Cyber Insurance As A Risk Mitigation Strategy


Cyber Insurance as a Risk Mitigation Strategy
April 2018

The Geneva Association

The Geneva Association is the leading international insurance think tank for strategically important insurance and risk management issues. The Geneva Association identifies fundamental trends and strategic issues where insurance plays a substantial role or which influence the insurance sector. Through the development of research programmes, regular publications and the organisation of international meetings, The Geneva Association serves as a catalyst for progress in the understanding of risk and insurance matters and acts as an information creator and disseminator. It is the leading voice of the largest insurance groups worldwide in the dialogue with international institutions. In parallel, it advances—in economic and cultural terms—the development and application of risk management and the understanding of uncertainty in the modern economy.

The Geneva Association membership comprises a statutory maximum of 90 chief executive officers (CEOs) from the world’s top insurance and reinsurance companies. It organises international expert networks and manages discussion platforms for senior insurance executives and specialists as well as policymakers, regulators and multilateral organisations.

Established in 1973, The Geneva Association, officially the International Association for the Study of Insurance Economics, is based in Zurich, Switzerland and is a non-profit organisation funded by its members.

(IC)3

The Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, (IC)3, is headquartered in the MIT Sloan School of Management. In collaboration with other parts of MIT, (IC)3 is addressing the important need to improve the cybersecurity of critical infrastructure through an interdisciplinary research approach focused on the strategic, managerial, and operational issues related to cybersecurity.

(IC)3 brings together thought leaders from industry and government with MIT faculty, researchers and students, conducting research in multiple relevant areas. (IC)3 conducts a variety of meetings, workshops, conferences, and educational activities, and produces research reports which can be used by its members to improve critical infrastructure cybersecurity. Please visit us at http://ic3.mit.edu

BCG Platinion

BCG Platinion, a company of The Boston Consulting Group, consists of cybersecurity experts, architects of IT solutions, implementation, and risk management experts that help achieve the right path forward for companies with complexity who seek to deliver results. BCG Platinion connects with and extends BCG’s capabilities into implementation for IT, digital, cybersecurity, and risk as well as cybersecurity strategy. BCG Platinion drives projects through speedy implementation at a lower cost with swiftness and executional certainty. BCG Platinion in North America is based in New York. For more information, please visit

List of Authors:

Michael Siegel, Principal Research Scientist, MIT Sloan School of Management and Research Director of MIT-(IC)3
Nadya Bartol, Associate Head of Cybersecurity Practice, BCG Platinion
Juan Jose Carrascosa Pulido, MBA Graduate Student, MIT Sloan School of Management
Stuart Madnick, Professor, MIT Sloan School of Management and Faculty Director of MIT-(IC)3
Michael Coden, Head of Cybersecurity Practice, BCG Platinion, and Associate Director, MIT-(IC)3
Mohammad Jalali, Research Scientist, MIT Sloan School of Management
Michael Bernaski, Associate Director, The Boston Consulting Group

The Geneva Association—International Association for the Study of Insurance Economics
Talstrasse 70, CH-8001 Zurich
Email: secretariat@genevaassociation.org Tel: 41 44 200 49 00 Fax: 41 44 200 49 99

Photo credits:
Cover page—Kris Tan, Shutterstock.

April 2018
Cyber Insurance as a Risk Mitigation Strategy
Copyright 2018 - The Geneva Association, MIT, and The Boston Consulting Group. All rights reserved.

www.genevaassociation.org @TheGenevaAssoc

Contents

Acknowledgements
Foreword
Executive summary
1. Introduction
2. Methodology
3. General challenges in the cyber insurance market
3.1 The unique nature of cyber risk
3.2 Accumulation risk
3.3 Limited data availability and information sharing
3.4 Impact of cyber regulation
3.5 Technology and cyber insurance
4. The insurance role in cyber risk transfer
4.1 The expanding role along the value chain
4.2 Coordinating the cyber insurance ecosystem
4.3 Improving customers’ cybersecurity
5. The growing cyber insurance market
5.1 Differences in regional markets
5.2 Understanding the future of the market
6. Final words
References

