October 15, 2019
Cyber threats are a strategic enterprise risk that requires significant focus and time by boards and C-suite members, among other key stakeholders. And yet many organizations have worryingly low board and executive level engagement around cyber risk, according to the Marsh Microsoft Global Cyber Risk Perception Survey. Moreover, the practices employed to counteract these risks by many firms that lack sufficient senior management engagement significantly lag in effectiveness relative to the critical nature of cyber risk.
Recent shifts in the way insurers are covering cyber risk may necessitate changes in many organizations’ approaches to insuring this risk. And it’s imperative that board members become more knowledgeable on how insurance market changes can affect their organization’s coverage of those risks.
The insurance market for cyber risk has evolved significantly since the first network security policies were offered in 1999. This evolution has mainly been driven by the dynamic, volatile nature of cyber risks and shifting buyer demographics from privacy-driven entities to companies in all industries, most notably the manufacturing sector. This has also fueled the purchase of standalone cyber insurance: 47 percent of respondents to the 2019 survey by Marsh and Microsoft Corp. said they now have cyber insurance, up from 35 percent in 2017.
Recently, a third factor in this evolution has emerged as the insurance industry has sought to clarify how property and casualty (P&C) policies might respond to a cyber event. Traditional P&C insurance is intended to respond to physical perils, but policyholders’ evolving risk profiles and the failure of traditional policy language to keep pace have resulted in unintended cyber event coverage, commonly known as “silent cyber” risk.
The insurance industry, led by Lloyd’s of London, is now taking the position that all P&C insurance policies must either expressly exclude or include cyber coverage; effective January 2020, Lloyd’s insurers can no longer remain “silent.” Although it is still unclear what this means for policyholders, traditional P&C markets appear to be moving toward exclusion—not inclusion—of cyber risks.
As new technologies and devices add complexity to organizational risk profiles, board members and C-suite executives must be aware that traditional insurance markets are moving to exclude cover for much of that risk. Faced with a seemingly perfect storm of increasing risk and decreasing coverage, a clearer and more nuanced approach is necessary to manage the risks of doing business—one that includes not just a broad cyber insurance program but also the treatment of cyber issues as an operational risk.
The uncertainty about how and where coverage of cyber risks can be found in insurance policies should stand as a challenge to companies to evolve their cyber risk management strategy. After all, 80 percent of organizations polled in our survey said cyber threats now rank as a top five risk concern, up from 62 percent in 2017. But are organizations taking strategic action?
Our findings suggest there is another form of “silent” cyber risk. Despite cyber risk being viewed as of greater concern than any other risk, including adverse weather and earthquakes, organizations’ overall confidence in their ability to manage cyber threats has declined: Only 11 percent reported high confidence in their ability to understand, prevent, and respond to cyber risks.
While myriad factors underlie this drop in confidence, two data points are telling.
Organizations that perceive a lack of executive support or mandate to address cyber risk are significantly less confident about their capabilities to respond appropriately.
A large majority of organizations—88 percent—still view the information technology (IT) department as a primary owner of cyber-risk management, with executive leadership and boards ranking second (named by 65 percent). But only 16 percent of executives and boards say they spend more than a few days a year on cyber risk issues.
The disconnect is striking: Cyber threats call for a rigorous risk management strategy, but many organizations—and their leaders—are delegating or sidelining the issue.
Our message is straightforward: Organizations must elevate cyber risk to a board-level issue and apply the same discipline and governance that other critical risks receive. Boards must embrace their oversight role, and include all key internal stakeholders in the cyber-risk management process, not just IT; engage in cyber event planning, training, and incident response rehearsals; and invest in both cybersecurity technology and insurance, based on quantified measurement of organizational cyber risk.
Our survey shows that organizations that quantify their cyber-risk exposures are more likely to engage in both technological and non-technological actions to manage the risk. For example, 50 percent of manufacturers that measure their cyber risk in economic terms also engage in loss modeling, compared with 18 percent of manufacturers that do not quantify their cyber risk. Loss scenario modeling is an essential driver of well-informed investment decisions and return on investment (ROI) measurement, and it strengthens an organization’s ability to approach cyber risk strategically by enabling a shift away from technical jargon toward a dollar-based discussion in language understood across the business.
Likewise, 90 percent of manufacturers that quantify cyber risk invest in employee training, compared with 62 percent of manufacturers that do not quantify cyber risk. And those that quantify cyber risk are more than twice as likely to assess supply chain risk as those that do not (55 percent vs. 25 percent). Clearly, measuring the actual value at risk from cyber events provides crucial intelligence about the need to invest in actions that build resilience.
How can board members and C-suite executives take more ownership of cyber risk, and ensure a strategic risk management framework is in place? How can they gain a more thorough understanding of their insurance programs and the protections these programs can offer? A good starting point is to ensure they are having the right conversations with risk professionals about their organizations’ cyber exposures, and how their insurance programs will or won’t respond.
Equally important are framing cyber risk exposures in economic terms to enable comparison with other enterprise risks; optimizing capital allocation across mitigation, insurance, or other resilience-building areas; and measuring the impact of cyber spending on risk reduction.
Finally, since cyber threats are now a strategic concern requiring executive ownership, the assessment, measurement, and management of cyber risk should be a consistent board meeting agenda item.
We are entering a new era in the management of cyber threats. As insurance policies will increasingly either affirm or exclude cyber risk, it becomes crucial for board members and C-level executives to understand the potential threats facing their organization and to embrace a strategic risk management approach to combat them.
Robert Parisi is the cyber product leader at Marsh.