Five Approaches to Insuring Cyber Risks

Cyber risks are some of the most dangerous risks of the twenty-first century. Many types of businesses, including retail stores, healthcare entities, and financial institutions, as well as government entities, are the targets of cyber attacks. The simple reality is that no computer security system is completely safe. They all can be breached if the hackers are skilled enough and determined. Consequently, the worldwide damages caused by cyber attacks are predicted to reach $10.5 trillion by 2025. Insuring such risks is a monumental task. The cyber insurance market currently is fragmented with hundreds of insurers selling their own cyber risk insurance policies that cover different types of cyber risks. This means the purchasers of cyber insurance must be experts in both insurance and cyber security in order to make a knowledgeable purchase. And, even knowledgeable purchasers of cyber insurance can only obtain limited coverage for cyber risks. This is because the insurance is sold on a named peril, as opposed to all-risk, basis and the policies contain numerous exclusions. Cyber policies also have relatively low policy limits in comparison to other lines of insurance and the enormity of the risks presented. This Article explores ways the cyber insurance market could be improved. In doing so, it analyzes the current cyber insurance market, including the history of cyber insurance and the challenges that insuring cyber risks present. The Article then offers five different approaches to insuring cyber risks moving forward that address many of the problems with the current cyber insurance market. Ultimately, the Article concludes the fifth approach, the novel “All-Risk Private-Public” approach, would be the best one

Cyber Risks, Potential Liabilities and Insurance Responses in the Marine Sector

The marine sector is vulnerable to cyber-attacks as it becomes more dependent on information and operational technology systems connected to the internet. While this allows for greater efficiency, the interconnected nature of such systems will expose the sector to new and evolving cyber risks. The research begins by briefly examining the nature of cyber risks, identifying likely threat actors and the motivation behind such attacks. Through the use of hypothetical scenarios, the researcher identified; i) some of the cybersecurity vulnerabilities particular to the marine sector, ii) the potential losses and liabilities from a cyber-attack / incident and iii) analysed how insurance may be used to mitigate the risks focusing specifically on the adequacy of traditional marine policies as well as cyber insurance policies to cover such risks. Traditional marine policies were analysed to identify the gaps in cyber coverage in addition to the recognition that without a clearly written cyber exclusion clause, insurers will be exposed to risks and liabilities they did not intend to cover. As for Assureds, while traditional hull and cargo insurance policies may cover some risk, they will not fully cover losses unique to cyber risks such as network failure, data loss, business interruption, cyber espionage and reputational damage so they too may not have adequate coverage against cyber-attacks. The main conclusion from the research is that marine and cyber insurance policies currently available do not adequately protect against cyber related losses and liabilities particularly those unique to the marine sector. This is primarily due to the extensive list of exclusions found in cyber insurance policies and commonly used cyber exclusions clauses usually attached to traditional marine policies. The coverage limits are also inadequate to cover the potential losses to marine facilities and assets which are usually connected to a complex supply chain

