Zurich’s 4 step path to a cyber-insurance growth spurt

Digital, data and cyber | Article | July 12, 2018

Cyber insurance is a key component of cyber resilience. But despite its fast development in Europe, the cyber insurance market is still in its infancy. Zurich believes there are four key steps to taking cyber insurance market growth to the next level.


1. More transparency for cyber-related events - The lack of good-quality data, and of data sharing, about attempted or actual cyber incidents is the key factor limiting the development of a mature cyber insurance market. Data availability would allow: (1) accumulation risk to be simulated, (2) appropriate risk premia for cyber insurance to be determined, and (3) cyber risk awareness and resilience to be fostered. We therefore welcome the Cybersecurity Strategy published in 2017 as a first step. Nevertheless, the EU Commission must be more ambitious in urgently tackling this important global issue.

Moreover, incident reporting should be required across all industry sectors. Unfortunately, the GDPR guideline on personal data breach notification has neither promoted centralized information sharing nor specified the pertinent data to be reported from a cyber-insurance underwriting perspective.

We advocate the creation of a comprehensive, centralized repository of cyber-risk and incident-related data, allowing the industry to better understand the frequency and severity of incidents and their propagation channels. This repository could be created taking into account the learnings of a 2016 pilot of the Chief Risk Officers’ Forum and the taxonomy developed at the time.

2. A more consistent taxonomy - Fragmentation in the taxonomies of cyber incidents needs to be reduced. A common global taxonomy that is able to evolve over time must be developed, and this requires the support of policymakers. As captured by the CEPS-ECRI report, high fragmentation can be observed with regard to taxonomy rules for reporting, reporting time frames, the template to be used and the threshold at which an incident must be reported. This is an issue, given that cyber-attacks do not respect country borders and increasingly divergent regulatory reporting requirements are emerging (e.g., GDPR, NIS Directive, PSD2).

There are different ways we could proceed: CEPS recommends agreement at EU level on a small set of common taxonomies for specific use cases. The CRO Forum developed a methodology for a common cyber risk categorization to promote the capturing of data on cyber incidents (both incidents leading to losses and near misses) and to raise awareness and understanding of cyber exposures. Other institutions, such as the OECD and the FSB, are also working on this.

3. Address attribution & responsibility - For the purpose of cyber insurance underwriting, attribution is key - designating who committed the attack. Generally, attribution of cyber-attacks is not straightforward. It often results from a complex, costly and lengthy process, frequently involving external experts and authorities. Some attacks are uncovered late. And even if attribution is possible, cyber-attacks perpetrated by organizations connected to - and funded by - nation states cannot be prevented, owing to their level of sophistication. Implementation of measures to prevent IP masking would be very helpful in addressing attribution of a cyber attack.[1] In addition, better detection, prevention and more efficient combating of all forms of cybercrime at the national, regional and global level is required. Zurich has worked with the World Economic Forum on the foundations of a public-private cooperation for fighting cybercrime. Through this initiative, we hope that alliances can be created.

4. Consider a state-backed insurance scheme - Large accumulation and/or aggregation risks are of significant concern. Loss events could reach such a large scale that they may be beyond the capital base of private insurance carriers. This is relevant to cyber events such as cyber terrorism, i.e. cyber-attacks upon national critical infrastructure like power grids, public transport (road, rail, sea and air transport), stock markets, central banks, etc. For now, insurers can cope with the current premium volume. However, given the high demand and expected market growth, government-backed insurance schemes similar to those existing for natural disasters should be considered. Considering that the cyber insurance market is not yet established, defining the set-up of state-backed funds is challenging. The respective roles of insurers, reinsurers and governments should be clarified. Improved data should help inform the parties of where the respective limits would need to lie.

Zurich welcomes the fact that the EU Commission has made cyber security one of its priorities. We look forward to further engaging with EU stakeholders to help tackle some of the key issues and further develop the cyber insurance market.

[1] See Larry Greenemeier, "Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers", Scientific American (Jun. 11, 2011), https://www.scientificamerican.com/article/tracking-cyber-hackers/