Systemic Cyber Risks: The Risk of Cyberattacks

 

Insurers are grappling with how to provide adequate coverage for these complex and potentially catastrophic risks, particularly as traditional risk models struggle to keep pace. The increasing reliance on technology and interconnected systems has heightened the risk of cyberattacks. These attacks are no longer limited to individual computers or networks. They can now target critical infrastructure, supply chains and even entire industries, leading to widespread disruption and significant financial losses.

 

This is what we refer to as "systemic cyber risk," and it poses a significant challenge for insurers who are grappling with how to provide adequate coverage for these complex and potentially catastrophic risks.  

 

 

 Systemic Cyber Risk

 

Systemic cyber risk refers to the potential for a single cyber event to trigger cascading failures across multiple organizations, sectors or even countries. Modern systems are highly interconnected, meaning that vulnerability in one system can be exploited to compromise others. Many organizations rely on the same technology providers or platforms, creating a single point of failure that can be exploited to cause widespread damage. The increasing complexity of IT systems makes it difficult to identify and manage all potential vulnerabilities. Cybercriminals are becoming more sophisticated and are constantly developing new attack techniques.

 

 

Insurers face several challenges in providing coverage for systemic cyber risks:

 

Risk Assessment: Traditional risk models are not designed to capture the interconnectedness and cascading effects of systemic cyber events. This makes it difficult to accurately assess the potential losses from such events.

Data Scarcity: There is limited historical data on systemic cyber events, making it difficult to predict the frequency and severity of future attacks.  

Accumulation Risk: A single systemic cyber event can trigger a large number of claims simultaneously, potentially exceeding the insurer's capacity to pay out.  

Correlation Risk: Systemic cyber events can affect multiple policyholders at the same time, leading to correlated losses that are difficult to diversify.  

Exclusions and Limitations: Insurers may exclude or limit coverage for certain types of cyberattacks, such as acts of war or terrorism, which can make it difficult for businesses to obtain adequate coverage.  

 

 

Insurers are working to adapt to the evolving landscape of systemic cyber risk:

 

• Insurers are investing in new risk models that can better capture the interconnectedness and cascading effects of systemic cyber events
• Insurers are working to collect more data on cyberattacks, including information on the types of attacks, the targets and the financial losses
• Insurers are collaborating with cybersecurity experts, technology providers and government agencies to better understand and manage cyber risks
• Insurers are developing new insurance products that provide more comprehensive coverage for cyber risks, including coverage for systemic events
• Insurers are using various techniques to manage their accumulation risk such as setting limits on coverage and diversifying their portfolio of insured risks

 

 

Governments also have a role to play in addressing systemic cyber risk:

 

Governments can set minimum cybersecurity standards for critical infrastructure and other key sectors. Governments can share information about cyber threats with the private sector. Governments can promote collaboration between the public and private sectors to address cyber risks. Governments can provide support to businesses that are affected by cyberattacks.

 

While insurance can help businesses manage the financial impact of cyberattacks, it is not a substitute for good cyber hygiene. Businesses need to take steps to protect themselves from cyberattacks. This includes firewalls, intrusion detection systems and anti-virus software. Employees need to be trained on how to identify and avoid cyber threats. Businesses need to have plans in place to respond to cyberattacks. Software should be regularly updated to patch security vulnerabilities.  

 

Systemic cyber risk is a growing threat that poses a significant challenge for insurers. However, by developing new risk models, collecting data, collaborating with experts and offering new products, insurers are working to adapt to this evolving landscape. Governments also have a role to play in addressing systemic cyber risk. Ultimately, a combination of insurance, government regulation and good cyber hygiene will be needed to protect businesses and critical infrastructure from the potentially catastrophic effects of systemic cyberattacks.