Acknowledgements

This paper has been prepared in collaboration with the MIT Sloan School of Management and the Boston Consulting Group. We have profited greatly from discussions with numerous academics and practitioners, and we are especially grateful to those who made themselves available for in-depth interviews:

Daljitt Barn, Global Head of Cyber, Munich Re
Maya Bundt, Head Cyber and Digital Strategy, Swiss Re
Simon Dejung, Global P&C Engineering Underwriter, SCOR
Eric Durand, Head Cyber Center of Competence, Swiss Re
Mark Dunham, Reinsurance and Exposure Manager, Aviva
Carin Gantenbein, Head Business Development and Transformation, Zurich Insurance
Tracie Grella, Global Head of Cyber Risk Insurance, AIG
David Ho, Head of Financial Institutions Financial Lines, AIG Asia Pacific
Lori Bailey, Global Head of Cyber Risk, Commercial Insurance, Zurich Insurance
Philipp Lienau, Overseer of Cyber Insurance, HDI Global SE
Gordon Payne, Director of Commercial Insurance, Intact
Chris Peters, VP & Chief Security Officer, Entergy
Marc Radice, Head of International Affairs, Zurich Insurance
Douglas Robare, Global Head of Underwriting—Financial Lines, Generali
Adam Schwarz, Director of Research and Development, Fermat Capital Management
Patrick Smolka, Head of Financial Lines, HDI Global SE
Christian Stanley, Casualty Executive Performance Management Directorate, Lloyd's of London

Additional thanks to Mohin Khushani (BCG), Edwin Fawley (MIT and Brown University) and Daniel Hofmann (The Geneva Association) for their support.

Foreword

While the cyber insurance market still lingers in its infancy, no one can miss its dynamics. It is the fastest growing line of business in the industry. In just a few years, cyber insurance premiums have grown to an estimated USD 2 billion in North America and USD 3 billion globally. And these volumes are expected to continue to grow. A combined assault of daily front-page news about cyberattacks, increasing government regulation and insurance industry awareness keeps raising the profile of cyber risk.

This report is the second in the research programme on Cyber and Innovation that The Geneva Association established in 2016. It intends to provide a platform for industry discussion on cyber risk and insurance and will seek to develop and inspire research and insights that support its sustainable development. The new paper analyses the state of the cyber market and the role insurers play in advancing cyber resilience. Moreover, it reviews the transformation along the value chain as insurers are moving from providing risk transfer products only to offering prevention, mitigation and resolution services.

In light of the market dynamics it should not surprise that the report raises more questions than it answered. Issues related to accumulation risk, capacity and to the broader challenges of insurability and sustainability will continue to inform our research agenda. We are looking forward to producing more building blocks in support of a viable cyber insurance market.

The paper is based on a review of the literature on cyber risk as well as interviews with brokers, customers, reinsurers, and underwriters in the U.S., Europe, and Asia. Our appreciation goes to the Massachusetts Institute of Technology and BCG Platinion for their collaboration in preparing the report.

Anna Maria D’Hulster
Secretary General of The Geneva Association

Executive summary

Cyber insurance is the fastest growing line of business in the insurance industry. A combined assault of daily front-page news items about cyberattacks, increasing government regulation and insurance industry awareness are all raising the profile of cyber risk. This is no longer just an IT-based risk but also a major business risk that is being considered at company board and ownership levels. According to surveys, 99 per cent of all boards of directors discuss cyber risk on a regular basis,[1] and 80 per cent of CEOs consider cyber risk the number one threat to business growth.[2] As more regulations are adopted, including global notification requirements such as fines and penalties, the corporate sector is looking to insurance to offer mitigation solutions that can effectively deal with this emerging risk.

[1] BCG survey of clients (2015).
[2] PwC survey of clients (2016).

