by Christos Adamantiadis,
Chief Executive Officer, Marsh MEA
24/02/2022 · 3 minute read
With so many companies in the region making permanent changes to working patterns, the need for strong cyber security and risk mitigation policies is becoming increasingly important. Right now, the corporate world is still adjusting – and as it does, it opens up windows of opportunity for cybercriminals to take advantage.
This has resulted in increased exposure to cyber risk events, such as phishing, bugs, bots, spyware, adware and digital worms – all exacerbated by working from home and changes in the flow of data. Stronger, more resilient risk management practices are therefore necessary to avoid cyber risk and achieve sustained growth – but this new normal is also reshaping how the re/insurance sector operates.
Cyber is fast becoming a systemic risk. The insurability of systemic risk is going to be one of the defining issues of the next decade for the re/insurance sector. As cyber risk is one of the most dynamic perils in the industry, carriers must carefully evaluate, manage, and quantify exposures. As regulators formalize capital requirements and mandate how risk appetite is measured, re/insurance companies are increasingly having to enhance cyber underwriting and reinsurance strategies.
That means investing in the development of innovative modelling capabilities and developing technical and underwriting cyber-risk talent. The latter is particularly important if insurers are to offer their clients the best security possible.
Yet delivering the best security is especially difficult in technologically advanced and rapidly changing markets like the Gulf Cooperation Council (GCC). The pace of change is a challenge in itself: right across the region, accelerated digitalisation, innovation hubs, smart city developments, cryptocurrency exchanges and the emergence of Blockchain conspire to form a digital landscape that is constantly in flux. And in an environment of perpetual change, gaps can be found. Examples of exciting but potentially vulnerable areas of innovation in the GCC include the UAE-based gold-backed cryptocurrency Melecoin, or Bahrain’s cloud-first policy, which mandates cloud adoption for government agencies and entities.
For re/insurers, the complexity of this era of disruption makes it more challenging to formulate a cyber risk management strategy. Other challenges include divergent views of the potential silent cyber exposure on property, casualty, aviation, transportation, marine and other policies.
As technology has come to define much of the modern business era, cyber-attacks have progressed beyond simple data breaches to sophisticated schemes designed to disrupt business operations and supply chains. As a result, traditional lines insurers have expressed concern that claims stemming from cyber risks — risks they contend they have neither underwritten to nor charged for — are creating unmeasured exposure in their portfolios. In this context, we define cyber risk as the possibility of loss or injury relating to or involving data or technology. This phenomenon of non-affirmative coverage for cyber risk in non-cyber policies is known as silent cyber.
Silent cyber can arise in a number of ways, for example, if:
This is compounded by the fact that carriers must constantly re-evaluate underwriting strategies to stay abreast of the latest cybersecurity innovations, software patches and attack vectors, all while the market demand for cyber products is exponentially increasing.
Despite the challenges, a variety of growth strategies exist for insurers looking to explore the space. Some companies are targeting only large corporate risks, while some are looking exclusively at small- and medium-sized enterprises (SMEs) – to avoid the risk that larger corporate claims might destabilize their portfolios. Others are attempting to balance their large corporate cyber business with SME business through white-labelling or supporting managing general agents.
Insurers can take heart that businesses of all sizes and all industries are on their side. Our new research report shows that while COVID-19 recovery remains a deep concern for companies, the region’s overall business continuity response has been swift and effective. Cyber risk also featured very highly amongst the next critical risks for respondents, with cyber-attacks ranked second, and data fraud and theft ranked fifth.
The report – MEA Risk Management and Insurance Perception Survey – captures the concerns of more than 150 senior business leaders in the region from across 18 industries, identifying gaps in expectations and operational performance. The results serve to showcase what makes for a more resilient business, highlighting that successful growth is closely linked to the adoption of stronger, more resilient risk management practices.
With so much at stake for businesses and their customers, companies in the region must act decisively. They should continue to strengthen key performance indicators for risk response times – like risk identification, assessment, and reporting. Companies can work with insurers to utilize data and analytics, which are widely acknowledged as an essential business enabler rather than just a compliance activity. Risk advisors can harness artificial intelligence, for example, to evaluate potential silent cyber exposure at an individual policy level.
The number – and diversity – of companies purchasing cyber insurance continued to increase before COVID-19 in 2019, driven by growing recognition of cyber threats as a critical business risk. Now, as we adjust to the new normal in 2022 and beyond, we must work together to win the battle against cyber risk.