Technology has become very ubiquitous; It's hard to live without her. It offers enormous advantages, but also risks, and here insurers play an increasingly greater role, as the attacks of sophisticated groups are increasingly aggressive.
The idea that cybercrime is restricted to hackers working from a computer in their room has been obsolete for a long time. The hotel chain Marriott recently discovered an attack that affected up to 500 million records, Singapore also suffered an attack in which 1.5 million records were exposed on the health of people, while the NotPetya malware in 2017 impacted different sectors such as the global transport business or basic infrastructures. Last August, the Bank of Spain experienced a distributed attack of denial of service, which left its users without access to its website. In 2017, the WannaCry ransomware attack that affected critical services, including the National Health Service of the United Kingdom, was also felt in our country, since Telefónica was directly affected, while other companies had to assume an expense considerable in the adoption of emergency measures to protect its own IT infrastructure.
The world is becoming more and more digitized, which brings many advantages, but also brings new risks that affect everyone, from people, to small and large companies and also to governments. As our increasingly global and digital economies and societies develop, cyberspace is a challenging and constantly evolving risk for insurers.
The reason why cyberspace is more challenging is the completely different speed at which the changes take place. New technologies create new vulnerabilities, so it is a risk that continually needs to update your perspective. As an industry, we are still developing our knowledge of this risk, a crucial step to compensate for the lack of historical cyber risk data. We have made a lot of progress in recent years. But what are the main challenges facing the insurance and reinsurance sector in relation to cyber risk?
Cyber silence and accumulation of risks
There are two main categories of cyber risk:
- · Affirmative cyber risk: insurance policies that explicitly include cyber risk coverage
- · Cybernetic risk not affirmative, also known as silent cyber risk: liability insurance policies, transport that does not include or explicitly exclude coverage for cyber risk, but which, however, are exposed.
Insurers must define their appetite for the risk of exposure to affirmative cyber risk, at the same time as they must identify what levels of silent cyber risk are accumulating in their portfolios. Currently, the insurance industry is doing an arduous job to detect cybernetic exhibitions, both silent and hidden, in their contracts and make them explicit, in order to evaluate, evaluate, exclude them or, at least, monitor them.
This will allow the industry to take the next big step to define cybernetics as a distinctive business line and meet the demand of a rapidly growing market segment, which is estimated to reach a premium of 10 billion dollars in 2020.
Support for SMEs
While more and more companies are acquiring cyber insurance to manage their risk, it is usually the large multinationals that contract this type of coverage. However, it is often small and medium-sized businesses that need it most. They are as vulnerable as any other company and are less likely to have the necessary resources to design and implement a comprehensive cybersecurity strategy.
This means that insurers must go beyond mere risk transfer (that is, provide financial compensation) and extend their cyber products to more holistic risk management services for SMEs by establishing partnerships with specialized service providers. These services can range from risk prevention and the improvement of a company's cybersecurity posture, to the help of experts such as IT forensics or crisis management dealing with the aftermath of a cyber incident. The smaller the company, the more important the support.
The role of insurance in the creation of a sustainable cyber market
The insurance sector can play a prominent role in supporting all companies, especially in obtaining greater cybernetic resistance. Since industry is built around risk, insurance is uniquely positioned not only to develop the products needed (and understood) by the market, but also to push its current or potential insureds into better employment. cybernetic hygiene and contribute to increase risk awareness through its customer acquisition activities.
You can also engage in a real risk dialogue with customers, provide support with preventive measures and help them if the company is affected by a cyber attack despite all the preventive work that has been carried out. This helps improve customers' overall levels of cyber maturity and minimizes interruptions and claims from both parties.
The situation of constantly changing threats, new experiences in the treatment of cybercrime cases and technological advances will have an impact on the evolution of risk analysis methods. Insurers against cybercrime should determine their premiums based on the results of the objective risk analyzes and the protection measures employed by the insured. In this way, the insurance sector can play an important role in boosting the cyber maturity of an economy as a whole and helping to improve the cybernetic resilience of each company.
Santiago Arechaga is CEO Swiss Re Iberia