If you are a business insurer, then your clients are typically being exposed to cyber risk. As RMS has discussed previously in our 2019 Cyber Risk Outlook, the digital economy has become more pervasive and now accounts for almost a third of the GDP of developed countries, and e-commerce now represents 14 cents in every U.S. dollar spent in retail. The “attack surface” vulnerable to cyber risk expands as more and more business devices are connected to the Internet, with technologies becoming more standardized, homogenized, and cloud dependent.
So, it’s never been more important to understand the cyber risk landscape, whether you are a dedicated affirmative cyber insurer or exposed to “silent-cyber” – where potential cyber-related losses stem from traditional property and liability policies not specifically designed to cover cyber risk.
In September, RMS ran a series of cyber risk seminars in London and New York. These half-day events coincided with the release of RMS Cyber Solutions version 4.0 and featured both RMS and industry experts discussing cyber risk and the opportunities for the cyber insurance industry.
At both events, the day kicked off with Dr. Andrew Coburn, senior vice president for RMS, examining recent developments within the cyber risk landscape by outlining the approach RMS takes to tracking and categorizing the wide range of evolving threat actor groups. He also proposed some key future trends, such as the potential impact of a “gloves-off” nation-state cyberattack and its implications for the cyber insurance industry.
What will cyber risk look like in 2030? Given the rate of change of technology, this may seem like an impossible question to answer. But for those making investments that depend on these new technologies and the risks that surround them – either managing or insuring the risk – it’s critical that these investments are being made not only with a 12-month horizon in mind, but with a projection that extends over the next five or even ten years.
To facilitate this important discussion, RMS is delighted to be co-hosting an event at the University of Cambridge Judge Business School on “The Future of Cyber Risk”. To be held on July 24, the event will challenge cyber risk specialists and risk managers to think beyond the next 12 months and to consider how cyber could evolve over a five- to ten-year horizon.
In particular, the event will focus on the potential paradigm shifts that could provide strategic shock, and how business strategies should be developed to cope with this uncertain future.
RMS recently participated in a cyber model comparison exercise at the Cat Risk Management and Modelling conference in London. These types of comparison for natural catastrophe models have been performed at several conferences during the last decade, but this was the first time that losses from multiple cyber models had been compared in this way. The assessment included established cyber model firms such as RMS and Guidewire, as well as start-ups including Corax, Kovrr and CyberCube.
This comparison exercise clearly demonstrated that the cyber modeling industry has not reached a consensus on the likelihood and impact of extreme cyber catastrophes. The comparison was run against a small number of accounts – looking at a total of 46 U.S. companies across a range of industry sectors.
This article was originally published in The Insurer.
Examples of data theft continue to stream through; no one brand seems immune from having to announce major losses of customer data records. Uber paid US$148 million to settle a legal action over a cyberattack in 2016 that exposed data from 57 million customers and drivers. Forbes reported that Yahoo agreed to pay a US$50 million settlement to roughly 200 million people affected by the email service’s 2013 data breach.
It is still the case that data theft is the leading source of loss for both insurers and reinsurers that cover cyber. The cyber insurance market is still in an early growth stage as the overall economic impact on the global economy from cyberattacks in 2017 was estimated at US$600 billion. Insured loss for standalone cyber policies was a fraction of this, at around US$1 billion to US$1.5 billion. But with cyber risk continually evolving, insurers may have to contend with a new, growing source of loss as cyber attackers are turning to ransomware, as it offers a potentially easier and more lucrative attack method.
In a ransomware attack, malware infiltrates the networks of a company and disables servers or locks up data until a ransom is paid. This contagious malware, of which WannaCry and NotPetya are probably the most renowned examples, can even plague companies with high standards of security, and has the ability to scale and to cause systemic loss to thousands of companies. Attackers have also stolen data from a company and then attempted to extort a ransom from the victim company in return for the data.
Overall, the number of ransomware attacks is increasing each year, and ransomware is easily available for cyber attackers to buy on the dark web. As outlined in our recent RMS Cyber Risk Outlook Report, estimates of ransomware extorted in 2017 exceed five billion dollars, a 15-fold increase over the previous two years.