Reinsurance News

Cyber risk management impacts insurance pricing and credit ratings: S&P

2nd March 2023 - Author: Kassandra Jimenez-Sanchez

Despite a growing interest in cyber insurance, the organisational structures, workplace culture, and wider risk management ecosystems that combine to minimise cyber threats are still often lacking, cyber experts told S&P Global Ratings.

They also highlighted that insurers are assessing their clients’ cyber preparedness to determine the cost of their premiums, among other things, and that cyber risk management can impact credit ratings.

At the S&P Global Ratings webinar “Cyber Spotlight: 2023 Cyber Trends And Outlooks”, experts highlighted that the interest in insurance is unsurprising given the size of the financial challenges posed by cyber threats and the fast-changing and still nascent nature of the cyber insurance market.

Simon Ashworth, Chief Analytical Officer, Insurance Ratings, S&P Global Ratings, said: “The economic costs of cyber dwarfs any comparable economic loss estimation, including perils such as natural catastrophe, so the potential for this market is huge.

“And in terms of insurance coverage, we are talking about 1% of [potential] economic losses that are currently covered. So there is a huge insurance protection gap.”


According to the S&P Global report “Cyber Trends And Credit Risks” – which shares key statistics regarding growth in cybercrime and its impact on economic activity – analysts predict that the global cost of cybercrime will rise to about $10.5 trillion by 2025 (when it will be equal to nearly three quarters of the total annual GDP of China).

The report also noted a 25% increase in ransomware attacks and a 26% increase in average information security budgets in 2022, and S&P’s prediction that annual cyber insurance premiums will rise about 25% a year through to the end of 2025.

Experts also shared that statistics from the past year demonstrated the extent to which cyber security remains a people issue.

Sudeep Kesh, chief innovation officer, S&P Global Ratings, said: “We found that about 82% of cyber security breaches involved a human element.

“In terms of how to rectify that, staff training can play an important role. Risk management is a team sport and its strength is in the connectedness between the IT community, the security community within IT, risk managers, the general management, employees, and even customers.”

Insurers are assessing clients’ cyber preparedness to determine how they can be assisted, the cost of their premiums, and if coverage should be offered.

Scott Crawford, Research Director for the Information Security Channel at 451 Research, a unit of S&P Global Market Intelligence, explained: “Insurers are asking for the implementation of specific types of controls that are reflective of the issues that contribute to claims.

“They are asking organisations, are you implementing anti-phishing initiatives, email filtration for malware and suspicious domains, sandboxing for remote connectivity, and multifactor authentication, which comes up quite regularly.”

Insurers’ pricing models for cyber coverage are evolving to take account of both individual entities’ cyber exposure and increases in general cyber threat activity, the latter being the main driver of the ongoing increase in premiums, according to cyber experts.

Assessments of individual entities’ cyber preparedness can also have an effect on pricing and form the basis for a conversation with insurers about additional services that could be provided to help an entity de-risk with regard to cyber.

Insurers are not the only ones assessing businesses’ cyber risk credentials, S&P noted, as credit rating agencies such as S&P are also incorporating the risks posed by cyber events into their credit analysis.

The agency said that cybersecurity is considered as a governance factor, and more specifically as a risk management culture and oversight factor within governance.

How cyber risk impacts ratings is a regular subject of inquiry. For example, many ask whether a rating action might be taken directly as a result of an issuer’s weak cyber governance.

To which Tiffany Tribbitt, Senior Director & Lead for Global Cyber Security Research at S&P Global Ratings, answered: “The answer is, potentially yes, however…where cyber risk management is weak there are typically other weaknesses in risk management that make it difficult to tie a rating action to just weak cyber risk management.

“I have never seen an issuer that has slam-dunk risk management, except it is doing nothing for cyber risk management.”