Risk transfer and services

There is indeed a major opportunity for the insurance industry to help mainly corporate and commercial customers better manage and mitigate cyber risks. By doing so, insurers also tap into revenue streams in an entirely new specialised line of business:

1. Providing cyber risk transfer in the form of cyber insurance policies; and
2. Providing cyberattack prevention and mitigation services to help companies reduce the occurrences and the impact of a cyberattack.

In just a few years, cyber insurance premiums have grown to an estimated USD 2 billion in North America and USD 3 billion globally. These volumes are expected to continue to grow. Insurers provide a much-needed service for customers in terms of cyber risk prevention, mitigation and loss compensation.

Cybersecurity services are a new revenue stream for insurers. There are essentially two phases where insurers can be active:

1. Pre-breach: Insurers work to design appropriate cyber insurance policies for their future clients. They work with customers to better understand risks and to prevent breaches based on appropriate risk management frameworks. Insurers also offer services to increase cyber awareness in the company, assess clients’ contingency plans, train personnel, or recommend best practices to reduce the effect and fix the breach. These services help to reduce the impact of an attack or an incident when it occurs.
2. Post-breach: Insurance policies provide services that evaluate the impact, investigate the attack, help implement response and recovery plans, provide forensics, public relations and communications support, notify customers, and identify appropriate mitigating actions to strengthen resilience in the future.

Services yield data which will fuel growth

The benefits of providing cybersecurity services go beyond generating an additional revenue stream and introducing an additional form of protection to customers. Insurers also collect valuable data regarding cyber risks, cyberattacks, successful mitigation strategies, and financial impact. This helps to build a critical data set for rating future customers, modelling cyber risks, and underwriting and pricing future services.

This data is crucial for fuelling the growth of cyber insurance in a large market for two reasons: first, insurers often do not have enough data to accurately price products; and second, without sufficient data about losses and claims payments, it is difficult to explain and sell a product to customers.

Hypotheses evaluated

In this paper, we analyse the state of the cyber insurance market and the role insurance can play in advancing cyber resilience. To structure our research, we formulated and tested three hypotheses:

1. Insurance companies operating in the cyber insurance area are experiencing a transformation along the value chain. They are moving away from only providing risk transfer products to also offering prevention, mitigation and resolution services.
2. Insurers have the unique opportunity to influence and improve cyber risk operations for their customers. The new collaborative model and the larger presence of insurers can be leveraged to create cyber risk awareness and improve coordination in customer organisations.
3. The cyber insurance market is still in its infancy and is in constant transition with potentially important tipping points.

Methodology

The authors of this report used two independent methods to research the market and to validate the results. The initial investigation included a thorough examination of existing academic research materials, and documentation from various organisations and companies in the cyber risk and insurance ecosystem. In addition to the literature review, information was gathered by conducting more than 45 interviews with underwriters, brokers, reinsurers, and customers in the U.S., Europe and Asia. The results of the literature review and interviews were then analysed by a team of cybersecurity and insurance experts at the Massachusetts Institute of Technology (MIT) and the Boston Consulting Group (BCG).

Key challenges

Throughout our research we encountered several challenges:

1. Many of the cyber risks are not yet well understood.
2. There is a prevailing concern about the potential for large accumulation and/or aggregation risk.
3. Lack of data and lack of data sharing are contributing to the uncertainties of how to develop and market insurance products, define the limits of insurability, and develop effective backstop solutions either with governments or through public-private partnerships.
4. The potential impact of multiple government regulations in multiple geographies and jurisdictions (often within the same country) adds significantly to the uncertainty.
5. The effects of technological developments are unknown. This uncertainty is compounded in at least three areas:
   a. The global trend towards digitisation in many industries introduces technologies with unknown vulnerabilities;
   b. It is unclear how long it will take to develop improved cyber security tools and how successful they will be in protecting digital industrial systems. In addition, standards of cyber governance are still underdeveloped;
   c. The development of new cyberattack tools by cybercriminals and nation states is entirely unpredictable.
6. There is a major difference in the cyber awareness and needs of large enterprises compared to small and medium-sized enterprises (SME).
7. There is confusion in the customer base as to who should evaluate and purchase cyber insurance—the Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Chief Technology Officer (CTO), Chief Operating Officer (COO), Chief Executive Officer (CEO), or the Board of Directors.

