Mandatory reporting of cyber-attacks would improve understanding of cyber risk

The recent call by the Association of British Insurers (ABI) for the U.K. government to mandate the reporting of cyber-attacks is another welcome attempt to improve the collective learning opportunities presented by the continuous stream of cyber events. Every attack provides new data that can be fed into the probabilistic models used to build resilience against this growing corporate peril, but only if we are able to find out about those attacks. Initiatives like this, which lead to the sharing of valuable information and insights, are therefore paramount.

Reporting data breaches is already mandatory in most U.S. states, where laws require companies to notify affected customers (and, in many states, regulators) as soon as they discover a security breach. From 2018 a similar EU law, the Network and Information Security (NIS) Directive, will make it mandatory for certain firms to report cyber incidents.

However, having more information on data breaches still provides only part of the picture required to fully understand cyber as a peril.

Current security breach notification laws, where they exist, do not require companies to report the many other types of cyber-attack increasingly being used to target organizations. Cyber extortion, for example, is a growing trend, yet firms typically choose not to report this type of attack in order to limit damage to their corporate reputation.

Historical attacks not a good indicator of the future

While access to data on historical cyber breaches is valuable, the threat is constantly evolving, so previous attacks have rarely been a good indicator of future events. Even a small shift in the balance between the capabilities of attackers and cyber defenses could lead to a significant shift in the frequency and severity of cyber-attacks.

Staying on top of the myriad threat actors, their motivations and resources, and the broad range of viable attack methods that exist today is crucial to understanding and managing cyber risk. It is also challenging to do.

As a first step to help insurers better understand the loss potential of their existing cyber risk, RMS recently launched its Cyber Accumulation Management System. This tool provides insurers with a framework to organize and structure their data, identify their accumulations and correlated risk, and stress test their portfolios against a range of cyber loss scenarios. This capability enables insurers to understand the potential size of cyber catastrophes and to set their risk appetite so that they can safely grow capacity for this line of business.

Cyber-attacks are an increasingly significant threat to the global economy. New cyber risk management solutions, combined with initiatives such as mandatory reporting, will help the insurance industry continue to play its crucial role in ensuring the resilience of our economy.

Contact the RMS cyber team for more information at cyberrisk@rms.com.

Product Manager
Tom is a Product Manager within RMS' Emerging Risks division and, since early 2015, has worked with the Cambridge Centre for Risk Studies and RMS' development partners to bring the RMS Cyber Accumulation Management System to market. Tom joined RMS in 2013 as a technical sales expert, assisting a number of leading (re)insurers in advancing their catastrophe management practices.

Prior to joining RMS, Tom spent four years at Hewlett Packard Software in the European presales team, working closely with a number of HP's IT security products.