Cyber risk has a growing impact on business and financial risk – and cybersecurity professionals would benefit from better understanding the relationship and its drivers.
As the frequency of cyberattacks increases, the financial impact of attacks has also accelerated, both in terms of insurance claims and business interruption costs.
While cyber risk increases, the capability to evaluate and mitigate related risks from an insurance, credit and financial perspective has slowly evolved.
In terms of insurance, evaluating and underwriting cyber risk has become a significant challenge, so much so that insurers struggle to fulfill market demand. Just a few years ago, cyber risk insurance was a profitable line of business with loss ratios as low as 10-15%. Rising claims have pushed this loss figure up to 50% in 2020 and well above that mark in 2021. That has caused some insurers to withdraw from the cyber risk market altogether.
Businesses are concerned about this, as cyber risk insurance plays a critical role in mitigating overall business and financial risk related to cyberattacks. Without the ability to offset and transfer risk, a business and its investors are more susceptible to financial risk and the repercussions stemming from a ransomware attack.
All these factors are driving cyber risk as a greater, and critical, consideration in evaluating overall financial and credit risk. Some credit rating agencies have publicly warned that cybersecurity will become an increasing area of priority in their analysis going forward.
While businesses and CISOs evaluate their potential cyber risk exposure and tolerances from an IT standpoint, they should also start building a greater understanding of cyber risk, and start evaluating it, from a financial viewpoint.
As a starting point, CISOs should understand and assess their insurance coverage regarding cyber risk and ransomware, and ensure they are clearly and adequately covered. They should understand their potential business interruption and recovery impacts and costs. Financial institutions and credit rating agencies may take insurance into account in their credit assessments, particularly in higher exposure sectors like technology, financial services, retail, and energy-utilities.
Financial institutions and credit rating agencies are becoming increasingly well-versed in cyber risk. They are clearly aware that cyberattacks often succeed because the targeted business failed in one basic but specific area of cybersecurity. Business interruption and recovery after a cyberattack are responsible for the lion’s share of financial losses, so agencies are increasingly likely to examine an organization’s backup and recovery plans and testing when evaluating it for financial or credit risk.
On a positive note, businesses that have a solid response and recovery plan and give cybersecurity planning priority create a material credit positive. Other best practices from a financial and credit evaluation standpoint include a record of transparency and clear communication in reporting about cybersecurity and events. Best-in-class companies are adding executives with cybersecurity expertise to corporate boards and as advisors.
From the financial institution and credit rating agency perspective, evaluating a company’s cyber risk can be quite difficult and complex. It is an evolving field of practice for these entities. Best-in-class insurance and credit rating firms will do the following: examine a high volume of data; refresh that data frequently; and look beyond historical and static data to include behavioral data.
Financial and credit firms understand that cyber risk and ransomware evolution are dynamic. They know that knowledge of past attacks is likely insufficient to inform them about future attacks and outcomes. Therefore, they are developing and implementing programs to build cyber risk foresight or predictive capabilities into their cyber risk evaluations.
In short, financial and credit risk analysts strive to become more comprehensive in cybersecurity and cyber risk assessment – and clearer and more effective in quantifying cyber risk.
CISOs should stay abreast of such developments – and understand that their colleagues on the financial side of the business are increasingly interested in and impacted by cybersecurity strategy, operations, and outcomes.
Paul Mang, chief innovation officer, Guidewire