Yemisi Izuora/Agency Report
As cyber risk begins to threaten insurance business worldwide, Torsten Jeworrek, a member of Munich Re’s board of management, has called on insurance companies to significantly upgrade their knowledge and skills in the cyber risk field.
He also advocated closer cooperation and transparent collaboration with policymakers to tackle this fast-rising exposure.
The reinsurer’s statement came just as US prosecutors announced criminal charges against three men accused of running a huge computer hacking and fraud scheme that included nine leading US financial firms, exposed the personal details of more than 100 million people and generated hundreds of millions of dollars of illegal profit, according to news agency Reuters.
According to some in the private sector, the insurance market is not coming up with solutions fast enough to help its customers identify, prevent, manage and transfer such cyber risks.
The solution to the problem is the creation of state-backed pools as with terror risk in many countries, they argue.
But Jeworrek opined that state-backed pools are not the only answer, saying that the insurance sector needs to intensify cooperation with customers and policymakers to tackle the risk at source and deliver improved risk transfer solutions as part of that process.
“Cyber risks constitute one of the greatest threats we face, not just to the digital economy but also to a country’s regional and national infrastructure.
The topic is being discussed at all levels in industry and politics.
The insurance industry is already offering solutions to protect companies and private individuals from financial losses,” said Jeworrek.
The reinsurer said the industry needs to seriously upgrade its expertise in many areas of business, not just IT, to gain a far better understanding of the risk.
“This is merely the start of a period of rapid change that will continue over the coming years, and the industry needs to develop a much more in-depth understanding of the processes and circumstances of the companies it insures.
It is not just IT knowhow that needs a significant upgrade: expertise in other areas such as legal issues, logistics, supply chains and production operations must also be further developed in order to better understand and identify the risks involved,” said Jeworrek.
The reinsurer concedes that it is “prudent” to ask whether the private insurance industry is really capable of insuring cyber risks on a large scale in view of the scenarios that could be involved.
But he believes the sector can rise to the challenge and should be allowed to do so.
“By clearly limiting exposure and increasing transparency as regards how insured companies are linked to one another, the insurance industry could undoubtedly assume many more risks than is currently the case.
Nevertheless, the industry reaches its limit when it comes to systemic risks such as internet failure or a large-scale attack on a state’s critical infrastructure,” he said.
“Calling for state-subsidised pool solutions or greater exchange of information between companies and governments is not the answer.
Our priority should be to prevent risks. The security of systems, production facilities and networks needs to be improved significantly, as certain aspects of security have been left by the wayside amid the euphoria of the possibilities offered by networks,” added Jeworrek.
And the reinsurer said the effort to tackle cyber risk should involve a wider group of stakeholders and experts than currently, not least governments.
“Policymakers should be involved, drawing up security standards and broadening product liability to create an incentive for manufacturers to produce systems and software that work flawlessly and are not susceptible to manipulation,” said Jeworrek.
“Munich Re works together with IT companies that help it to assess risks before it offers coverage. Industry and politics need to join forces to make our interconnected world safer and more secure and to protect critical infrastructure in particular.
Insurance companies could be called upon to use their risk knowledge to help draw up security standards,” he concluded.
Jeworrek’s call to arms will be welcomed by the wider insurance market, as there is growing concern about efforts by policymakers to try to regulate cyber risk away.
Recently, the US Senate finally passed the Cybersecurity Information Sharing Act – or CISA as it is commonly known.
The Act will now pass to Congress with two similar bills in the House before final legislation is passed.
Ben Beeson, Partner, Global Technology & Privacy Practice, at broker Lockton in the US, described this move as ‘very positive’ news.
“Sharing cyber security threat information between companies in the private sector – and with the government – is an important means of creating an early warning system against incoming attacks.
Companies will also be able to learn about specific attack vectors, the vulnerabilities that they exploit and patch or prepare before it is too late,” he said.
But Beeson added that further legislation that attempts to create cyber security standards that companies must meet is “very unlikely” to work.
“Where do you set the bar for a large publicly traded company with significant resources versus the small business with no CISO or IT department? Boardrooms tend to view standards as a compliance exercise at a time when cyber security must be viewed as an investment where no investment can be enough,” he explained.
“I am not advocating no regulation, but more than 80% of US critical infrastructure is owned by the private sector and it is the market itself that can do more than anything else to address the cyber domain challenge.
The market can drive incentives for companies to invest in and improve cyber security resilience and arguably there is no greater financial incentive than insurance,” continued Mr Beeson.
In February 2013, US President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity.
The order called for the development of a voluntary, risk-based cybersecurity framework—a set of existing standards, guidelines and practices to help organisations manage cyber risks.
“The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses,” explained the National Institute of Standards and Technology, a non-regulatory agency of the US Department of Commerce that promotes US innovation and industrial competitiveness through measurement science, standards and technology, and creator of this standard requested by the President.
“Importantly, the federal government understood this framework needed to be voluntary and not mandated,” said Beeson.
“Insurers can reward a strong cybersecurity posture through lower premium and self-insured retentions or broader coverage,” he noted.
The broker agreed with Jeworrek that the cyber insurance market remains “constrained” today.
He said that it is held back by a lack of actuarial data to model risk and is investing heavily to try and rise to this challenge.
But he sees progress and agrees with Jeworrek that now is not the time to panic.
“The good news is that market approach is already starting to work. Companies with payment card data who meet PCI (payment card industry) standards are now finding they must do more to obtain insurance, investing in end-to-end encryption or tokenisation for example.
Expect this approach to evolve further as insurers develop greater technical and analytics capability over the coming years,” concluded Beeson.