Cyber Insurance and the Cyber Security Challenge

Governments and businesses are struggling to cope with the scale and complexity of managing cyber risk. Over the last year, remote working, rapid digitalisation and the need for increased connectivity have emphasised the cyber security challenge. As the pursuit of approaches to prevent, mitigate and recover from malicious cyber activity has progressed, one tool that has gained traction is cyber insurance. If it can follow the path of other insurance classes, it could play a significant role in managing digital risk. This paper explores whether cyber insurance can incentivise better cyber security practices among policyholders. It finds that the shortcomings of cyber insurance mean that its contribution to improving cyber security practices is more limited than policymakers and businesses might hope. Although several means by which cyber insurance can incentivise better cyber security practices are identified, they have significant limitations. Interviewees from across government, industry and business consistently stated that the positive effects of cyber insurance on cyber security have yet to fully materialise. While some mature insurers are moving in the right direction, cyber insurance as a whole is still struggling to move from theory into practice when it comes to incentivising cyber security. If this is to change, the insurance industry must overcome significant challenges. One is the competitiveness of the nascent cyber insurance market over the last two decades. Most of the market has used neither carrots (financial incentives) nor sticks (security obligations) to improve the cyber security practices of policyholders. The industry is also struggling to collect and share reliable cyber risk data that can inform underwriting and risk modelling. The difficulties inherent in understanding cyber risk, which is anthropogenic and systemic, mean insurers and reinsurers are unable to accurately quantify its causes and effects. This limits insurers’ ability to accurately assess an organisation’s risk profile or security practices and price policy premiums accordingly. The spectre of systemic incidents such as NotPetya1 and SolarWinds2 has also limited the availability of capital for cyber insurance markets. However, the most pressing challenge currently facing the industry is ransomware. Although it is a societal problem, cyber insurers have received considerable criticism for facilitating ransom payments to cybercriminals. These add fuel to the fire by incentivising cybercriminals’ engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities. Growing losses from ransomware attacks have also emphasised that the current reality is not sustainable for insurers either. To overcome these challenges and champion the positive effects of cyber insurance, this paper calls for a series of interventions from government and industry. Some in the industry favour allowing the market to mature on its own, but it will not be possible to rely on changing market forces alone. To date, the UK government has taken a light-touch approach to the cyber insurance industry. With the market undergoing changes amid growing losses, more coordinated action by government and regulators is necessary to help the industry reach its full potential. The interventions recommended here are still relatively light, and reflect the fact that cyber insurance is only a potential incentive for managing societal cyber risk. They include: developing guidance for minimum security standards for underwriting; expanding data collection and data sharing; mandating cyber insurance for government suppliers; and creating a new collaborative approach between insurers and intelligence and law enforcement agencies around ransomware. Finally, although a well-functioning cyber insurance industry could improve cyber security practices on a societal scale, it is not a silver bullet for the cyber security challenge. It is important to remember that the primary purpose of cyber insurance is not to improve cyber security, but to transfer residual risk. As such, it should be one of many tools that governments and businesses can draw on to manage cyber risk more effectively

Cyber insurance of information systems: Security and privacy cyber insurance contracts for ICT and helathcare organizations

Nowadays, more-and-more aspects of our daily activities are digitalized. Data and assets in the cyber-space, both for individuals and organizations, must be safeguarded. Thus, the insurance sector must face the challenge of digital transformation in the 5G era with the right set of tools. In this paper, we present CyberSure-an insurance framework for information systems. CyberSure investigates the interplay between certification, risk management, and insurance of cyber processes. It promotes continuous monitoring as the new building block for cyber insurance in order to overcome the current obstacles of identifying in real-time contractual violations by the insured party and receiving early warning notifications prior the violation. Lightweight monitoring modules capture the status of the operating components and send data to the CyberSure backend system which performs the core decision making. Therefore, an insured system is certified dynamically, with the risk and insurance perspectives being evaluated at runtime as the system operation evolves. As new data become available, the risk management and the insurance policies are adjusted and fine-tuned. When an incident occurs, the insurance company possesses adequate information to assess the situation fast, estimate accurately the level of a potential loss, and decrease the required period for compensating the insured customer. The framework is applied in the ICT and healthcare domains, assessing the system of medium-size organizations. GDPR implications are also considered with the overall setting being effective and scalable

The Global Risks Report 2016, 11th Edition

Now in its 11th edition, The Global Risks Report 2016 draws attention to ways that global risks could evolve and interact in the next decade. The year 2016 marks a forceful departure from past findings, as the risks about which the Report has been warning over the past decade are starting to manifest themselves in new, sometimes unexpected ways and harm people, institutions and economies. Warming climate is likely to raise this year's temperature to 1° Celsius above the pre-industrial era, 60 million people, equivalent to the world's 24th largest country and largest number in recent history, are forcibly displaced, and crimes in cyberspace cost the global economy an estimated US$445 billion, higher than many economies' national incomes. In this context, the Reportcalls for action to build resilience – the "resilience imperative" – and identifies practical examples of how it could be done.The Report also steps back and explores how emerging global risks and major trends, such as climate change, the rise of cyber dependence and income and wealth disparity are impacting already-strained societies by highlighting three clusters of risks as Risks in Focus. As resilience building is helped by the ability to analyse global risks from the perspective of specific stakeholders, the Report also analyses the significance of global risks to the business community at a regional and country-level