Nils Diekmann, Underwriting Manager Cyber, Munich Re
This is no surprise [10], as the cybercriminal world is advancing at a fast pace, for example by collaborating and by leveraging automation and artificial intelligence to exploit weaknesses as rapidly and profitably as possible. At the same time, while companies across the board are embracing and scaling the digitalization of their businesses, 81% of CEOs in the digital economy believe their companies aren’t adequately protected from cyber threats [11].
These are just some of the forces driving growth in cyber insurance, which we expect will become a $20 billion industry by 2025. We also face challenges, however, and overcoming them necessitates a coordinated, multi-industry effort to improve security and mitigate risk.
Assessing and managing risk
Cyber insurers have already proven that they can be part of the solution when it comes to building up resilience and readiness across all industries, but we’re “running into headwinds.”
For digital services to be deployed at scale, insurers must be able to deliver business assurance, and that in turn requires that insurers have an even deeper understanding of the risk they are underwriting. But given the rapidly changing digital landscape, identifying and quantifying that risk is becoming increasingly difficult.
Why is quantifying risk in this incredibly complex world important? For primary insurers and reinsurers, the ability to understand and quantify risk is vital for offering sustainable insurance and keeping capacity and premiums manageable. It is also important for building the confidence needed to provide the capacity that insureds need for their businesses.
The insurance industry doesn’t insure what it doesn’t understand, and cyber risk is hard to understand because of the almost infinite complexity of devices, software, and systems, as well as the possibilities for foul play.
We need to consider questions such as:
In addition, perhaps the most important question of all is: Who is responsible/liable if something goes wrong? The sophisticated value chains in the internet of things (IoT) area make the transfer of liabilities between suppliers so complex that they often don’t know how responsibility is shared through the chain. To improve our visibility of potential risk, we need to collectively step up and solidify our cross-industry collaboration, which to date has demonstrated some successes but can always be improved.
With different regulatory approaches and jurisdictions around the world, it can be difficult to obtain a coherent view of liability and risk. For privacy protection, for example, Europe has established the GDPR and California has implemented the California Consumer Privacy Act (CCPA). For IoT security, the United States has NISTIR 8259 and Europe has ETSI EN 303 645.
Silicon providers are working diligently to create devices with a Root of Trust (RoT), and their customers build additional security using best practices on top of that.
However, given the widely varied regulatory landscape, it can be difficult for providers to ship at scale and conform locally at the same time.
To overcome these challenges and achieve stronger security together, we need stronger collaboration, clearer communication, and better understanding among key stakeholders.
Redefining terms
For many years, we have been talking about shared responsibility when it comes to security, but it’s actually shared fate that we need to focus on. For example, companies must assume greater responsibility for securing their systems and not consider insurance to be a substitute for security implementations.
This important and necessary shift in thinking emerged from our groundbreaking collaboration [12] with Google Cloud and Allianz Global Corporate & Specialty (AGCS), focusing on providing cloud-specific coverage for organizations. The starting point for the cooperation was the continuing trend towards cloud usage: the majority of larger organizations have already embraced the cloud as a way of doing business. Furthermore, elements of corporate IT, including core applications, are moving to the cloud as a result of the growing trend toward digitalization. Organizations are therefore striving to create a technically robust security environment for themselves in the cloud, and they also seek to mitigate and insure against any remaining risks with the best possible options. The goal of this new partnership is to address the specific needs of Google Cloud customers and to leverage data insights from Google Cloud to create innovative and sustainable cyber solutions.
Closer collaboration
Meanwhile, ransomware attacks are increasingly common and losses are growing. Insurance companies are becoming much more careful about what they insure and what their customers are doing.
I believe the existing market situation could last for at least another year, and companies might scale back or withdraw coverage for a period of time, or increase premiums for riskier aspects of IoT network coverage. A better understanding of the exposure, the threats and the countermeasures is important for maintaining the confidence needed to provide that cover.
We are making progress. Not all that long ago, there was a technology community, a risk community and a regulatory community, and there wasn't really much crossover. Now, there is a lot more exchange. Groups such as the Confidential Computing Consortium, PSA Certified and many others are casting wide nets in the spirit of collaboration. And our industry, which in the past tended to follow regulatory guidelines, now also has a role to play in helping everyone understand and more clearly define cyber risk and cyber risk management. As part of that, we need confidence in a certified, secure chain of components, built on RoTs, to ensure there are no weak links in the chain. And at the same time, the regulatory community needs to provide a framework within which that black-and-white view of responsibility and shared fate can be applied.
Technology is key
As companies scale their digital ambitions in virtually every area, they’re reaching out to the risk industry to understand their potential vulnerability and liability.
For example, to what extent should an automotive manufacturer extend its coverage to take into consideration the potential hacking of its vehicles once they are on the road? What aspects should it consider regarding the variability of products (hardware and software), field updates and upgrades, and so on? And how long should it support field upgrades to maintain security? In this context, the certification of electronic components can push the boundaries of insurability: it gives us a more solid vantage point from which to view an unbroken, certified chain of components in a software-dependent car, and thereby greater confidence that there is no unverified weak link in that chain.
Peter Armstrong, subject matter expert, cyber, Munich Re Group, discusses the challenges insurers have in quantifying cybersecurity risk.
As for technology providers, one of the strengths of the IoT is that the information gathered by connected devices can be used for more informed decision-making and is often a catalyst for change. Therefore, we must have confidence in the technologies and in the data they generate. Technology is one way to improve security: if we can establish a chain of trust from the device to the data, that will also offer us some assurance with regard to the business-critical services that our products now enable.
A future of trusted data and devices doesn’t rest on the shoulders of any one industry or government. Instead, it is a collective goal, necessitating redoubled efforts to communicate, collaborate, and innovate in technology, insurance, and regulatory environments.
That means putting frameworks in place to give product developers access to world-leading security expertise and helping them meet international legal, regulatory, and baseline requirements. It also involves working together to establish a common security standard that is based on a Root of Trust. We have made progress in recent years, but so have our adversaries. Let’s pledge to never let our guard down in this battle.