The global insurance and reinsurance industry needs to develop a common cyber risk currency in order to improve risk differentiation in a rapidly expanding part of the risk transfer space, according to Guy Carpenter’s Morley Speed and Carolyn Morley.
As the cyber risk market continues to evolve, diversification is essential, but so to is the expansion into areas like operational technology risk, data availability and integrity, all of which require a common cyber risk currency.
This is according to Morley Speed, Managing Director, and Carolyn Morley, Chairman, Global Casualty, at reinsurance broker, Guy Carpenter.
“Confidentiality and data breach have been the focus of the U.S. cyber market for a number of years primarily due to regulatory requirement. And while Business Interruption-related cyber cover is more prevalent in the international arena, the implementation of the General Data Protection Regulation and plans for a new UK Data Protection Bill will drive greater focus on data confidentiality, especially given the provisions in the legislation for fines of up to four percent of global revenue,” said Speed.
He called for the cyber industry to move into areas such as operational technology, which has become a huge issue for the manufacturing sector, for example, underlined by growing demand for solutions.
“Yet, while data breach can be packaged due to the growing credibility of per-risk modelling capabilities and the fact that such attacks tend to be company-specific, OT risks, particularly in an ‘Industry 4.0’ environment, have a much greater systemic potential,” continued Speed.
Morley, added; “Growing supply chain dependency – both between companies and suppliers, and across operating systems and internet services – greatly enhances and extends OT vulnerability.
“However, while we can better model the interconnectedness of these networks, we cannot accurately model the level of dependency nor the inherent resilience a company may have.”
Speed highlighted the WannaCry cyber breach as an example, noting how the exposure levels were dependent on the level of reliance companies had on specific operating systems, adding that it remains challenging to assess the dependency.
This, says Speed, is real hindrance, and underlines the need to establish a common cyber currency in order to develop an “accurate picture of potential exposure levels.”
Morley used the property catastrophe sector as an example of how an efficient market offers substantial capacity based on a common currency of risk.
“This identifies the impact of a given ‘event’ on risks within an exposure zone, taking into account their resilience. This currency is embedded in contract wordings, modelling, rating and capital allocation throughout the insurance and reinsurance value-chain,” said Morley.
Furthermore, Speed feels that the development of a common currency in the cyber risk space is needed to better understand the intrinsic value of data, explains Guy Carpenter.
Speed, said; “Current cover can protect against data reconstruction costs, but that often does not cover the true ‘nebulous’ value of that data. And if it has been compromised the information may be worthless. The multi-billion-dollar market valuations of companies such as Apple, Facebook and Google are primarily data-based. We need to provide meaningful cover built on a common risk understanding that recognises that value and adequately addresses issues of data integrity and availability.”
Concluding; “For many reinsurers, by entering the market, they are taking a share of that mix rather than being able to extract specific risks. To move cyber forward, we need to be able to build clearly differentiated portfolios. That means being able to better understand dependency and resilience levels, establish credible models to quantify non-correlation and define more highly protected risks, all based upon a recognised cyber risk currency.”