By Annette Hofmann PhD, Director, Lindner Center for Insurance and Risk Management; Associate Professor of Insurance and Risk Management; Virgil M. Schwarm Assoc. Professor of Finance and Investments; Carl H. Lindner College of Business | University of Cincinnati; Annette.Hofmann@uc.edu & Corinna Kulp Senior Manager, IT & Controls Assurance; Audit & Assurance, BDO AG Wirtschaftsprüfungsgesellschaft Hamburg; email@example.com
In today's digitized world, cyber risks have become a pervasive and increasing threat. They affect not only technology companies, but also traditional industries such as insurance and reinsurance carriers. The risk management industry is particularly vulnerable to cyberattacks due to the large amount of sensitive data it manages. Therefore, it is critical that insurance companies develop and implement effective strategies to manage cyber risks.
Cyber risks refer to the potential losses or damages that can be caused by cyberattacks, data breaches, or other types of IT security incidents. They can include financial losses, business interruption, reputational losses, legal consequences and even physical damage. For (re-)insurance companies, cyber risks can present specific challenges, such as the difficulty of quantifying and modeling cyber risk, the rapid evolution of cyber threats, and the complexity of regulatory requirements in different countries. Both the general lack of data and the fact that cyber represents an extremely heavy-tailed risk are the main reasons why the industry faces a significant bottleneck to risk assessment and pricing; the resulting difficulties in the insurability of cyber risks are widely acknowledged (Eling and Wirfs (2015, 2019), Hofmann et al. (2020), Wheatley et al. (2016)).
Cyber risk assessment and management
As is well known, the first step in dealing with cyber risks is to identify the different types of cyber risk and then conduct a thorough risk assessment. This includes identifying the assets that are most at risk (e.g., customer data, financial information, operating systems), assessing current security measures, and identifying potential vulnerabilities. Based on this assessment, insurance companies can then develop a risk management program that includes measures to mitigate, transfer, self-insure, or accept a given risk. Such a program can include implementing security technologies, training employees, developing contingency plans, purchasing insurance, and adhering to industry best practices and standards.
Taking an insurance perspective on data breaches within the class of cyber risks, data breaches at companies in general can lead to theft and identity fraud, business interruption, public relations scandals, and more. While coverage of cyber events is typically excluded from property and liability policies, the market for cyber risk coverage is growing, with insurance against data breaches forming the bulk of that coverage. Looking at the United States, the graph below shows the 12-year frequency and median severity of information items compromised, by U.S. state. As would be expected, the highest frequencies are in the states of New York and California, followed by Texas and Ohio. Interestingly, the highest severity is found in Nebraska, followed by Nevada and the District of Columbia.
Figure A1, taken from Hofmann et al. (2020). Note: States with ≤ 10 cyber incidents over the 12 years were omitted (i.e., Alaska, Arkansas, Delaware, Hawaii, Idaho, Kansas, Louisiana, Maine, Mississippi, New Hampshire, New Mexico, North Dakota, Rhode Island, South Dakota, Vermont, West Virginia, Wyoming). The inset panel magnifies the cluster near the origin.
Regulation and compliance
Due to the increasing importance of cybersecurity, many governments and regulators have introduced stricter cybersecurity regulations and standards. Insurance companies must therefore ensure that they comply with these requirements to avoid legal repercussions, penalties, and reputational damage. This may include compliance with regulations such as the EU's General Data Protection Regulation (GDPR), U.S. information security laws and other national and international standards. Compliance may also include working with regulators, reporting security incidents, and conducting regular audits and reviews. The reporting obligations hinge on what counts as a breach: Article 4(12) of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
As a result, managing cyber risk is a complex and ever-changing challenge for the insurance industry. It requires a deep understanding of the risks, effective risk assessment and management, development of cyber insurance products, compliance with regulatory requirements, and constant vigilance against new threats and developments. Despite these challenges, managing cyber risk also presents opportunities for insurers, such as the ability to develop new products and services, strengthen their own resilience, and build customer trust. With the right strategy and resources, insurance companies will be able to manage these risks effectively and strengthen their role as trusted protectors in the digital world.
- Eling, M. and Wirfs, J. H. (2015). Modelling and management of cyber risk. Available online at: https://www.actuaries.org/oslo2015/papers/IAALS-Wirfs&Eling.pdf.
- Eling, M. and Wirfs, J. H. (2019). What are the actual costs of cyber risk events? European Journal of Operational Research, 272(3), 1109–1119.
- Hofmann, A., Sornette, D. and Wheatley, S. (2020). Addressing Insurance of Data Breach Cyber Risks in the Catastrophe Framework. Geneva Papers on Risk and Insurance - Issues and Practice, 46, 53–78.
- Wheatley, S., Maillart, T. and Sornette, D. (2016). The extreme risk of personal data breaches and the erosion of privacy. The European Physical Journal B, 89(7), 1–12.