Co-authored by Tyler Shalitis, Kristen Marshall and Scott Damery
This past March, a ransomware attack caused government operations in Atlanta to come to a complete standstill. It left courts unable to process warrants, residents unable to pay bills online, and travelers unable to use airport Wi-Fi.1 Attacks like these have become the rule rather than the exception for businesses, with former FBI director Robert Mueller saying it best: “…there are only two types of companies: those that have been hacked and those that will be hacked.”2 Everyone is a target, so the seeming inevitability of becoming a hacking victim has now made risk management strategies more important than ever.
Businesses face significant barriers in obtaining adequate cyber insurance. Most companies are not sufficiently informed about cyber coverage; about 40% of businesses believe they do not need it, and 29% believe their existing insurance covers cyber-attacks.3 As a result, the take-up rate for cyber liability policies is disappointingly low, and when organizations do obtain coverage, they still face many challenges. Insurers are conservative due to a lack of historical loss data and offer low policy limits with numerous exclusions. For instance, mobile device loss or theft is typically excluded, despite the fact that it is the leading cause of breaches in the healthcare industry.4
While the commercial market leaves gaps in coverage, captives are a promising solution with capacity for higher limits due to greater access to the reinsurance market. Captives offer the flexibility to package highly correlated risks together, like reputational risk and cyber liability. Furthermore, captives provide coverage for more specific cyber risks that are often not found elsewhere, such as coverage for loss of intangible assets.
Some companies’ inability to purchase adequate cyber insurance has led to greater emphasis on a more holistic risk management approach. There is a plethora of private firms and insurance services to assist in reducing a potential attack’s severity. These services include preparing breach protocols with recommendations for IT as well as security training for employees and third-party providers. Breach protocols are useful in efforts to minimize both claim frequency and severity in the event of an incident. Security training is critical since employees are an additional line of defense against cyber-attacks.
There are now tools to help companies quantify risk exposure and identify areas that require additional security resources. The Federal Financial Institutions Examination Council released a Cybersecurity Assessment Tool for businesses to analyze the location and degree of risks across different categories. The completed analysis produces an overall risk score broken down into six groups. Companies are able to assess their current safeguards against these risks using the tool’s maturity feature. Thus businesses can identify weaknesses and learn how to best allocate resources to match their highest-risk areas with the highest protection levels.
There are additional instruments available to assist in managing risk. The Index of Cyber Security is a survey-based tool where practicing security professionals are asked to provide a numerical score of their cyber risk perception. Risk indices provide significant value for firms looking to manage their cybersecurity risk through several mechanisms. Since these indices can be developed for specific sub-classifications, they can be used to ensure both businesses and insurers do not concentrate their exposure within one area. Indices also have the potential to facilitate derivative creation, allowing insurers to hedge their average positions, not dissimilar to catastrophe bonds.
Taking steps to mitigate cyber loss severity is important because, in today’s world, total prevention of cyber-attacks is unfeasible. Quantifying risk facilitates the process of objectively determining which operational areas require additional protective resources relative to the goals and risk appetite of the insured. Financial mechanisms such as risk indices have the potential to allow for risk distribution in the broader market. A versatile risk management strategy incorporating these tools and methods, combined with cyber insurance coverage, empowers a business to become a more elusive target for today’s ever-evolving cyber attackers.
Tyler Shalitis is an Actuarial Analyst with Pinnacle Actuarial Resources, Inc. in the Bloomington, Illinois office. He holds a Bachelor of Science degree in Actuarial Science from Illinois State University and has experience in assignments involving loss reserving, loss cost projections and group captives. Tyler is actively pursuing membership in the Casualty Actuarial Society (CAS) through the examination process.
Kristen Marshall is an Actuarial Intern with Pinnacle Actuarial Resources, Inc. in the Bloomington, Illinois office. She will graduate with a Bachelor of Science degree in Actuarial Science and a Minor in Risk Management & Insurance from Illinois State University in May 2019. She has experience in assignments involving loss reserving, loss cost projections and group captives. Kristen is actively pursuing membership in the Casualty Actuarial Society (CAS) through the examination process.
Scott Damery is pursuing a Bachelor of Science degree in Actuarial Science from Illinois State University, with expected graduation in May 2020. Scott collaborated with Tyler and Kristen to research and present on Risk Management in Cybersecurity as part of the 2018 Pinnacle University event.