Topics for future research

The authors of this paper also identified a number of future research topics, including:

- Insurability—Given the entirely new and still unexplored features of cyber risk which include matters relating to randomness and attribution (are cyber incidents regularly insured events or results of terror or war?), questions relating to insurability and the parameters to enable insurability need to be explored.
- Accumulation risk—The global nature of cyber risk with its many interlinkages across industries and sectors raises the issue of accumulation risk. Risk modelling in this area is still in its infancy.
- Capacity—Related to accumulation risk is the question whether the global (re)insurance industry can command the capital to absorb what ultimately may be a very large probable maximum loss. This also leads to the question whether governments will need to provide a backstop (similar to those in terrorism insurance) and to what extent global capital markets would be prepared to accept the securitisation of cyber risk.
- Understanding cyber risk in terms of other insurance—What can we gain by looking at other insurance markets and products (e.g. extreme natural catastrophe events, terrorism, war)?
- Understanding market dynamics—Better tracking and prediction methods are needed for cyber insurance market movements, entry and exit of players, impacts on market pricing, the impact of cyber events, metrics, and overall learning as the marketplace absorbs more information.
- Creating an effective value chain—Finding the right mix of services, in-house vs partnering, charging for services, required vs voluntary services are just a few of the issues in building the cyber risk service value chain.
- Understanding the political, macro- and microeconomic impacts of cyber risk—Many of the aspects of cyber risk are playing out in the international community in terms of politics, regulations, and trade policies. How these will impact insurers today and in the future is a very important aspect of the insurance marketplace.

Conclusion

Insurers are uniquely positioned to help their customers improve cyber awareness, and better understand and manage cyber risks. In addition to the growth of policies for cyber risk transfer, the cyber risk insurance value chain provides a range of cybersecurity services. This offering includes not only risk mitigation and protection services for customers but also valuable data for insurers regarding cyber risks, cyberattacks, successful mitigation strategies, and the financial impact of actual cyber events.

1. Introduction

Digitisation is a powerful economic and societal force shaping and improving lives and futures around the globe. Digitisation is in fact fuelling world economic growth. With digitisation comes increased impact and awareness of cyber risks. If not properly addressed, cyber risks have the potential to constrain and even reverse the forward momentum of digitisation which could adversely impact the world economy.

- While cyber insurance is frequently mentioned as an appropriate risk transfer mechanism, it is only recently that cyber insurance has become a marketable offering. Cyber insurance differs from other lines of business and introduces a number of challenges: cyber insurance can be considered both a product and a service, it can be a part of many lines of insurance or it can be offered as a stand-alone service.
- As everything is increasingly connected, cyber risk is ubiquitous and fluid, making its management difficult and dynamic.
- Cyber risk involves both tangible and intangible assets and activities—putting a value on losses involves judgment not evidenced and conventions not yet established.
- In most areas, cyber risk will continue to evolve and it will take time to ‘mature’ into a more stable state.
- The anonymity that the cyber space provides makes the attribution of cyber incidents difficult.
- Because it is not subject to physical world constraints, cyber risk does not conform to insurance risk models typically addressing either high severity/low frequency or low severity/high frequency events that in most cases are based on the idiosyncratic nature of the insured risk. Instead, cyber risk has the potential to be highly correlated across industries around the world, and, as a result of risk accumulation and aggregation, it can produce costly high severity/high frequency events.

