Because the relatively young cyber insurance industry only covers a small portion of the potential economic impacts of cyber risk, the most significant "insurer" of cyber risk is corporate America, along with all companies around the world. The vast majority of the potential economic impact related to cyber risk is self-insured by the companies themselves.

Cyber risk continues to grow

Federal Reserve Chair Jerome Powell recently said in an interview: "... the risk that we keep our eyes on the most now is cyber risk." Powell also talked about a potential systemic failure of the electronic payments system and how it could negatively impact the broader financial system. The prevalence and unique nature of systemic risk in complex digital systems is challenging how companies and the federal government view and approach cyber risk management and governance.  

With cyber insurers raising premiums and tightening coverage terms and limits, the most important 'insurance policy' for companies is their cyber risk governance and management activities. This is because cyber insurance essentially covers the first layer of risk, or what could be viewed as the "predictable" layer. Companies are self-insured for the catastrophic impacts of cyber, and in some cases, such as with intellectual property or reputational risk, effectively not insured at all.

JP Morgan Chase Chairman and CEO Jamie Dimon listed cybersecurity risk first on the list of specific issues facing the company in his 2020 letter to shareholders, declaring, "Cybersecurity risk remains a significant threat." He went on to disclose how much JP Morgan Chase spends on its cybersecurity defenses to protect the bank and its customers, saying: "We cannot overemphasize the importance of cyber risk, not just to our bank (we spend more than US$ 600 million a year on cybersecurity) but also to our customers, countries, economies, and critical industries (i.e., telecom and power). Much of our extraordinary cyber capabilities are also used to train and protect our customers, particularly in the areas of risk and fraud."

The risks are real and systemic

These issues place a difficult responsibility on boards and management teams to understand the potential economic impacts of their unique cyber risk profile. As Dimon pointed out, JP Morgan Chase has also extended mitigation to its customers in recognition of the systemic threats and risks that exist throughout complex digital business systems.

New York's Department of Financial Services, the state's insurance regulator, recently issued its first Cyber Insurance Risk Framework, which specifically advises cyber insurers to understand the systemic risks they are underwriting. The agency warned: "In addition to overall rising costs, insurers must account for the systemic risk that occurs when a widespread cyber incident damages many insureds at the same time, potentially swamping insurers with massive losses."

The agency also commented on the insurance industry vs. self-insurance dynamic, adding: "Insurers that don't effectively measure the risk of their insureds also risk insuring organizations that use cyber insurance as a substitute for improving cybersecurity, and pass the cost of cyber incidents on to the insurer." 

The cyber risk buck ultimately stops with every company's boardroom and management team. The vast majority of the economic impacts of cyber risk cannot be insured away by transferring them to a third party, which presents companies with a growing cyber self-insurance challenge.

While many boards receive various threat intelligence and other cyber risk metrics from their management teams, the connection between cyber threats and their potential economic impacts is usually less developed. The economic and non-economic impacts of cyber risks take many forms and range from the direct loss of revenue to reputational damage. Cyber threats can generally be segmented into four main categories: data breaches, business interruptions, asset misappropriations, and cyber ransom and extortion.

Each of these primary threats can give rise to a wide range of economic impacts and losses.

An effective cyber risk governance and management approach includes understanding the connection between an organization's cyber risk management practices and each of these potential types of threats, together with their potential impacts. Deciding to transfer a portion of cyber risk to a third party or self-insuring is an output of that cyber risk management process.

Aside from rigorously reviewing policies, here are the top three actions board members can take to govern the far-reaching economic impacts of their self-insured cyber risk profile:

  1. Reassess cyber competence, starting at the very top: The first and most critical cyber risk control for every company starts at the top, with high-performing, cybersecurity-competent corporate directors and leaders. Proposed legislation (S. 808) would put a disclosure requirement on cybersecurity expertise or experience in the boardroom. This is the fourth time Congress has proposed this bill, reflecting U.S. regulatory persistence in making this a boardroom baseline. To gauge the effectiveness of your cyber risk governance as a critical control, assess corporate director cyber skills, the boardroom structure around cyber risk oversight, and the scope of cyber-related or cyber-dependent risk factor disclosures.
  2. Extend the cybersecurity risk management landscape to systemic risk areas: Follow JP Morgan Chase's lead—review and consider expanding your cybersecurity risk management footprint to include other stakeholders throughout the digital business system. In addition, follow the advice of the New York Department of Financial Services and the insurance industry: understand the self-insurance exposure levels to systemic cyber risk within your business ecosystem.
  3. Align economic impact to your cyber risk profile: Cyber risk mitigation metrics are only half the story. They need to be assessed alongside the potential economic impacts of the organization’s cyber risk profile to identify self-insurance exposure levels and inform the overall cyber risk mitigation strategy, i.e., accept, transfer, mitigate and eliminate.

There are no precedents that will accurately project future losses in cyber risk. Cyber insurance is only one small part of an overall cyber risk management and mitigation strategy. Understanding the entire cyber risk profile in the boardroom requires a deep understanding of the organization’s self-insured cyber risk exposures.

Copyright © 2021 Accenture. All rights reserved. 

Robert Kress

Managing Director – Accenture Security, Global Quality and Risk Lead
