, the breakthrough group released a report, Cyber Insurance and Systemic Market Risk. The report offers a definition and framework to understand systemic cyber risk and how the impacts of a cyber incident could spread across sectors of the economy. Systemic cyber risk is examined from the vantage point of the insurance industry, as a central actor seeking to quantify cyber risks. The report provides an overview of the cyber insurance market and proposes several recommendations to help the market mature in a healthy, stable way that leads to increased cyber resilience and cybersecurity for all.
To inform the report, beginning in October 2016, the EastWest Institute, Microsoft and Marsh & McLennan Companies co-hosted three working roundtables to discuss the impacts of a growing cyber insurance market. These meetings brought together insurance, technology and government leaders to examine the state of the cyber insurance market, discuss what constitutes as systemic cyber risk, and examine how insurance providers can encourage and improve cybersecurity risk management.
Following the release of its report, this breakthrough group is focused on promoting the publication and discussing the recommendations with policymakers and industry leaders. The 2019 report highlights the potential for the insurance industry to play a role in driving better cyber risk management. Accordingly, the breakthrough group will identify opportunities to bring together stakeholders from different sectors to discuss concrete steps to address systemic cyber risk and ensure the cyber insurance market develops in a healthy, risk-informed way.
Cyber Insurance and Systemic Market Risk
Systemic Risk and Cyber Insurance Working Roundtable Summary, January 2018
The Impacts of a Growing Cyber Insurance Market: Working Roundtable Report, October 2016
A Research Agenda for Cyber Risk and Cyber Insurance
Addressing Systemic Cybersecurity Risk
Cyber Insurance Policies: How do carriers write policies and price cyber risk?
Understanding Systemic Cyber Risk