20 October 2014 Insurance

Risk management vs reinsurance

Insurance and reinsurance are not alternatives to enterprise risk management (ERM). Risk transfer programmes should be used to address the structural residual risk that remains after mitigation. In EY's experience, companies that identify their risks and adopt risk management leading practices find it easier to obtain the right cover at the right price, with reinsurance optimised accordingly. The insurance industry should insist on this enterprise-level risk mitigation before it issues cover for large risks and data breaches.

Emerging technology threat

Cyber risk is part and parcel of the transformation of how business is conducted globally, as people and organisations interact through smartphones, the commercial internet and social media.

Technology has redrawn the boundaries of modern society. The industry must measure and model cyber risk, including its correlation with other risks, and bring it into solvency and risk-based capital calculations, with the aim of reducing long-tail exposure.

It is easy for organisations to be reactive about cyber events and say "it will never happen to us", but when an event does happen it is costly in both financial and reputational terms.

This can directly affect the solvency of the organisation through loss of customers, a falling share price and a potential rating downgrade.

An incentive to invest

It is difficult for governments to determine whether a cyber attack is an attack on a company or on a country. They need to know the extent and nature of a data breach, especially when IP theft or loss of private data is involved. The mechanism being introduced is mandatory data breach notification law, which forces organisations to report breaches within a specified period.

Heavy fines (up to 10 percent of gross annual income) may be imposed for failure to comply, in addition to reputational damage from which companies may take years to recover. Not knowing that a breach occurred is no excuse: the penalties are the same.

Based on conversations with clients, EY believes that this is an incentive for companies to adopt and invest heavily in risk-mitigating technologies, standards and leading practices closely related to risk assessment and ERM.

To date, the reinsurance industry has followed insurers in looking at what the risk means and how it can be transferred using existing industry mechanisms (ie, reinsurance, captives, catastrophe bonds, sidecars and other special purpose vehicles).

Supply chain risk

Recent natural catastrophe events have shown what can happen to the global supply chain in terms of disruption, especially in emerging nations, where large industrial parks were built quickly in catastrophe-prone areas in order to compete with developed nations, with little thought given to risk management and mitigation.

A severe cyber attack would affect the global supply chain in the same way, especially where commercial and industrial processes depend on the internet.

Loss of, or tampering with, data affects the ability to conduct business, disrupts dependent businesses and seriously damages reputation; the associated costs of remediation, litigation and compliance notification can lead to fines and solvency issues.

The insurance industry knows that outsourced service providers are the main cause of supply chain disruption. Increasingly this happens simultaneously, when weather disruption brings cyber and climate risks, both large and emerging, together in one event. When service providers outsource to each other in turn, the industry should treat it as a red alert.

EY believes that data integrity needs to be embedded in the enterprise, as well as in the IT vendors it outsources to and those the outsourcers engage in turn. This is the only way to have an effective subrogation process, based on non-repudiation, to recover and fairly share the claims incurred from a data breach. It is appropriate to look at how companies might seek to transfer their cyber risk today and in the future.

EY’s information security services help our clients to assess their security strategies, processes and infrastructure to manage risk and enable compliance with applicable laws and regulations. This includes testing for security exposures and business risks created by vulnerabilities or inadequate systems, applications and network devices.

Protection from cyber risk will require transforming and improving existing security programmes and investing in solutions that do not yet exist.

Leading practices should include:

A pragmatic, risk-based information security strategy that integrates solutions to address business needs, compliance requirements and ERM objectives;

Listening to what is going on in the market, understanding security information trends and threats, and adjusting the risk assessment accordingly;

Continually reassessing new technologies and the threat landscape to confirm that focus is on the right priorities;

Executive and board support that leverages the expertise of partners and vendors and defines which security functions sit in-house and which are outsourced or moved to the cloud; and

Assurance that information security is an integral part of the risk management function, not a standalone unit that fails to involve the business in the process.

Cyber catastrophe models and databases

Nearly 60 insurers write some form of cyber insurance coverage outside of errors and omissions insurance (E&O).

The reinsurance industry needs to look at the effect of large aggregated cyber attacks on the capital and stability of the risk industry. These are black swan events, and parallels can be drawn with physical damage from earthquakes and floods, reputational risk in global financial market meltdowns, healthcare pandemics and the digital data damage caused by large cyber events.

Internal resources have to be deployed to handle the cyber peril, and insurers can offer these services as part of cyber liability cover. Large databases of recent global breaches, recording the associated costs of handling each breach, are being developed to assess the frequency and severity of attacks.

These event or cyber catastrophe models will:

Help create cyber excess of loss rates for reinsurance cover, allowing a move away from the quota share reinsurance that is needed only in the early days of reinsuring a new risk;

Cause the cyber reinsurance industry to mature in the same way it did for natural catastrophe lines; and

Include legal expenses, as these are particularly perilous to solvency and to the proper reserving of claims (the ability to pay) over a period.
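To make the modelling step concrete, here is an added toy cyber catastrophe model; it is an illustration written for this page, not EY's model or any real rating tool, and every parameter (breach frequency, cost distribution, layer attachment and limit, probability of a common-cause event) is an assumption chosen for the example. It simulates a small portfolio year by year from a Poisson frequency and lognormal severity of the kind a breach database would be used to calibrate, prices a per-occurrence excess of loss layer against a quota share, and shows how a single shared service provider failing across many insureds fattens the aggregated tail that the black swan paragraph above is concerned with.

```python
"""Toy cyber catastrophe model: frequency/severity simulation of a small portfolio,
priced as a per-occurrence excess-of-loss layer and as a quota share.

Added illustration. All parameters are assumed; nothing is calibrated to real data.
"""
import math
import random


def poisson(rng, lam):
    """Draw one Poisson(lam) count with Knuth's multiplication method."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def layer_loss(ground_up, attach, limit):
    """Reinsurer's share of one loss under a layer of `limit` excess of `attach`."""
    return min(max(ground_up - attach, 0.0), limit)


def quantile(values, q):
    """Empirical q-quantile (0 < q <= 1) of a list of simulated annual losses."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def simulate_year(rng, n_insureds, lam, mu, sigma, systemic_p, systemic_share):
    """Return the list of ground-up breach losses for one simulated year."""
    losses = []
    for _ in range(n_insureds):
        for _ in range(poisson(rng, lam)):          # independent breaches
            losses.append(rng.lognormvariate(mu, sigma))
    # Common-cause event (assumed): one shared provider failing hits a fraction of
    # the insureds in the same year, so portfolio losses are correlated, not independent.
    if rng.random() < systemic_p:
        for _ in range(int(n_insureds * systemic_share)):
            losses.append(rng.lognormvariate(mu, sigma))
    return losses


def run_model(seed=7, years=1500, n_insureds=100, lam=0.05,
              median_cost=500_000.0, sigma=1.2,
              attach=1_000_000.0, limit=2_000_000.0, qs_share=0.3,
              systemic_p=0.0, systemic_share=0.3):
    """Simulate `years` portfolio years and return pricing statistics (assumed defaults)."""
    rng = random.Random(seed)
    mu = math.log(median_cost)                       # lognormal median = median_cost
    xol_by_year, qs_by_year = [], []
    for _ in range(years):
        losses = simulate_year(rng, n_insureds, lam, mu, sigma,
                               systemic_p, systemic_share)
        xol_by_year.append(sum(layer_loss(x, attach, limit) for x in losses))
        qs_by_year.append(qs_share * sum(losses))
    return {
        "expected_xol": sum(xol_by_year) / years,    # pure premium for the layer
        "xol_var995": quantile(xol_by_year, 0.995),  # 1-in-200-year annual layer loss
        "expected_qs": sum(qs_by_year) / years,
        "qs_var995": quantile(qs_by_year, 0.995),
    }


if __name__ == "__main__":
    for label, p in (("independent breaches only", 0.0),
                     ("with common-cause events", 0.05)):
        r = run_model(systemic_p=p)
        print(f"{label}: XoL pure premium {r['expected_xol']:,.0f}, "
              f"XoL 99.5% VaR {r['xol_var995']:,.0f}, "
              f"QS expected {r['expected_qs']:,.0f}, QS 99.5% VaR {r['qs_var995']:,.0f}")
```

Running the two scenarios side by side shows the point that matters for capital: adding an occasional common-cause event moves the expected layer loss only modestly but raises the 99.5 percent annual loss sharply, because the worst years are now the ones in which many insureds are hit together. A quota share passes that same correlated tail straight through to the reinsurer, which is why the text above expects the market to migrate towards excess of loss rating once the frequency and severity data exist to support it.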

Like every peril before it, cyber risk will be subject to regulation and rating. This will force entities down the ERM path if they have not already gone there, and it will be the defining force going forward.

Shaun Crawford is global insurance leader at EY. He can be contacted at: scrawford2@uk.ey.com
