While on a recent business trip to Russia, RIAC web editor Anastasia Tolstukhina met up with Dr. Andreas Kuehn, Senior Program Associate of the EastWest Institute to discuss the EastWest Institute’s recent report “Cyber Insurance and Systemic Market Risk.” The report jointly developed with industry leaders Microsoft, Marsh & McLennan, and areco.ai, provides a framework to better understand and address the systemic nature of cyber risk and the challenges it presents to the burgeoning cyber insurance industry. It features an overview of the current state of the cyber insurance market along with proposals to help the market mature in a healthy, stable manner while promoting increased cybersecurity. The report is available in English here.
While on a recent business trip to Russia, RIAC web editor Anastasia Tolstukhina met up with Dr. Andreas Kuehn, Senior Program Associate of the EastWest Institute to discuss the EastWest Institute’s recent report “Cyber Insurance and Systemic Market Risk”. The report jointly developed with industry leaders Microsoft, Marsh & McLennan, and areco.ai, provides a framework to better understand and address the systemic nature of cyber risk and the challenges it presents to the burgeoning cyber insurance industry. It features an overview of the current state of the cyber insurance market along with proposals to help the market mature in a healthy, stable manner while promoting increased cybersecurity. The report is available in English here.
Let us start with the basics, what is cyber insurance and why does it matter?
In its essence, cyber insurance is a simple concept, and the reasons for why one would buy cyber insurance is not different from other instances when we purchase traditional insurance for our car or home. Car insurance covers against financial losses that occur when your you are in involved in a car accident or when the car gets stolen. The car insurance pays for fixing the car, covers medical costs, or protects you against liability claims. If you have a house, you buy insurance to shield you against catastrophic financial losses from fire, flooding, and other disasters.
The same applies to the digital world. If you do business and you rely heavily on the Internet to conduct your operations, to sell your goods, communicate with your vendors, or process large amounts of personal or other sensitive information, cyber insurance exists to protect against specific cyber risk When cyber-related incidents may occur such as critical business services go down, sensitive business information is stolen, ransomware holds your operation hostage, or protected personal information is accidentally leaked, cyber insurance may cover financial losses, legal expenses and protect you against third party liability claims.
With an ever increasing trend of digitalization, such as Russia’s digital economy program, and a growing cyber threat landscape, it’s very likely that we will see an increase in the number of cyber incidents with large scale and costly effects. In our report, we tracked a number of recent major incidents. The 2017 NotPetya incident alone caused total damages of an estimated USD 10 billion. Even for a large, well-resourced global company, a devastating cyber incident can prove devastating, financially and operationally. Furthermore, due to the interconnected nature of cyber systems and the global economy, there is a risk that a severe cyber incident could have shocks that spill over beyond the initial victim, destabilizing global markets and having a negative impact on the world’s economy.
But the NotPetya incident also revealed that the fast-growing cyber insurance sector has to grapple with open questions as cyber events increasingly involve sophisticated state actors. An insurer who denied coverage to its client based on the contractually stated war exclusion was faced with a lawsuit. The pending case is closely watched as its outcome could have significant implications for the insurance industry.
Insurance solutions provide one important approach – but not the only one – to mitigate distress and reduce financial risk following a destructive cyber incident. While cyber insurance provides some relief, it is important to emphasize that insurance is only complementary to and not a substitute for effective cybersecurity.
What triggered you writing this report, why now?
While cyber insurance is a straightforward and logical offering, there is an important caveat. Cyber risk assessment and adequate pricing is a challenge – and as such is quite different from insuring a car or a house. Insurance companies have limited actuarial data of cyber incidents, and the constant change in new ICT technologies and varied attack vectors keeps underwriters on their toes. This uncertainty complicates the development of a healthy cyber insurance market. In theory, if an insurance company charges too high of a premium, it will not be competitive in the market. If they price the risk too low, over time large losses may accumulate and possibly threaten the survival of the insurer.
