Boards Need to Stay on Top of Changing Cyber Insurance Markets
Recent shifts in the way insurers are covering cyber risk may necessitate changes in many organizations’ approaches to insuring this risk. And it’s imperative that board members become more knowledgeable on how insurance market changes can affect their organization’s coverage of those risks.
And yet many organizations have worryingly low board and executive-level engagement around cyber risk, according to the 2019 Marsh Microsoft Global Cyber Risk Perception Survey. Moreover, the practices employed by many firms that lack sufficient senior management engagement to counteract these risks significantly lag in effectiveness relative to the critical nature of cyber risk.
Insurers Move to Affirm or Exclude Cyber Risk
As new technologies and devices add complexity to organizational risk profiles, board members and C-suite executives must be aware that traditional insurance markets are moving to exclude cover for much of that risk under non-cyber policies. The goal is to eliminate the inadvertent coverage of cyber perils in non-cyber policies such as property and casualty – an occurrence known as “silent cyber”.
For example, Lloyd’s of London is now taking the position that all property and casualty insurance policies must either expressly exclude or include cyber coverage as of January 2020.
Faced with a seemingly perfect storm of increasing risk and narrowing coverage, a clearer and more nuanced approach is necessary to manage the risks of doing business — one that includes not just a broad cyber insurance program but also the treatment of cyber issues as operational risks.
Boards and C-Suites “Silent” on Cyber Risk Management
Our 2019 cyber survey findings suggest there is another form of “silent” cyber risk. Cyber risk is now ranked by 80% of organizations as a top 5 risk concern, but many organizations are not devoting the appropriate governance, resources, time, and prioritization of cyber risk to effectively manage it.
Organizations are in many cases “silently” managing cyber risk. For example, only 16% of executives and boards say they spend more than a few days a year on cyber risk issues. And, 88% view Information Technology as a primary owner of cyber risk management, above the C-suite and risk management.
That organizational “silence” about cyber risk translates into low cyber confidence levels. Overall, only 11% of organizations reported high confidence in their ability to understand, prevent, and respond to cyber risks. And, organizations that cite a lack of executive support or mandate to address cyber risk are even less confident about their capabilities to respond appropriately.
The disconnect is striking: Cyber threats call for a rigorous risk management strategy, but many organizations — and their leaders — are delegating or sidelining the issue.
Embracing Cyber Risk at the Board Level
Board members and C-suite executives should take active ownership of cyber risk, and ensure a strategic risk management framework is in place. And, board members and executives should ensure they have a thorough understanding of their insurance programs and the protections these programs can offer.
A good starting point is to ensure they are having the right conversations with risk professionals about their organizations’ cyber exposures, and how their insurance programs will – or won’t – respond.
Equally important is framing cyber risk exposures in economic terms to enable comparison with other enterprise risks; optimizing capital allocation across mitigation, insurance, or other resilience- building areas; and measuring the impact of cyber spending on risk reduction.
Finally, since cyber threats are now a strategic concern requiring executive ownership, the assessment, measurement, and management of cyber risk should be a consistent board meeting agenda item.
Download and read how Staying on Top of the Changing Cyber Insurance Market Is a Necessity for Boards.