The cyberinsurance challenge for cyberrisk governance
WanaCry, NotPetya, Shadowpad: the list of malware in circulation continues to grow, as does the number of victims of cyberattacks. Direct and indirect losses due to cyberinsecurity are increasingly significant and growing exponentially. This raises questions about the insurability of cyber risks. What needs to be done?
In 2017, the NotPetya malware cost the industrial group St-Gobain 250 million euros, the Reckitt pharmaceutical group 110 million, and the Danish shipping company Maersk between 200 and 300 million dollars. For FedEx the losses are estimated at around 300 million dollars. Beyond the financial damage, which some companies or sectors of activity may no longer be able to bear, there is more at stake: the entire economy and the mode of operation of modern societies, including democratic expression, have become vulnerable to cyberattacks. Their persistence and scope generate systemic risks with dynamic snowball effects that could impact everyone. This is due in particular to the interdependencies and interrelationships of the digital infrastructures and entities involved. In addition, the inadequacy or obsolescence of cybersecurity and cyber resilience mechanisms makes the return to normality increasingly complex, expensive, difficult and occasionally impossible. Cyberattacks with large-scale impacts can affect all vital services and thereby the entire population, eroding political and economic stability and exhausting the victims. This raises considerable challenges and critical issues for the governance of cyberrisks and crises.
Assessing cybersecurity risk
Organizations are increasingly turning to complementary insurance schemes to cover shortcomings in their strategy and in the operational implementation of their cybersecurity measures. The insurance industry is therefore faced with the task of offering instruments adapted to the threats generated by the extensive use of digital technologies, the dependence of organizations on information systems and the reality of cyber incidents, whether of malevolent origin or not. But the market for the insurance of digital data and infrastructures is struggling to develop. It must constantly adapt to the reality and intensity of cyberthreats and follow the evolution of cyber risks (data theft, scams, disruption, destruction of infrastructures and services, etc.). An increased understanding of vulnerabilities, threats and their impacts, as well as of cybersecurity measures and the roles and responsibilities of all actors, is necessary for the proper development of the cyberinsurance market. It has therefore become crucial for professionals in the insurance industry to master the conceptual, methodological and practical tools that contribute to:
- designing, developing, commercializing insurance products in the field of cyber risks;
- discussing, advising and assisting clients in the insurance procedures of their information systems, digital infrastructures and data.
On the other hand, economic leaders must also understand the means and skills necessary for the steering, governance and control of cybersecurity. Furthermore, they have to know which assets must and can be insured, and against what to insure them. Moreover, they need to be able to identify the technical, organizational, managerial and legal constraints of cybersecurity. All this must be taken into account when implementing a cybersecurity strategy.
Insuring cybersecurity risks – what needs to be done?
Nevertheless, are all cyberrisks insurable? At what cost, under which conditions and with what guarantees? How should the level of insurance coverage be determined in case of a digital blackout affecting a region, a country or a continent? What about reinsurance? These questions need to be answered satisfactorily, because it is important for organizations to be able to rely on the comfort a good insurance can provide. However, the majority of them are still concerned solely with the symptoms of cyberinsecurity and not with its causes. Consequently, they lack the ability to anticipate risk scenarios, prevent them and adapt to ongoing developments. The insurance approach, in turn, raises questions about the need to qualify and even certify security solutions and procedures, and to assess the maturity of companies with regard to their cybersecurity posture and their capacities for crisis and communication management.
Prof. Dr. Solange Ghernaouti: sgh(at)unil.ch
Prof. Dr. Solange Ghernaouti is a member of SATW and director of the Swiss Cybersecurity Advisory and Research Group at the University of Lausanne. Her newest book «La cybercriminalité - Les nouvelles armes du pouvoir» was recently published by the Presses polytechniques et universitaires romandes.