Sergio P. Ermotti, Chairman of the Board of Directors, has stressed that, while insurance goes some way towards mitigating the impact of cyber risks, it “is not the sole solution” to cyber resilience.
Cyber risks have become even more prominent since the COVID-19 pandemic and Russia’s invasion of Ukraine, as working virtually from home has become the norm, and as the reliance on internet services continues to expand.
Nowadays, cyber operations also form a critical part of any conflict, ranging from classic espionage to disrupting critical infrastructures and military operations, psychological warfare, and misinformation, Ermotti notes.
“Already the sharp increase in cyberattacks in recent years has brought to light two facts that many people were previously unaware of or at least strongly underestimated,” he explained in a recent blog for Swiss Re.
“First, the business world is highly interconnected. And second, the digitalization of business processes is already so advanced that many companies cannot function when data or their systems are not available.”
In the current world of heightened cyber risks, insurance alone is not enough for businesses to be considered resilient, Ermotti added.
Instead, to maintain cyber resilience, organizations must have a formal information security program, a dedicated team and a governance system that are integrated with the risk, crisis, business continuity, and education programs.
“I strongly believe that insurance has an important role to play in the cyber resilience of organizations. There is, however, another important principle: Insurance can be part of the solution, it is not the sole solution,” Ermotti wrote.
“The contribution insurance can make is to help mitigate the financial impact from these risks, to deliver concrete cyber risk management service and to help increase overall cyber maturity, all this subject to a proper level of cyber resilience as mentioned above.”
As capacity tightens and cyber market pricing continues to harden, it is now becoming more acceptable for re/insurers to make base resilience requirements of insureds, such as by asking clients to secure better protection and boost their preparedness before insuring a risk.
“Thus, cyber insurance goes beyond pure risk transfer and contributes directly to improved organizational risk management and increased cyber resilience,” Ermotti noted.