Cyberattacks are inevitable say UK CEOs - what are the implications for cyber insurance?

How can the insurance industry respond to demand for better products?

Opinion

KPMG UK has released a study of UK business leaders that revealed that four in 10 UK chief executives believe a cyberattack on their business is inevitable. Keith Stonell, managing director, EMEA, at Guidewire Software commented on these findings and the role that the insurance sector should take to help British business reduce the risks of cyberattacks:

It is important to note that whilst a cyberattack may be considered inevitable, cyber criminals may not be targeting specific companies. If they are targeting an industry, or any other possible target, those with the weakest cyber security will be the low-hanging fruit. As a result, we anticipate significant growth in the cyber insurance market, along with other prevention strategies, and UK CEOs are confirming this by saying it is now a case of ‘when’ as opposed to ‘if’ they will suffer a cyberattack.

We believe that customer data is an important asset for companies but, despite regulatory interventions such as GDPR, it is evident that many CEOs still do not subscribe to the point of view that customer data protection is a key prerogative for long-term growth. Guidewire sees a trend towards consumers considering their personal data to be as valuable as physical personal possessions, and with this becoming more prevalent across the consumer base we expect that a poor duty of care towards consumer data could cause significant reputational harm, damaging growth for companies.

A point to stress is that insurers need to find better ways to understand cyber risks so that products that more directly meet the needs of clients can be developed. Modelling cyber risk is difficult compared to other risks. We see three underlying reasons for this:

  • Insurers have traditionally built risk models that rely on authoritative providers of data, such as the United States Geological Society (USGS) for earthquake risk, or the National Oceanic and Atmospheric Administration (NOAA) for hurricanes and tropical storms. For cyber risk, there is no authoritative source of data that can supply a large, rich data-set for model creation. The internet is distributed by nature and is increasingly becoming more complex as new technologies emerge. The threat landscape is continuously changing and evolving.
     
  • The second challenge in building a cyber risk model is analysing people and processes in addition to technology. Let us be honest, most cyber events have a human element associated with them. A good percentage can be caused or aided by disgruntled insiders, who often have legitimate access to the data being affected. Another big factor is accidents or errors like clicking on a malicious link, or naively giving up information that can lead to unauthorised access.
     
  • And finally, the insurance industry requires an economic model around cyber risk. The cybersecurity industry is awash in metrics, benchmarks, scores, and ratings. Unfortunately, these are somewhat tangential to the critical question: how much damage could a cyber event do?

For the insurance industry to respond to business demand for better cyber insurance products, they need to combine data science, cybersecurity, and economics into a single analytics platform that quantifies the financial impact of cyber risk. This requires a revolutionary approach to how insurers utilise data listening and AI to create the right models for tracking risks that are extremely dynamic.

The preceding article was an opinion piece written by Keith Stonell, managing director, EMEA, at Guidewire Software. The views expressed within the article are not necessarily reflective of those of Insurance Business.