Cyber ‘perception gap’ exists in industry’s understanding of risks – Lockton Re

Cyber is often seen as either “confusing or scary” by large (re)insurers, but the “reality is quite different”.

That was according to Oliver Brew, Lockton Re’s cyber practice leader, who spoke to Global Reinsurance this morning (9 September 2024) at RVS 2024 in Monte Carlo.

Brew explained: “Although cyber risk is global, conceptually it is very segmented from a network and technology perspective and the way it is actually deployed is not homogenous and uniform.

“So, the possibility that you could have this sort of global outage is extremely remote and that gap [in perception] is part of our job [to close].”

Brew spoke to the media as Lockton Re released its new The Art and Science of Cyber Risk Scoring Technologies report today, which he said was an exploration and evaluation of a selection of the industry’s emerging cyber risk scanning technologies.

Jacquelien Yeo, lead author of the report and cyber analytics lead at Lockton Re, added: “The development of this specialist technology illustrates the pace of innovation taking place in the cyber insurance industry.

“There is still a wide range of techniques deployed [for risk scanning], as well as outcomes delivered, and users should be aware of the limitations of these tools.”

The report added that while cyber risk data provided for (re)insurance underwriting was a useful addition to a toolset, best practices in exposure management would require more than one view of risk.

A Sophos paper “The State of Ransomware 2024”, referred to in Lockton Re’s report, illustrates the root cause of ransomware attacks by company size (see chart).

It shows that exploited vulnerabilities are the leading cause of attacks across companies of almost every size, Lockton added.

Cyber investment

Speaking to the media at RVS, Brew added that Lockton Re had been “investing heavily” in its cyber practice’s “models, capabilities and people”.

This is part of a conscious strategy to offer advisory services to (re)insurers in cyber lines, “some of who are relatively new in the space and focused on SMEs”.

He explained: “We have deliberately built a very multidisciplinary practice so we can bring to bear the analytics, actuarial skills and primary insurance experience to really help address the whole range of issues, whether that’s technology, portfolio management or claims and wordings based.”

Brew also explained that while cyber was often seen as a problematic or challenging line to work in, the development of such a dynamic cyber insurance market should be seen as a success for the industry.

He added: “Cyber is interesting because it’s one of the few perils where the threat is always morphing and the threat actors are always pivoting in cyber space – so it’s a more challenging line.

“But, at the same time, the defences are also improving and there’s a broader perception that there’s more global connectivity than we believe actually exists in the line.

“While the tail is still very real, it isn’t quite as dire as people often fear.”

Report conclusions

Lockton Re’s report concluded that cyber risk data providers can play a valuable part in assessing cyber security risk, providing sensitivity tests for the exposure data used in the catastrophe models, and also provide a key second view of risk.

“Best practices in portfolio management, like those promoted by regulatory bodies and Lloyd’s of London in their regulatory capability matrix, promote using more than one view of risk.

“In the uncertain world of cyber modelling, combining tools for a more comprehensive view of risk is an important way to benefit from the technological developments in vulnerability scanning, whilst avoiding some of the pitfalls of over-reliance on one model.

“Historically, the natural catastrophe world has seen several examples where outsized losses have occurred where models were found to be missing potential exposure. Scanning tools can be a useful addition to the modelled view of risk, to help mitigate this pitfall.”