Alex Petsopoulos, Cyber Security Partner, PwCMany business leaders are beginning to see cyber security as the risk that will define their generation. It can take just one incident – the loss of business data or customer details – to trigger a board-level crisis, and possibly cause the CEO to lose their job. As the Internet of Things accelerates connectivity and data proliferation, vulnerabilities to cyber-attacks can only increase.
PwC's Global State of Information Security® Survey[1] results reflect this. So far in 2015, there has been a 38% increase in detected information security incidents. The survey also reveals that an alarming proportion of participants don’t even know how many attacks they’ve had this year and when they’ve happened. It’s exceptionally difficult to guard against cyber-attacks when the perpetrators are constantly probing for weaknesses and continually changing their tactics.
Once systems are breached, costs can quickly escalate. Systems remediation, informing customers and helping them to deal with the impact is only part of the expense. Even bigger, and certainly much harder to anticipate, is the potential impact of compensation claims and damage to brand equity. It’s little wonder that more and more businesses are looking to insurers for protection. And as only 2% of UK companies have standalone cyber insurance[2] (compared with around a third in the US[3]), the potential for growth in this market is clear.
Uncharted waters for insurers
The problem for insurers is that there is very little actuarial data upon which to base risk evaluation and pricing. To cushion the uncertainty, many are charging high prices – the cost of cyber insurance relative to the limit purchased is typically three-times the cost of cover for more established general liability risks[4]. Many insurers are also seeking to put a ceiling on their potential losses through restrictive limits, exclusions and conditions. With these restrictions in place, many companies are coming to question how much real value these policies offer.
Actively managing the threat
So how can insurers provide better protection for their clients while safeguarding their own balance sheets? Well, the answer lies in a much closer partnership between insurers, clients and cyber risk specialists; with more timely and effective threat intelligence at its heart.
Businesses need to be doing all they can to protect themselves – and at the same time they can’t lock everything down without losing the benefits of digital commerce. It’s vital that boards consider their cyber risk appetite. A key part of this is identifying and concentrating on the ‘crown jewels’ most in need of protection - be this customer data or commercially confidential designs, for example.
Effective threat assessments will allow insurers to offer more customised coverage and risk-based pricing, rather than simply relying on blanket policy restrictions to control exposures. In the absence of actuarial data, assessments should include scenario analysis built around the latest intelligence on the nature, source and imminence of potential attack. Insurers can also take advantage of specialist support in areas such as pre-bind evaluation.
This more informed approach will enable insurers to reduce uncertain exposures while offering the levels of coverage and more attractive premium prices clients want.
To learn more about the topics covered in this blog, please register for the ABI and PwC video webinar: Cyber – Risk vs Revolution. It will be streamed live on 21 October at 15:00.
Alex Petsopoulos is a Cyber Security Partner at PwC