CyberRisk: To Insure or To Ensure?

security increasingly takes center stage in the golden age of the internet

Dr. Dennis Bessant, Specialist Advisor to Megrow, wrote this article in June 2019.

the golden age of the internet

Robert K Merton, an American sociologist, popularised “the law of unintended consequences” in the 20th century; it says that actions always have effects that are unanticipated or not intended. What has a visionary social scientist got to do with the technical challenges of CyberRisk that besiege enterprises of the 21st century?
Well, the golden dawn of the internet, the exponential surge of technological change and their benefits have also brought an unintended consequence: attack by CyberRisks. The days when a simple malfunction of computer hardware or data damage needed only a quick IT fix are gone. A new vocabulary emerges: malware, LockerGoga ransomware, state-sponsored cyberattacks, NotPetya and so on!

to insure – is NOT good enough

When significant new risks emerge, there is a rush to seek insurance solutions to transfer the exposure. But insurance alone is not enough! Let’s look closer at what is actually happening in global markets today.

The impact of technology through cyber has overtaken conventional insurance “all risk” (or accidental) contract language. The burden of proof lies with insurers when such CyberRisk claims occur. Based on recent, widely reported and controversial landmark disputes, these claims are being denied using the conventional war exclusion in an attempt to understand the nature of their manifestation. There is a lack of contract certainty for cyber claims as insurers attempt to define the right language for these novel and, until recently, unexpected events.

Markets are struggling to find a sound foothold for the language to use in insurance contracts. Reinsurers and their retrocessionaires are also having to come to terms with potential aggregation issues and varying contract language. All this creates an air of uncertainty for enterprises facing such complex risks. Of course, there is a desire by the insurance markets to respond, given the vast potential premium pool globally. But the first port of call for any enterprise, governmental or corporate, is to do the basics themselves with specialist help rather than seek quick-fix risk transfer solutions, only to find they are exposing their organisations to tens of millions of dollars in potentially unsettled claims.

In Insurance we trust?

Interestingly, research done by the Mactavish group, published here, reveals that around a third of respondents do NOT think that insurance is the desired solution to their Cyber exposures! Why is that so? Read on…

it is in the contract

Fortunately, attempts to improve the governance of contracts are under way. For example, Mactavish, a well-respected adviser in this field in the relatively sophisticated UK market, has suggested the insurance industry eliminate eight ‘flaws’. These ‘flaws’ are prominent in off-the-shelf cyber policies and hence insurers often use them to deny claims. Insurance is for the unforeseeable. These days, computer and equipment systems, controls, hardware and software are essential components of virtually any enterprise. Critically, the systems are intricately linked with their human endeavour. Furthermore, their protection is a cost of doing business to Ensure they stay in business. Their oversight, governance and control by each enterprise, depending on the level of exposure foreseen, is therefore a known and foreseeable necessity.

We also need to look at the original question of “CyberRisk: To Insure or To Ensure” from the ensure perspective.

to ensure is better

So what can enterprises do to Ensure CyberRisk is mitigated or reduced without depending solely on the ability to Insure? Find tips from the largest global commercial property insurer (FM Global, see below) on where to start and what to do. Think outside the box.

the human factor

Crucially, seventy to eighty percent of cyber deficiencies are human factor related. In other words, the person behind the machine is the weakest link! Awareness and training are vital to reduce risk. Stress testing to ensure business/service continuity and protect customer data is critical. Controls of security, data management, infrastructure oversight and protection will reap huge dividends to Ensure enterprise resilience whilst the insurance industry attempts to wrestle with the complexities of what to Insure in this complex field. The challenge will continue to grow exponentially as local, national, regional and global accumulations and aggregations stack up, exacerbated by yet more AI, automation and smart machines! Ensure your enterprise is built to last.

CyberRisk: To Insure or To Ensure

In conclusion, ensurance – in the form of good Cyber hygiene – is a critical component in managing the ever-evolving CyberRisk landscape. In addition, the insurance industry faces significant challenges and opportunities to position itself as a key risk mitigant in the “CyberRisk: To Insure or To Ensure” realm.

references

  • Commercial Risk Europe: Merck Pharma in dispute with insurers over the 2017 NotPetya attack
  • Financial Times: Mondelez sues Zurich in $100mill test for cyber hack insurance; 1,700 servers and 24,000 laptops ‘permanently dysfunctional’
  • The Times UK: Companies at risk as Hiscox rules out DLA Piper’s cyberattack claim
  • Mactavish: Cyber Risk & Insurance Report, November 2018
  • FM Global Insights & Impacts (2018): Cyber Risk: The Answers to Five Big Questions; 5 Questions Every Risk Manager Should Ask; Threats to Physical Security Industrial Controls.
  • images are used under creative commons license

the author

Dr. Dennis Bessant is Specialist Adviser to Megrow. Find out more about him and read some of his recent publications.