The rapid digitalisation of all businesses means that the use of technology and the associated cyber risk is now truly a strategic issue. As digitalisation grows, so does vulnerability to the associated risks. Cyber hackers are notoriously opportunistic and continuously create ways to attack new technology and overcome defences. The global ‘WannaCry’ malware attack that took place in May 2017 demonstrated the growing scale and impact of cyber events. The effective management of cyber risks can help build stakeholder trust, provide customer assurance and deliver competitive advantage.
Cyber risk continues to feature in the top three risk concerns of Airmic members, and two-thirds are concerned that a cyber event resulting in business interruption may affect their business in the next three years (Airmic transformation of the risk profession survey, 2017). However, confidence in cyber risk management is low. Fewer than a third of members are satisfied with their organisation’s ability to manage cyber risks (Airmic transformation of the risk profession survey, 2017).
The cyber insurance market has developed rapidly. Policies with greater limits and an increasing focus on first-party losses are beginning to emerge. There is a sense of developing standardisation of covers across the market, making the purchasing process easier. However, just 38% of organisations are buying relevant cyber insurance cover (PwC Global State of Information Security Survey, 2017).
Airmic members report that cyber risk is very high on the risk agenda, but that its management is often patchily implemented, with little collaboration between the risk, information technology and other related functions. However, the risk manager has a clear role to play. Risk managers should have:
- the understanding of the business at an enterprise level to visualise how a distinct cyber event would be felt across the business and affect internal and external stakeholders
- the internal connections with HR, Audit, the Board, Finance, etc. to develop cyber risk management beyond technical protection into an enterprise-risk management framework
- the understanding of the insurance market and its associated services such as external crisis management support, to provide additional support and risk control beyond internal security.
This paper aims to help risk managers lead the cyber risk conversation. The paper is an update of the 2012 paper, ‘Airmic review of recent developments in the cyber insurance market’, and provides a framework for Airmic members to assess their cyber risks, before summarising the cover available and the underwriting information required to buy such cover.