Cyber threats are a strategic enterprise risk that requires significant focus and time from boards and C-suite members, among other key stakeholders. Yet many organizations have worryingly low board- and executive-level engagement around cyber risk, according to the Marsh Microsoft Global Cyber Risk Perception Survey. Moreover, the practices employed to counteract these risks by firms that lack sufficient senior management engagement significantly lag in effectiveness relative to the critical nature of cyber risk.
Recent shifts in the way insurers are covering cyber risk may necessitate changes in many organizations’ approaches to insuring this risk. It’s imperative that board members become more knowledgeable on how insurance market changes can affect their organization’s coverage of those risks.
Insurers Move to Affirm or Exclude Cyber Risk
The insurance market for cyber risk has evolved significantly since the first network security policies were offered in 1999. This evolution has mainly been driven by the dynamic, volatile nature of cyber risks and shifting buyer demographics from privacy-driven entities to companies in all industries, most notably the manufacturing sector. This has also fueled the purchase of standalone cyber insurance: 47% of respondents to the 2019 survey by Marsh and Microsoft Corp. said they now have cyber insurance, up from 35% in 2017.
Recently, a third factor in this evolution has emerged as the insurance industry has sought to clarify how property and casualty (P&C) policies might respond to a cyber event. Traditional P&C insurance is intended to respond to physical perils, but policyholders’ evolving risk profiles and the failure of traditional policy language to keep pace have resulted in unintended cyber event coverage, commonly known as “silent cyber” risk.
The insurance industry, led by Lloyd’s of London, is now taking the position that all P&C insurance policies must either expressly exclude or include cyber coverage; effective January 2020, Lloyd’s insurers can no longer remain “silent.” Although it is still unclear what this means for policyholders, traditional P&C markets appear to be moving toward exclusion — not inclusion — of cyber risks.
As new technologies and devices add complexity to organizational risk profiles, board members and C-suite executives must be aware that traditional insurance markets are moving to exclude coverage for much of that risk. Faced with a seemingly perfect storm of increasing risk and decreasing coverage, a clearer and more nuanced approach is necessary to manage the risks of doing business — one that includes not just a broad cyber insurance program, but also the treatment of cyber issues as an operational risk.
Boards and C-Suites ‘Silent’ on Cyber Risk Management
The uncertainty about how and where coverage of cyber risks can be found in insurance policies should stand as a challenge to companies to evolve their cyber risk management strategy. After all, 80% of organizations polled in our survey said cyber threats now rank as a top five risk concern, up from 62% in 2017. Are organizations taking strategic action?
Our findings suggest there is another form of “silent” cyber risk. Despite cyber risk being viewed as of greater concern than any other risk, including adverse weather and earthquakes, organizations’ overall confidence in their ability to manage cyber threats has declined: Only 11% reported high confidence in their ability to understand, prevent and respond to cyber risks.
Source: Global Cyber Risk Perception Survey Report 2019, Marsh
While myriad factors underlie this drop in confidence, two data points are telling:
- Organizations that perceive a lack of executive support or mandate to address cyber risk are significantly less confident about their capabilities to respond appropriately.
- A large majority of organizations — 88% — still view the information technology (IT) department as a primary owner of cyber-risk management, with executive leadership and boards ranking second (named by 65%). But only 16% of executives and boards say they spend more than a few days a year on cyber risk issues.
Source: Global Cyber Risk Perception Survey Report 2019, Marsh
The disconnect is striking: Cyber threats call for a rigorous risk management strategy, but many organizations — and their leaders — are delegating or sidelining the issue.
Boards and C-Suites Should Lead the Charge
Our message is straightforward: Organizations must elevate cyber risk to a board-level issue and apply the same discipline and governance that other critical risks receive. Boards must embrace their oversight role and include all key internal stakeholders in the cyber-risk management process, not just IT. They must also engage in cyber event planning, training and incident response rehearsals; and invest in both cybersecurity technology and insurance, based on quantified measurement of organizational cyber risk.
Our survey shows that organizations that quantify their cyber-risk exposures are more likely to engage in both technological and non-technological actions to manage the risk. For example, 50% of manufacturers that measure their cyber risk economically also engage in loss modeling, compared to 18% of manufacturers that do not quantify their cyber risk. Loss scenario modeling is an essential driver of well-informed investment decisions and return on investment (ROI) measurement, and it strengthens an organization’s ability to approach cyber risk strategically by enabling a shift away from technical jargon toward a dollar-based discussion in language understood across the business.
Likewise, 90% of manufacturers that quantify cyber risk invest in employee training, compared to 62% of manufacturers that do not quantify cyber risk. Those that quantify cyber risk are more than twice as likely to assess supply chain risk as those that do not (55% vs. 25%). Clearly, measuring the actual value at risk from cyber events provides crucial intelligence about the need to invest in actions that build resilience.
The Way Forward
How can board members and C-suite executives take more ownership of cyber risk, and ensure a strategic risk management framework is in place? How can they gain a more thorough understanding of their insurance programs and the protections these programs can offer? A good starting point is to ensure they are having the right conversations with risk professionals about their organizations’ cyber exposures as well as how their insurance programs will or won’t respond.
Equally important are framing cyber-risk exposures in economic terms to enable comparison with other enterprise risks; optimizing capital allocation across mitigation, insurance and other resilience-building areas; and measuring the impact of cyber spending on risk reduction.
Finally, since cyber threats are now a strategic concern requiring executive ownership, the assessment, measurement and management of cyber risk should be a consistent board meeting agenda item.
We are entering a new era in the management of cyber threats. As insurance policies will increasingly either affirm or exclude cyber risk, it becomes crucial for board members and C-level executives to understand the potential threats facing their organization and to embrace a strategic risk management approach to combat them.
This piece was first published on the NACD BoardTalk Blog.