The cyber insurance market is like other markets that are not yet fully developed in that (1) demand is inconsistently informed; (2) uncertainty and behavioural distortions impede decision-making; (3) common vocabularies are not broadly adopted; (4) suppliers’ solutions are not standardised; (5) historical knowledge is limited; (6) industry regulators (such as the FCC in the U.S.) are unsure of their role and what to do; and (7) the ecosystem is fragmented. As a result, participants cannot appreciate the nature of the risk and the efficacy of preventive measures. Informational asymmetries create issues related to moral hazard and adverse selection.

The recent history of cyber exploits reflects a slow awakening to exposure and a surge of activity based on the latest headline event. To truly get ahead of the risk requires principled and visionary leadership, agility and collaboration.

The aim of this research is to provide insights into the cyber insurance market, identify future trends, and suggest areas for market development and improvement.

First, the report elaborates on some of the greatest challenges that insurers active in the cyber space are facing, from how to deal with accumulation risk to the sharing of incident data to improve risk modelling tools.

Second, we will review how insurance companies are transforming their offerings from strictly risk transfer products to a comprehensive series of offerings along the cyber risk value chain.

Third, we will analyse how insurers can educate customer organisations and collaborate with them so that they are better prepared to manage their risk.

Lastly, the report will reflect on the evolution and currently limited maturity of the cyber insurance market by analysing its status and proposing a market model to illustrate possible future developments.

2. Methodology

We conducted our research in three phases:

- Phase 1: Literature review—We conducted a thorough search and review of the published literature on ‘cyber risk’ and ‘cyber insurance.’ The list of documents includes industry reports, insurance papers and academic papers among others. The primary documents consulted are listed in the References section.
- Phase 2: Internal knowledge—The MIT Sloan Interdisciplinary Consortium on Improving Critical Infrastructure Cybersecurity, MIT-(IC)3 and the Boston Consulting Group, BCG, synthesised experience and meaningful insights from extensive work done in the cyber risk sector in recent years. Their work helped identify the hypotheses and lines of work on which to focus for this research. This interaction also helped to generate the interview guidelines for the next stage of the project.
- Phase 3: Insurance and customer interviews—Our initial research is supported by more than 30 interviews that BCG Platinion conducted with insurers, experts and customers. Additionally, another 15 interviews were held to focus on our three leading hypotheses: (1) insurers are experiencing a transformation as they expand their services along the value chain; (2) insurers can significantly influence their customers to improve cyber awareness and remove their protection gaps; and (3) cyber insurance is still in its infancy, but the market is evolving, and its expansion is driven by regulation and cyber oc

3. General challenges in the cyber insurance market

From self-driving cars to smart insulin pumps, technology is constantly transforming and improving our lives; however, these technologies reveal vulnerabilities that, if exploited, could result in disaster.[3]

Imagine a case in which a hacker remotely accesses a self-driving car (an event of this nature has already occurred).[4] If a hacker were able to redirect a car to collide with a structure, the car, the structure, and everything in it could be severely damaged, people could be injured and the car manufacturer’s reputation could suffer. How can we better understand this cyber event and its associated risks?

Cyber risk is defined differently depending on the perspective of those defining it. From the Chief Risk Officer Forum,[5] the definition of cyber risk covers:

- Any risk arising from the use of electronic data and its transmission, including technology tools such as the Internet and telecommunications networks.
- Physical damage that can be caused by cyberattacks.
- Fraud resulting from the misuse of data.
- Any liability related to data usage, storage and transfer.
- The availability, integrity and confidentiality of electronic information, whether related to individuals, companies, or governments.

The example of an attack on a self-driving car unequivocally fits into the above definition of cyber risk, but less clear are the insurance obligations that would come into effect following the incident. Would the car manufacturer’s plant, property & equipment (PP&E) insurance cover damage to the car? Would the car insurance cover the damage to the structure and its contents? Which policy would protect damage to the car manufacturer’s brand? Who would pay for the investigation? Would the answers to these and other questions be driven by legislation and regulation?

