Industry Must Develop Common Cyber Risk Currency

Morley Speed, Managing Director and Carolyn Morley, Chairman, Global Casualty

  • Data integrity and availability as critical as data confidentiality
  • Limited ability to quantify dependency a major cyber inhibitor
  • Challenge to build clearly differentiated cyber portfolio

Diversification is essential for evolving the cyber insurance market, yet expanding the cyber remit beyond data confidentiality and further into areas such as operational technology risk, data availability and integrity demands a common cyber risk currency, according to Morley Speed, Managing Director, and Carolyn Morley, Chairman, Global Casualty, Guy Carpenter.

“Confidentiality and data breach have been the focus of the U.S. cyber market for a number of years primarily due to regulatory requirements,” Speed says. “And while Business Interruption-related cyber cover is more prevalent in the international arena, the implementation of the General Data Protection Regulation and plans for a new U.K. Data Protection Bill will drive greater focus on data confidentiality, especially given the provisions in the legislation for fines of up to four percent of global revenue.”

“The industry needs to expand further into risk areas such as operational technology (OT),” he continues, “which is a major issue for sectors such as manufacturing and one where we are seeing an uptick in customer demand. Yet, while data breach can be packaged due to the growing credibility of per-risk modelling capabilities and the fact that such attacks tend to be company-specific, OT risks, particularly in an ‘Industry 4.0’ environment, have a much greater systemic potential.”

Morley adds, “Growing supply chain dependency - both between companies and suppliers, and across operating systems and internet services - greatly enhances and extends OT vulnerability. However, while we can better model the interconnectedness of these networks, we cannot accurately model the level of dependency nor the inherent resilience a company may have.”

“For example,” Speed notes, “with WannaCry, exposure levels were very much dependent on the degree of reliance of companies on specific operating systems, yet it is very difficult to quantify that dependency. This is a huge inhibitor and without developing a common cyber risk currency to better understand this, we cannot develop an accurate picture of potential exposure levels.”

Using the analogy of property catastrophe, Morley explains, an efficient market provides significant capacity based on a common currency of risk. “This identifies the impact of a given ‘event’ on risks within an exposure zone, taking into account their resilience. This currency is embedded in contract wordings, modelling, rating and capital allocation throughout the insurance and reinsurance value-chain.”

Speed also believes such currency is crucial to understanding the intrinsic value of data. “Current cover can protect against data reconstruction costs, but that often does not cover the true ‘nebulous’ value of that data. And if it has been compromised the information may be worthless. The multi-billion-dollar market valuations of companies such as Apple, Facebook and Google are primarily data-based. We need to provide meaningful cover built on a common risk understanding that recognizes that value and adequately addresses issues of data integrity and availability.”

Without establishing that cyber currency, risk differentiation will continue to be a major challenge. “The big issue is that currently all exposures are in a relatively undifferentiated cyber mix,” Speed concludes. “For many reinsurers, by entering the market, they are taking a share of that mix rather than being able to extract specific risks. To move cyber forward, we need to be able to build clearly differentiated portfolios. That means being able to better understand dependency and resilience levels, establish credible models to quantify non-correlation and define more highly protected risks, all based upon a recognized cyber risk currency.”
