Zurich, Marsh McLennan call for public partnerships Bridging the cyber divide

A new report from Marsh McLennan and Zurich, titled “Closing the cyber risk protection gap” calls for closer collaboration between the insurance industry and the public sector as cyber insurance coverage gaps exist.

“Both the insurance industry and the public sector are being urged to collaborate, share and innovate to address the growing cyber risk protection gap, promote resilience and protect our society and economy from the growing cyber threat landscape” , the report states. “Building societal cyber resilience is inextricably linked to the evolution of the cyber insurance market.”

This is because 87% of global decision makers in an April 2024 Munich Re cyber risk and insurance survey said they believe their organizations are inadequately protected against cyber attacks as the cost and frequency continue to grow

The cost of cyber attacks is projected to rise to nearly $24 trillion by 2027, up from nearly $8.5 trillion in 2022. Ransomware payouts hit a record $1.1 billion in 2023 as well, according to to a Chainanalysis blog titled “Ransomware Payments Exceed. Billion in 2023, hitting a record after the 2022 decline.”

The cyber insurance market has seen strong growth in recent years despite increasing attacks, with the Munich Re report estimating $14 billion in written premiums in 2023 and projecting it to more than double by 2027.

However, a cyber risk protection gap persists, with the Global Federation of Insurance Associations estimating the gap between insured losses and economic losses due to cyber attacks at $0.9 trillion, or 99% of economic losses. This is according to the AIFM report entitled “Report: Global protection gaps and recommendations to address them”.

Navigating protection gaps without risking too much

Marsh McLennan and Zurich outlined one solution in their report as a closer partnership between industry and government to build cyber resilience. That said, insurers will need to answer one question: How can the cyber insurance market expand without taking on too much exposure?

“Currently, there is concern that the volume of claims arising from a catastrophic cyber incident could overwhelm the resources available to resolve such claims,” ​​the report said. “Government policy facilitators should consider that the expertise and capabilities currently held by the insurance sector provide a strong incentive for government to create a framework in partnership with the industry. In addition, policymakers should consider the tools and resources that government could provide for damage management.”

As part of that partnership, the report says the trigger events for a public-private insurance program will need to be better defined based on what current policies consider uninsurable. The report suggested a solution as a status difference product that is triggered when policy exclusions are applicable and only responds to truly catastrophic losses.

“To provide flexibility and industry buy-in, any government framework should be voluntary for eligible insurers,” the report added. “At the same time, this will require insurers to acknowledge their support and belief in the viability of a cyber framework.”

However, the most pressing need in terms of national preparedness is to address the gap created by war and infrastructure exclusions in insurance policies, the report said.

“Because these risks are subject to exclusions, a cyber incident resulting in these losses would not affect the insurance market, but would require a post-incident government response,” according to the report. “Creating a cyber framework provides the opportunity to engage in planning how such compensation would be applied.”

Geopolitical tensions add fuel to the fire

The challenges in today’s cybersecurity environment are heightened by intensifying geopolitical tensions as technology has also become a larger part of state-sponsored attacks, the report said.

Indeed, a recent article in Carrier Management outlined how insurers are rethinking cyber as an area of ​​coverage in the face of global conflict.

“There are a variety of reasons that can motivate an individual or group to launch a cyber attack. Political ideologies are one of them,” said John Farley, managing director of Gallagher’s cyber practice, in Carrier Management’s August article titled “Geopolitics, Election Risks Have Insurers on High Alert.”

Additionally, when cyber defense resources are focused on avoiding any potential civil unrest or terrorist activity, commercially oriented and opportunistic attacks can occur, added Kellam Radford, senior vice president and national program underwriting leader at DOXA Insurance.

“Three main objectives of any conflict are to control the narrative around the event, ensure the flow of capital to fund activities and minimize any disruptions to the owned supply chain while maximizing disruptions to the other side,” he said. “All three of these goals create opportunities for cybercrime.”

Protecting the space of SMEs

While demand from organizations looking to transfer their cyber risk has grown, according to the Marsh McLennan and Zurich report, this growth has been uneven and remains a trend of uninsured or underinsured small and medium-sized businesses.

“Despite the prevalence of cyber risk, a significant proportion of SMEs remain uninsured or underinsured,” the report said. “These companies often lack the funds to invest in cyber security, in the same way that they may forego purchasing insurance due to affordability, lack of risk awareness or misunderstanding of coverage. To overcome such challenges, our industry should seek to simplify all elements of the procurement process, provide holistic solutions and support and enable public-private partnerships.”

The report added that it is important to provide policyholders with adequate coverage while avoiding unnecessary limitations and exclusive language that may lack universal consensus on applicability and create new protection gaps.

A growing need

Making the general case for public partnerships to address cyber risk, the report draws analogies to the risks of nuclear power, flooding and terrorism, saying that cyber risk is now similar to them.

“The need for a public-private approach to cyber risk has arisen from the ongoing transformation of the digital economy, the blending of physical processes with virtual control, and the increasing role and scalability of new technologies, most recently, generative AI.” the report said. “It is clear that there is an urgent need to address these risks due to both their volatile nature and the pervasive use of technology. At the same time, we must foster societies that are innovative, resilient and adaptable, while safeguarding economic prosperity and national security.”

“The insurance industry, with its proven track record of advancing societal goals by providing its risk management and transfer capabilities, plays a critical role in this endeavor from both a risk transfer and cyber resilience perspective.”

TOPICS
Cyber