This example is not purely theoretical. Hardly a day goes by without another cyberattack mentioned in the press. For example, the price paid by Verizon in its acquisition of Yahoo! decreased by USD 350 million to USD 4.48 billion after the breaches that Yahoo! had suffered were disclosed.[6]

Insurers are responding to greater frequency and awareness of cyberattacks with the development of specific cyber risk insurance policies. In addition to traditional coverage, insurers are also providing services to enable their customers to be better prepared overall to manage cyber risks and quickly address the impacts in the aftermath of attacks or incidents. We will revisit this point later in Chapter 4: The insurance role in cyber risk transfer.

Despite the evolution of the cyber insurance market, customers struggle to understand their exposure and appetite for risk transfer. Cyber risk policies are technical and are complicated by the fact that they are standardised along a single offering model; some underwriters offer stand-alone policies, while others integrate cyber insurance in current offers without making any distinction. Customers and insurers are struggling with the issue of silent risk.[7] Moreover, insurance pricing and risk models continue to evolve. Additionally, many customers do not see any value in cyber insurance because they do not understand their cyber exposure. In Section 4.2: Coordinating the cyber insurance ecosystem we will elaborate on how insurers can help customers reduce their cyber risks to an acceptable level.

Customers are demanding more extensive coverage, and insurers are jumping into the market with new offerings to satisfy those needs. Large client companies are more mature in their thinking and have developed internal cybersecurity capabilities or have partnered with third-party organisations to address their needs. However, small and medium client companies are generally more exposed as they do not have the resources to address all their cybersecurity needs. The insurance market is rapidly changing to address this range of demands. This paper discusses cyber insurance market dynamics in Chapter 5: The growing cyber insurance market.

Finally, we consider some of the biggest challenges to the cyber insurance industry. The following paragraphs synthesise what has already been published in many industry reports with insights gleaned from our interviews.

[6] rg.com, 2017-02-21, Verizon said to reach deal for lowered Yahoo! price after-hacks
[7] Silent cyber risk refers to cyber exposures that are not specifically included or excluded by (non-cyber) insurance policies. The silent exposures inherent in non-cyber policies can be significantly exacerbated by cyber events. It is estimated that silent risk can make up 90 per cent of total cyber exposures (see E. Kopp et al. (2017), Cyber Risk Market Failures and Financial Stability, IMF).

3.1 The unique nature of cyber risk

Insurance companies are used to dealing with many areas of uncertainty and risk. They offer coverage for natural disasters, business interruption, and even damage from terrorist attacks; however, insurance companies are not used to dealing with many of the new incidents of cyber risk.

One way to conceptualise the implications of a cyberattack with regard to damage is to compare it with an earthquake. An earthquake can happen anywhere, anytime. It can cause property damage, personal injuries and losses, and can interrupt business operations and supply chains. A cyberattack can cause the same damage. For example, a hacker could target the control system of a pressure valve in a nuclear power plant and cause damage comparable to the earthquake and tsunami that nearly destroyed the Fukushima nuclear plant in Japan.

However, cyber incidents do not only occur with high severity, they can also occur with high frequency.

In this sense, the nature of a cyber incident is different to that of a natural disaster (e.g. earthquake). Based on many years of observations and historical records, we know that natural disasters occur with a certain frequency. For example, the likelihood of having several simultaneous earthquakes around the world is very small, but cyberattacks can happen to any number of organisations simultaneously. The recent WannaCry attack exemplifies the global and spontaneous nature of a widespread cyberattack. Experiencing an attack does not necessarily prevent the same company from experiencing a second attack immediately after the first. This will depend on the speed of identification, analysis, and mitigations, and whether the second attack targets the original vulnerabilities or new unidentified ones. Whereas it is unlikely that a single earthquake will occur around the world (although areas could be affected beyond the immediate earthquake zone), the same cannot be said for a cyberattack.

Cyberattacks and other cyber events are created by humans. Attacks are usually directed at specific targets with a clear outcome in mind (e.g. profiting from th
