Cybersecurity risk transfer is an issue faced by the cyber insurance industry
Cyber-risk is a dynamic and unstable risk that today is, in general, poorly managed by public and private sector companies. This is demonstrated by the frequency, complexity and severity of cyber attacks; the ability of the insurance industry to economically underwrite and mediate cyber insurance claims; and recent interventions by the US government in cyber legislation and cyber regulatory enforcement.
The enclosed paper discusses the dynamic and evolving nature of cyber-risk and its transition from an extreme loss to an expected loss event, the failure of market forces to mitigate cyber-risk, and the increased involvement of governments in the creation of cyber legislation and regulatory enforcement regimes. Combined, these create significant challenges for the insurance and reinsurance industry in providing suitable policies to manage cyber-risk. Without such policies, significant pressure will be placed on the private sector as insurance costs increase and coverage falls, eroding a traditional risk mitigation tool, as demonstrated by increased insurance loss ratios (avg. 67% in 2020), increased premiums and reduced insurance coverage following the rise in ransomware attacks.
Organizations have relied upon cyber insurance as a tool to mitigate cyber-risk at the expense of implementing appropriate cyber security controls. However, the erosion of cyber insurance coverage in 2021 is likely to continue into 2022, forcing insurers, reinsurers and organizations to reconsider the way forward for cyber-risk mitigation. Developments in US cyber legislation and regulatory enforcement are likely to force changes to corporate cybersecurity risk management and regulatory reporting from 2022, providing an opportunity for the cyber insurance industry. In this paper we discuss the opportunity for cyber insurance firms to better oversee and assure the cyber-risk of their clients, and for organizations to implement the appropriate practices to manage cyber-risk. This could be the start of equitable and economic cyber insurance, and could mitigate cyber-risk appropriately, in line with shareholder and market expectations.