As insurers embrace digitalisation, cyber risk should no longer be considered an emerging risk, but rather an established and continually evolving risk in the industry that should be managed, the Institute and Faculty of Actuaries has said.
In its latest report, the IFoA said that cyber risk will just continue to grow as malicious actors attempt to exploit weaknesses in the system.
“Data, and its privacy, is fundamental to the financial services world, and this brings a responsibility to ensure safety on behalf of the customers who put their faith in the sector,” IFoA said.
According to a report, the cyber insurance market is estimated to stand at approx $14 billion in gross written premium in 2023, which is expected to almost double in the next three to four years.
This year, several firms have listed cyber risk as among their top risks. The 2024 CRO Emerging Risks Initiative listed it as “high risk,” its highest rating and with a “current” time horizon for the insurance sector. AXA’s Future Risks Reports also listed cyber as a “top three” risk for both industry experts and the public.
This isn’t surprising the report said, as more and more companies shift to digital means of transferring and securing data. However, as ongoing technological advances happen, cyber risk continues to evolve and activity from rogue nation-states or organised crime groups appear to have joined the fold.
Malicious actors are likely to be currently participating in state-sanctioned activities and their skills could easily be used for criminal activity.
Just this year, Crowdstrike faced a non-malicious event arising from issues with security patches that resulted in an insured loss of between $300 million to $1 billion.
According to Frank Cilluffo and Joshua Whitman of the McCrary Institute, a think tank led by cyber experts, ransomware attacks alone are projected to cost the world more than $40 billion this year.
“Nation-states, major corporations, critical infrastructure providers, schools, hospitals and ordinary citizens have all fallen victim,” they said.
However, governments seem to be aware of the risks in the digital world. State agencies are beginning to allot resources in combatting cyber risks and are continuing to improve those risk-mitigating devices as the threat increases. There is also increasing expectation for firms to have appropriate controls and mitigations in place.
Third-party vendors are also contributing to the fight against cyber risk. But, despite the variety of third-party models available to measure cyber risk, there is a lack of consistency in their output and updating these models usually leads to significant changes in the outcomes.
In addressing such a complex issue as cyber risk, the IFoA found that inter-discipline cooperation is essential, especially in the role of actuaries.
According to its report, the IFoA said there is evidence showing the involvement of actuaries in cyber risk work. The participation is in collaboration with other relevant experts and the majority of the work is involved in risk management, as well as scenarios and stress testing activities.
Actuaries also contribute to the bulk of knowledge about cyber risk as they conduct important activities and research related to the field. Such research, when utilised by other experts, improves the capacity to protect oneself against cyber risk. This knowledge also affects the application of standards and guidance in the industry.
Even in the curriculum of current actuarial students, there are already cyber risk materials present, including those that focus on General Insurance and Enterprise Risk Management.
“Given the continual threat to the financial system and beyond, actuaries have an opportunity to utilise their technical skills to extend influence in this field of work for the benefit of businesses and consumers,” IFoA Review Actuary Alan Marshall said.
