March 13, 2019
March 13, 2019
As recent events have shown, the pace and scale of cyberattacks continue to grow, as do the financial stakes—revenue losses, recovery expenses, liability costs, and potentially severe regulatory fines are all consequences facing companies. The specter of 2017’s NotPetya event, the most devastating cyber event in history, continues to haunt business leaders: the malware caused more than $10 billion in economic damages and disrupted business operations, production, and logistics for major global firms. The insured losses from that attack alone have been estimated at more than $3 billion.
Incidents such as these are forcing companies to make cyber risk a corporate priority. In the recently released Global Risks Report 2019, those in advanced economies again rank cyberattacks among their top risk concerns. That recognition has evolved from viewing cyber risk as a problem to be solved by spending more on technology to seeing it as a risk that must be actively managed across many areas of the company. That shift in mindset has brought cyber insurance into the overall equation of how a firm manages its technology risk.
But cyber risk is an increasing concern not just for c-suites and boards: regulators also are more actively looking at how organizations address cyber risks and how they manage their responsibilities to key stakeholders. So even as the financial costs of cyber threats grow, the regulatory stakes are likewise poised to rise as more regulators—and particularly the US Securities and Exchange Commission (SEC)—begin to impose stricter requirements on businesses.
These two trends—the increasing adoption of insurance to transfer cyber risk and a more rigorous regulatory approach to cyber-risk management—dovetail in numerous ways. Many of the new regulatory requirements and guidance around cyber-risk assessment, prevention, and management, executive and board-level ownership, and event disclosure and response, are the same practices that should inform an organization’s decision-making around cyber insurance investment. These same best practices are what underwriters increasingly expect and value.
Cybersecurity has been on the SEC’s agenda for several years. In 2011, the commission’s Division of Corporation Finance issued guidance calling on companies to assess their disclosure obligations regarding their cybersecurity risks and cyber incidents.
While a good starting point, the guidance did not go far enough in setting clear expectations for both proactive and reactive cyber-risk management and oversight. The SEC’s 2018 interpretative guidance outlines requirements for publicly traded companies to disclose cybersecurity risks and material incidents.
The SEC guidance focuses on five main areas:
The cost of non-compliance can be substantial. Last year the SEC leveled a $35 million penalty against a large technology company it said misled investors when the company failed to disclose the theft of the personal data from hundreds of millions of user accounts.
Congress, which holds the SEC’s purse strings, is placing mounting pressure on the agency to improve cybersecurity, and private investors are also pressing for more stringent cybersecurity controls at the companies they hold. It is, therefore, likely the SEC will start coming down on companies with more vigor, especially in the wake of recent—and, inevitably, future—major breaches.
Given the nature of the majority of risks, businesses recognize that technology and other solutions alone can’t respond to the full spectrum of risks they face. Insurance has historically stepped in to provide the financial backstop for that residual risk that cannot be managed to zero through process, procedure, and mitigation.
Cyber risk is no different in this sense, and organizations are now recognizing that cyber risk also cannot be managed through technology alone. It is an operational risk that needs to be incorporated into the firm’s overall ERM processes—one that includes risk transfer, as well as mitigation and resilience planning.
The insurance market now offers risk transfer solutions for cyber risk that address both ever-evolving technology risk and the recent retreat of traditional insurance products from adequately addressing firms’ evolving cyber-risk profile.
Cyber insurance starts with the premise that all of a firm’s technology-driven risk should be insurable. These risks include both the direct loss that a firm can suffer in terms of lost revenue or assets, as well as the liability that can arise from a data breach or failure to comply with myriad new domestic and international regulations.
Cyber insurance has also been at the forefront of pushing for better understanding of this risk’s financial implications to help the industry improve modeling of potential loss scenarios. That financial assessment is a critical foundation for businesses’ risk management planning as well: Cyber-risk quantification helps the firm assess the economic impact of a range of cyberevents, and on that basis, make informed investments in technology, insurance, and response resources. Quantification of cyber risk also allows for cyber risk to be analyzed within the firm’s overall risk framework and integrated into its overall risk management planning.
The assessment, evaluation, and modeling processes that are essential foundations for purchasing cyber insurance are, in many ways, aligned with the practices called for by the SEC in its recent guidance. Given the likelihood of an increasingly active regulatory agenda, organizations are advised to align their policies and practices to abide by the SEC’s recommendations and to consider insurance market coverage that can help protect against cyberevent-related losses and regulatory liabilities.
Bob Parisi is cyber product leader and Christopher Hetner is managing director of cyber-risk consulting at Marsh.