Volatile Cyber Risk Landscape Highlights Need for Insurance
Massive data breaches compromising the records of millions of consumers continue to make headlines, despite continued growth in corporate cybersecurity budgets. According to Gartner, companies around the world are expected to spend $124 billion on information security technology in 2019, an 8.7% increase over this year.
But cyber-attackers are adapting to more sophisticated cybersecurity measures and the global cost of cybercrime — currently pegged at around $600 billion annually, according to McAfee — is forecast to increase.
Moving Towards Knowledge-Based Investments
Aside from the massive risk to operational continuity and financial performance posed by cyber-attacks, regulators and governing entities in many jurisdictions require cybersecurity implementation and oversight, starting at the board level. To be effective, a cyber risk management strategy should be implemented at the enterprise level and supported with the necessary investments in mitigation, risk transfer, and resilience planning.
An important first step for businesses is to quantify cyber exposure in terms of its potential economic impact on financials and continuity of operations. This can allow for informed decision-making and a sound cyber risk investment strategy that measures its return relative to the risk it seeks to mitigate. Yet according to a poll conducted during a recent Marsh webcast, many organizations have not quantified their cyber risk.
Technology Investment is Necessary, but not Enough
Despite ongoing escalation in cybersecurity spending, investing in technology alone is not sufficient. While risk mitigation is important, there exists no cybersecurity silver bullet guaranteed to eliminate cyber risk. Human error is often cited as the most frequent and influential factor contributing to cyber events, either because it is the root cause of an event — for example, failure to practice good password hygiene — or because the attack response is mishandled, leading to greater financial impact.
That means organizations must develop cyber risk management strategies that include regularly updated incident response planning and continuous technology upgrades and training. These should be complemented by effective insurance programs that provide organizations with appropriate coverage based on the estimated financial impact they would suffer as a result of a cyber event.
While most cyber policies include a range of basic coverages, they should be tailored to an organization’s unique risk profile, taking into consideration:
Its use of, and dependency on, technology.
Its engagements with and obligations to third parties, including customers, vendors, and suppliers.
How it collects, handles, stores, and transmits personal and confidential information.
Businesses continue to increase investment in intangible assets, which are more susceptible to cyber-attack. As these intangible assets form a larger proportion of the company’s balance sheet, their destruction or theft becomes more financially devastating. It is therefore incumbent upon business leaders to recognize cyber threats as a risk of doing business, while understanding that this risk can be effectively managed through a joint strategy of mitigation, risk transfer, and resilience planning. Just as the installation of building sprinklers does not negate the need for property insurance, cybersecurity technology should not replace, but rather be a companion to, cyber insurance.