Blog: The five peril categories to better manage cyber risks
Need to know
- The money spent on cyber security hasn’t yet reduced cyber risks
- Cyber incidents come under five categories: data breach, DoS attack, ransomware, IP theft and cyber physical
- Companies need to prioritise their efforts, decide which risks to cover and which losses to take on the chin
- Insurers need to increase capacity and meet regulatory requirements for affirmative and non-affirmative cyber
For almost two decades, the business world has been trying to measure cyber risk as if it’s some unique and isolated risk within an organisation.
This has led to the creation of specific executive-level roles, such as chief information security officers and chief data officers. But, even with these specialised roles, there has been a year-on-year increase in damages related to cyber incidents. As part of an increasingly interconnected and interdependent world, businesses must understand and treat cyber risk as an interconnected and expected risk.
While growth in cybersecurity awareness and growth in cybersecurity spend are tightly linked, should the two be synonymous? Marsh CEO John Doyle summarises this point well: “Awareness is growing. More money is being spent. But, is that leading to a reduction in cyber risk? The answer is: not yet.”
Cyber security awareness and an increase in cyber security spend should not be synonymous, and in fact should vary greatly from one organisation to the next, based on risk appetite and risk-leverage options.
Cyber risk must be viewed beyond the traditional performance metrics and compliance frameworks and translated into something that matters to executives and shareholders. Distilling all cyber incidents over the last decade, there are five primary cyber peril categories:
- Data breach
- Denial-of-service interruption
- Extortion and ransomware
- Misappropriation of intellectual property, trade secrets, and other highly sensitive information
- ‘Cyber physical’ as related to property damage and human casualty.
For each of these cyber peril categories, we must understand probability, impact, and expected loss. The sum of the five expected loss values enables organisations to prioritise risk reduction efforts.
Additionally, it helps organisations to understand whether each cyber risk reduction project will produce a positive return on investment. Firms can then consider which risks should be transferred via an insurance policy, and which should simply be ‘taken on the chin’ as an expected cost of doing business in the digital age.
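The prioritisation and transfer-or-retain decision described above, worked through in code. This is an added illustration, not part of the original article; the five categories are the article's, but every probability, impact, project cost and retention limit is a constructed placeholder figure.

```python
from dataclasses import dataclass

# The five cyber peril categories from the article, each paired with a
# constructed annual probability and single-event impact (GBP).
# These figures are illustrative placeholders, not data from the article.
PERILS = {
    "Data breach": (0.30, 2_000_000),
    "Denial-of-service interruption": (0.50, 400_000),
    "Extortion and ransomware": (0.25, 3_000_000),
    "IP / trade-secret misappropriation": (0.05, 10_000_000),
    "Cyber physical": (0.01, 25_000_000),
}

def expected_loss(probability: float, impact: float) -> float:
    """Annualised expected loss for one peril: probability x impact."""
    return probability * impact

def expected_losses(perils=PERILS) -> dict:
    """Expected loss per peril category."""
    return {name: expected_loss(p, i) for name, (p, i) in perils.items()}

def total_expected_loss(perils=PERILS) -> float:
    """Sum of the five expected-loss values: the forward view of cyber losses."""
    return sum(expected_losses(perils).values())

def prioritise(perils=PERILS) -> list:
    """Peril names ranked by expected loss, largest first: the order in which
    risk-reduction effort should be spent."""
    el = expected_losses(perils)
    return sorted(el, key=el.get, reverse=True)

def control_roi(peril: str, new_probability: float, annual_cost: float,
                perils=PERILS) -> float:
    """ROI of a risk-reduction project that lowers one peril's probability.
    Benefit is the fall in expected loss; ROI = (benefit - cost) / cost."""
    p, impact = perils[peril]
    benefit = expected_loss(p, impact) - expected_loss(new_probability, impact)
    return (benefit - annual_cost) / annual_cost

def treatment(peril: str, retention_limit: float, perils=PERILS) -> str:
    """Transfer a peril to insurance when a single event would exceed what the
    organisation is willing to absorb; otherwise retain it as a cost of business."""
    _, impact = perils[peril]
    return "transfer" if impact > retention_limit else "retain"

if __name__ == "__main__":
    for name in prioritise():
        print(f"{name:36} expected loss {expected_losses()[name]:>12,.0f}"
              f"  {treatment(name, 5_000_000)}")
    print(f"Total expected loss: {total_expected_loss():,.0f}")
    print(f"ROI of halving ransomware probability at 200k/yr: "
          f"{control_roi('Extortion and ransomware', 0.10, 200_000):.2f}")
```

A project with a negative ROI is one the firm should decline even if it reduces risk, and a peril whose impact exceeds the retention limit is a candidate for insurance rather than further spend.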
This is a significant shift in how cyber risk is understood and managed. It will translate into improving the executive function as leaders will finally be able to have an accurate forward view of cyber-related expected losses while actively pursuing strategic goals.
Cyber threats are now the top CEO concern, according to the results of the PWC survey US Business Leadership in the World in 2018. It’s safe to say that part of this concern is based on uncertainty and media hype. Genuine knowledge is the key to understanding the problem and making informed decisions on how to deal with it. Cyber risk must be expressed, understood, and managed in economic terms.
Anticipating an increased need to transfer cyber risk, the insurance industry also recognises that it needs to understand cyber risk in economic terms to increase capacity, open new markets and meet regulatory requirements for affirmative and non-affirmative cyber.
Copyright Infopro Digital Limited. All rights reserved.