CYBER RISK INSURANCE
COLLABORATION, INCENTIVES

Innovation and new ways of thinking are the key to the future role of cyber risk insurance, writes Phil Huggins

Cyber insurance is a new market full of opportunity for the brave but with pitfalls for the unwary. However, as RM Professional's spring issue Cyber cover story feature underscored, there is still some way to go before the aspirations of insurers and the needs of clients converge.

According to research by the IRM's cyber and information management (CIM) special interest group, only 20 per cent of UK organisations have cyber insurance, even though more than 70 new cyber insurance products have emerged during the last two years. And it is not all plain sailing for organisations looking to better understand and manage such risks, with Stephen Catlin, founder of one of Lloyd's of London's largest specialist members, warning that cyber security represents the biggest, most systemic risk facing both underwriters and their clients.

The magnitude of the challenge has seen governments take a greater role in promoting cyber insurance, with the UK government launching its own report, UK cyber security: the role of insurance in managing and mitigating the risk. Viewing the market as a lever with which to drive much-needed private sector cyber security improvements, the expectation is that this will help align risk assessments with good practice, while incentivising good risk management. The hope, from a government perspective, is that the need for direct involvement and regulation will be less likely.

Innovation

While any initiative to raise awareness should be welcomed, there is a more fundamental issue to address. As the market develops, there is an urgent need for joint innovation by insurers and cyber security specialists, to ensure future pitfalls are avoided.
Most insureds are interdependent for their security but, currently, they are not incentivised to invest if they believe they will be harmed by lack of investment by another firm, especially if that investment can be used to grow the business. This leads to a race to the bottom for cyber security, as firms invest less in protection than their peers.

The widespread dependency on outsourced services also creates a correlation in cyber risk, as the outsourcers become the common factor across industry sectors and geographies. Similarly, the technology being used is highly homogenous; technology monocultures also exist across industry sectors and geographies, which means a single technology flaw could catastrophically affect swathes of businesses. These make portfolio segmentation problematic.

Assessing the cyber risks of individual organisations is, therefore, one of the key challenges facing insurers and underwriters. Despite the cyber security industry having ready access to data on the growing numbers and types of security breaches, alongside information on the competing security frameworks and standards all claiming to be best practices, there is no reliable quantification of the effectiveness of the differing cyber security measures. Without a clear correlation between implemented cyber security measures and improved risk outcomes, it is very difficult to differentiate insureds. From a premium perspective, they each get a general market cost, rather than an individually tailored cost. This incentivises no-one to improve and that, to insurers, is akin to a lemon market for selling cyber risk.

There is also a moral hazard at play. Purchasers of cyber risk insurance are not closely involved in day-to-day cyber risk management, which is commonly performed by IT staff, focused on delivering business benefits over business protection, out of the sight of risk professionals.
Incentives

While large-scale, systemic cyber threats may require government backing, there are opportunities for insurers to provide innovative products that help reduce the frequency and impact of incidents, while incentivising behaviours that minimise the potential for harm. Some of the areas where opportunities for innovation exist include:

• A focus on measuring the cyber resilience, rather than the cyber security, of insureds. This addresses: situational awareness; diversity of cyber capacity; pace of decision-making; technical agility and adaptation; organisational readiness; and problem-solving. By improving these areas, organisations are more likely to weather catastrophic cyber events.

• Insurers monitoring the external indicators of cyber hygiene and regularly feeding these back to their customers, potentially tying this to a variable level of cover. This would incentivise risk professionals and help IT specialists to focus on measures that could reduce the frequency of claims.

• Insurers acting as aggregators of cyber risk data across their portfolios and using new analytics techniques to develop insights to be shared with clients, which will reduce uncertainty in making cyber risk decisions.

• Insurers providing trusted forums for information-sharing among their portfolio, to spread the knowledge of adversary activities. Such measures would enable businesses to respond faster, reducing the size of claims.

• Insurers developing capability-sharing groups across their portfolios. This could take inspiration from the Nato model, where an attack on one is treated as an attack on all. It is a strategy that would address the capability and any cyber skills shortage among the client base.

Cyber risks and the consequences of an attack cannot be managed with insurance alone, a view echoed by the IRM's CIM SIG report, which points out that insurance is important but it doesn't cover everything. However, as the magnitude of the threat increases, cyber insurance is set to play an increasingly important role in allowing organisations to manage risk. For insurers, significant opportunities exist for calculated risk takers attuned to innovation across the cyber security profession, which will allow the uncertainty and impact of cyber risk to be managed more effectively.

Phil Huggins is vice president of security science at Stroz Friedberg
www.strozfriedberg.com