Cyber breaches are a systemic risk now for insurers

With so many companies in the region making permanent changes to working patterns, the need for strong cyber security and risk mitigation policies is becoming increasingly important. The corporate world is still adjusting – and as it does, it opens up windows of opportunity for cybercriminals to take advantage.

This has resulted in increased exposure to cyber risk events, such as phishing, bugs, bots, spyware, adware and digital worms – all exacerbated by working from home and changes in the flow of data. Stronger, more resilient risk management practices are therefore necessary to avoid cyber risk and achieve sustained growth. But this new normal is also reshaping how the re/insurance sector operates.

Systemic risk

Cyber is fast becoming a systemic risk. The insurability of systemic risk is going to be one of the defining issues of the next decade for the re/insurance sector. Carriers must carefully evaluate, manage, and quantify exposures. As regulators formalize capital requirements and mandate how risk appetite is measured, re/insurance companies are having to enhance cyber underwriting and reinsurance strategies.

That means investing in the development of innovative modelling capabilities and developing technical and underwriting cyber-risk talent. The latter is particularly important if insurers are to offer their clients the best security possible.

Yet, delivering the best security is especially difficult in technologically advanced and rapidly changing markets like the Gulf. The pace of change is a challenge in itself: right across the region, accelerated digitalisation, innovation hubs, smart city developments, cryptocurrency exchanges and the emergence of Blockchain conspire to form a digital landscape constantly in flux. In an environment of perpetual change, gaps can be found.

Examples of exciting, but potentially, vulnerable areas of innovation in the GCC include the UAE-based gold-backed cryptocurrency Melecoin, or Bahrain’s cloud-first policy, which mandates cloud adoption for government agencies and entities. For re/insurers, the complexity of this era of disruption makes it more challenging to formulate a cyber risk management strategy.

Other challenges include divergent views of the potential silent cyber exposure on property, casualty, aviation, transportation, marine and other policies. This is compounded by the fact that carriers must constantly re-evaluate underwriting strategies to stay abreast of the latest cybersecurity innovations, software patches and attack vectors, all while the market demand for cyber products is exponentially increasing.

Opportunity prospects

Despite the challenges, a variety of growth strategies exist for insurers looking to explore the space. Some companies are targeting only large corporate risks, while some are looking exclusively at small-and medium-sized enterprises (SMEs) to avoid the risk that larger corporate claims might destabilize their portfolios. Others are attempting to balance their large corporate cyber with SME business through white-labelling or supporting managing general agents.

Insurers can take heart that businesses of all sizes and all industries are on their side. Our new research report shows that while COVID-19 recovery remains a deep concern for companies, the region’s overall business continuity response has been swift and effective. Cyber risk also featured very highly amongst the next critical risks for respondents, with cyber-attacks ranked second, and data fraud and theft ranked fifth.

The report - MEA Risk Management and Insurance Perception Survey - captures the concerns of more than 150 senior business leaders in the region from across 18 industries, identifying gaps in expectations and operational performance. The results serve to showcase what makes for a more resilient business, highlighting that successful growth is closely linked to the adoption of stronger, more resilient risk management practices.

Combining forces

With so much at stake for businesses and their customers, companies in the region must act decisively. They should continue to strengthen key performance indicators for risk response times – like risk identification, assessment, and reporting. Companies can work with insurers to utilize data and analytics, which are widely acknowledged as an essential business enabler rather than just a compliance activity.

Risk advisors can harness artificial intelligence, for example, to evaluate potential silent cyber exposure at an individual policy level. The number – and diversity - of companies purchasing cyber insurance continued to increase before COVID-19 in 2019, driven by growing recognition of cyber threats as a critical business risk. Now, we must work together to win the battle against cyber risk.