Is Cyber Insurance the best tool to preserve corporate value?
Feb 14th, 2018
Is Cyber Insurance the best tool to preserve corporate value? That is indeed an appropriate question to ask, as cyber attacks seem to constitute major threats to businesses today.
Cyber liability policies exist to indemnify and cover the losses that an attack may generate. However, they generally include numerous exclusions and conditions.
Contrary to natural hazards and many “classic” hazards, the frequency of cyber attacks is very high. Consider for example:
- quakes with frequencies in the order of one in hundreds of years,
- flooding with frequencies in the order of one in decades and, finally,
- cyber attacks with several per day.
Also, a well-designed and well-executed cyber attack may go undetected for months or years. When detected, it may be very difficult to evaluate its effects. Swisscom, the telecom company from Switzerland, underwent such an attack, as recently revealed in the media.
Is Cyber Insurance the best tool to preserve corporate value?
The multitude of attacks, from different directions and “enemies”, using techniques ranging from sophisticated IT to social engineering, leads to complex multidimensional consequences, hence complex risk landscapes.
That is not big news, as over time we have shown that most “accidents” lead to combinations of:
- business interruption,
- direct and indirect economic impacts,
- health and safety,
- image and legal costs as well as
- crisis potential.
In the Swisscom case we are also seeing activism being generated in the form of an “invitation to write a request for information and damages”.
Accordingly, cyber liability policies cover losses up to a client-defined amount. Considered losses may include:
- privacy breach liability,
- cyber extortion,
- business interruption losses,
- liability from multimedia and public relations costs,
- legal expenses and finally
- data theft liability.
However, as indicated earlier, coverage generally comes with numerous significant conditions and exclusions.
Furthermore, difficulties may arise if the insured cannot monetize the value of a data loss.
How can organizations minimize their cyber risks?
It becomes obvious that cyber insurance alone cannot preserve corporate value, because of its own necessary limitations, designed to protect the insurer.
It is also obvious that IT alone cannot do that either, as risks arise from elements of the system that can be far removed from IT. For example: the best way to crash a computer remains pulling the plug or cutting the network cable… and in the Swisscom case cited above, subcontractors’ vulnerabilities were exploited.
So, it all boils down to risk-based decision-making support for mitigation that most often will not be IT-based, but “holistic” in nature. Audits and checks cannot solve this type of problem.
What is needed is a 360° risk management approach based on convergent, scalable, updatable and drillable multi-hazard risk assessment. That is the only way to avoid capex squandering and to promote reasonable operational, tactical and strategic planning.
Reasonable planning should also allow for interesting discussions with the insurers, in order to find win-win solutions around excessive exclusions, denials and conditions.
Understanding operational, tactical and strategic risks
Riskope uses its “universal” platform called ORE (Optimum Risk Estimates, © Oboni Riskope Associates Inc., 2014-*) to perform the risk assessments required by cyber-aware companies.
ORE follows a continuous loop, as shown below in Fig. 1.
Figure 1 ORE continuous loop of holistic quantitative risk assessment.
Figure 2 Dashboard of holistic risks for a M&A (real example, confidential client).
We have developed ORE over the last few decades. ORE allows one to include uncertainties, inter-dependencies, and societal and corporate risk tolerance, and it is ISO 31000 compatible. ORE makes it possible to communicate risks to management and the public thanks to very clear and explicit graphic dashboards (Fig. 2).
Figure 3 displays holistic, quantitative corporate risks in a probability-consequence quadrant. The horizontal axis shows the aggregate losses C (M$) from various corporate risk scenarios, including cyber hazards. The respective annual probabilities p are on the vertical axis.
For the sake of graphic simplification we have omitted the uncertainties. Some risks display as a dot (at their centroid), but should really appear as “bubbles” because of their respective uncertainties in p and C.
In the graph (Fig. 3) you see three groups of risks:
- the “blue” ones are tolerable (they are below the orange line, which is the risk tolerance of that specific corporate client);
- the “yellow” ones are intolerable (above the orange line), but manageable, as they could receive mitigation (for a cost) which pushes them down, below the threshold;
- the “red” family are intolerable and unmanageable: they cannot be pushed below tolerance in the realm of credibility (above p = one in a million).
Figure 3 A real life holistic, quantitative corporate p-C graph with three families of risks: tolerable (blue), intolerable but manageable (yellow), intolerable and unmanageable (red), hence strategic.
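The three-family classification described for Fig. 3 can be expressed as a small procedure: compare each scenario's (p, C) point to the client's tolerance line, check whether a mitigation could credibly bring it below the line (p must stay at or above one in a million), and, as a preview of the insurance-design remarks that follow, let a risk transfer shift the tolerance to the right by the covered amount. The code below is an added illustration and is not Riskope's ORE code. It assumes a tolerance line of constant expected annual loss `K_TOLERANCE / C`, capped at a maximum bearable consequence `C_MAX`; the shape of the real tolerance curve, the constants, and the three sample scenarios are constructed for the example, while the credibility floor of p = 1e-6 comes from the post.

```python
"""Classify corporate risk scenarios on a probability-consequence (p-C) graph.

Added example, not Riskope's ORE platform. Constructed assumptions:
- the tolerance line is an iso-expected-loss curve p_tol(C) = K_TOLERANCE / C,
  capped at C_MAX, beyond which no credible probability is tolerable;
- an insured amount shifts the tolerance line to the right by that amount,
  i.e. only the retained consequence is compared with the curve.
The credibility floor (p = 1e-6) is the one quoted in the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CREDIBILITY_FLOOR = 1e-6  # from the post: below this p a mitigation claim is not credible
K_TOLERANCE = 0.5         # assumed: tolerable expected annual loss, in M$
C_MAX = 500.0             # assumed: consequence (M$) the company could not survive


@dataclass
class Risk:
    name: str
    p: float  # annual probability of the scenario
    c: float  # aggregate consequence, in M$


def tolerance_p(c: float) -> float:
    """Assumed tolerance curve: the tolerable annual probability for a consequence c (M$)."""
    if c > C_MAX:
        return 0.0  # a company-ending loss is tolerable at no credible probability
    return min(1.0, K_TOLERANCE / c)


def classify(risk: Risk, transferred: float = 0.0) -> str:
    """Return 'blue', 'yellow' or 'red' for a scenario, given an insured amount in M$.

    blue   : on or below the tolerance line
    yellow : above the line, but a credible mitigation (p >= 1e-6) could push it below
    red    : cannot be pushed below tolerance in the realm of credibility
    """
    retained = max(risk.c - transferred, 0.0)
    if retained == 0.0:
        return "blue"  # fully transferred: nothing left to compare with the line
    p_tol = tolerance_p(retained)
    if risk.p <= p_tol:
        return "blue"
    if p_tol < CREDIBILITY_FLOOR:
        return "red"  # the line sits below one in a million at this consequence
    return "yellow"


def mitigation_factor(risk: Risk, transferred: float = 0.0) -> Optional[float]:
    """By what factor p must be reduced to reach tolerance; None if not credibly achievable."""
    colour = classify(risk, transferred)
    if colour == "blue":
        return 1.0
    if colour == "red":
        return None
    return risk.p / tolerance_p(max(risk.c - transferred, 0.0))


def coverage_to_tolerate(risk: Risk) -> float:
    """Smallest insured amount (M$) that moves the scenario onto or below the tolerance line."""
    # On the assumed curve the retained consequence must satisfy K / retained >= p and
    # retained <= C_MAX, so the target retention is min(K / p, C_MAX).
    target_retained = min(K_TOLERANCE / risk.p, C_MAX)
    return max(risk.c - target_retained, 0.0)


# Constructed sample scenarios (not data from the post)
SAMPLE_RISKS: List[Risk] = [
    Risk("Phishing-driven wire fraud", p=0.5, c=0.5),
    Risk("Ransomware business interruption", p=0.2, c=20.0),
    Risk("Subcontractor-originated breach, regulatory and legal fallout", p=0.02, c=600.0),
]


def classify_all(risks: List[Risk], transferred: float = 0.0) -> Dict[str, str]:
    """Map each scenario name to its family, as a dashboard would colour it."""
    return {r.name: classify(r, transferred) for r in risks}


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: {classify(r)}, "
              f"mitigation factor {mitigation_factor(r)}, "
              f"coverage to tolerate {coverage_to_tolerate(r):.1f} M$")
```

Run as-is, the script marks the fraud scenario blue, the ransomware outage yellow (its probability would have to drop eightfold, or 17.5 M$ of it be insured, to reach the line), and the subcontractor breach red, because its consequence exceeds what the assumed client could bear; insuring 150 M$ of that last scenario moves it into the yellow family, which is the "shift the tolerance to the right" effect of a transfer on this assumed curve.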
Closing remarks on ORE applied to cyber risks and insurance design
It is easy and self-evident how to further split the regions of this graph, or to select risks to compose insurance bundles that cover the needs of a specific client.
Such a bundle can also be designed specifically for a captive insurance program.
Conceptually, risk transfers would shift the initial tolerance towards the right.
Thus, applying ORE quantitative risk assessment also makes it possible to evaluate rational coverage for specific risks, with captives greatly facilitating the search for win-win rational solutions.
It is interesting to note that ORE is always scalable and drillable, and can accommodate increasing levels of information during corporate/project life, if necessary in “real time”.
This is particularly interesting when initial (actuarial) data are scarce or nonexistent and we need to rely on ample use of probabilities.
Contact us to learn more.