What triggered the convening of several meetings with industry experts, government representatives and scholars, that led ultimately to writing the report, was the insight that cyber is increasingly prone to systemic risk, a fact that has been largely overlooked and remains unaddressed. Systemic cyber risk has the potential to trigger catastrophic failure across multiple industries and eventually cause secondary, destructive effects in the physical world.
The report discusses two underlying mechanisms – common vulnerabilities and concentrated dependencies – that propagate damaging and costly effects, if the quietly aggregated risk is unleashed. In a nutshell, think of this as massive cyber incidents caused by either a common software flaw present in devices of hundreds of millions of users, such as the a widely-used mobile operating system platform, or the dependency of hundreds of thousands of businesses on central providers of Internet infrastructure, such as a major cloud service. It’s important for the insurance industry but also governments to understand the danger of systemic risk. The report discusses a few examples and provides an analytical yet practical framework to examine systemic risk along system and incident attributes.
Strengthening cyber stability is at the heart of the EastWest Institute’s mission of conflict prevention in and outside of cyberspace. Cyber insurance increases resilience and safety in global cyberspace by protecting against financial losses from major cyber incidents and raising the cybersecurity baseline. Thus the report on cyber insurance and systemic risk is strategic and complementary to the Institute’s efforts on cyber norms for state behavior – through the Global Commission on the Stability of Cyberspace – or our technical and policy work around global supply chain security and smart city security and safety through EWI’s international breakthrough groups.
How has the Russian market for cyber insurance developed, and how does it compare internationally?
In Europe and the United States, a healthy market has developed in the past decades that offers a variety of standard and specialty coverages for cyber-related incidents. It’s expected that by next year this market will grow to USD 7.5 billion in size. These insurance products cover cyber-related losses such as financial damages and loss caused by data breaches, business operation interruption, and liability. About one-third of U.S. companies have a comprehensive cyber insurance. The number of total claims made went up 39% to 12.5 million since last year.
In Russia, so far, there has been less demand for cyber insurance products, but in 2017, Sberbank was tasked to develop cyber insurance products and its subsidiary Sberbank Insurance Broker Company announced the sales of corporate insurance products for cyber risk. Russia’s cyber insurance market is just getting started. As of a few years ago, only 20 or so companies in Russia were covered by cyber risk insurance, and they were all covered by foreign insurers. But with the government’s declared priority to develop Russia’s digital economy, this is very likely to change.
Who should buy cyber insurance? Does every company need cyber risk coverage?
Well, this depends on your business model and a company’s exposure to cyber risk. The decision to buy cyber insurance should be preceded by a thorough assessment of your organization’s cyber risk and potential for financial losses. As a rule of thumb, I’d say the larger the business and the more it depends on ICT for its operations, the more the need for the firm’s executive team to have cyber risk mitigation in place and tested. Insurance is only one tool in the proverbial toolbox to handle direct losses, but also third-party claims against you resulting from a cyber incident.
What type of cyber insurance policy and coverage is adequate depends on several factors. Coverage may run from a few hundred thousand US dollars to several hundred million, while the premium varies based on industry sector, exclusions and limitations, and other risk considerations.
Are there any particular takeaways from the report that are relevant to the Russian cyber insurance market?
The report contains a set of recommendations that were written with a particular eye for addressing systemic risk, but I think these contain insights that are universally applicable. An emerging market would be well advised to consider them. One general insight is the need to enhance underwriting abilities for cyber insurance in order to close the gap in risk assessment I mentioned before. This can be achieved by the consistent application of a recognized, industry-wide cyber risk framework, and supported by sharing of cyber incident and loss data. It turns out that the current market suffers from the lack of standards and uniform language in insurance policies. Increased transparency and harmonized terminology would help buyers of cyber insurance better understand what is and what is not covered through their policies.
Another, I believe critical, recommendation in the report is the so-called government “backstop” program which addresses systemic risk in particular. The backstop is a measure of last resort to protect from losses that are above the current capacity the insurance market is able to absorb. Putting a “backstop” in place, it would absorb catastrophic financial damages from major cyber incidents and can help grow a healthy cyber insurance market, which creates positive effects for societies that are increasingly dependent on the secure and safe functioning of cyberspace.