Keeping pace with the constant evolution of technology is one of the main challenges associated with cyber risks. As demand for comprehensive cyber risk insurance cover grows, it is important that insurers closely monitor technological changes in order to provide adequate supply and cover.
Market experts and analysts have sought to quantify the size of the cyber market with regard to the amount of premium placed. Speculation has ranged from USD300 million to USD1 billion in global gross written premium for year-end 2012, with more reasoned estimates placing the number at closer to USD600 million. While premium is a solid although sometimes difficult indicator of growth to ascertain, a more instructive metric is the rate of product growth or insurance coverage across industries. Marsh has seen client demand for cyber coverage grow on average over 30 percent annually in the United States over the last several years. While demand varies by industry, the one constant has been that more clients are investigating coverage. There has been a higher uptake in purchasing protection as a result.
Companies manage all forms of risk through a combination of policies and procedures aimed at preventing and mitigating the threat. Intrinsic to these efforts are a process of risk awareness and risk assessment, and an understanding of how these relate to particular aspects of a company’s operations.
The approach to network security and privacy protection should be no different from the approach for general risk management. Unfortunately, companies often assume that merely investing more in technology solutions will help mitigate cyber risk. While IT departments clearly have a role to play in keeping their organizations secure by investing in firewalls and antivirus software, such ass assumptions have been shown to be not just out of date but patently incorrect. Indeed, there is no technological silver bullet that will protect a company.
Although technology is a vital component of the loss prevention and risk management effort, it is only part of the mitigation process. In fact, additional loss prevention policies and technology can do more harm than good in some instances.
Similarly, insurance is not a valid alternative to a solid risk management program. Where insurance is most effective is in providing protection against elements of residual risk that persist and resist any additional proactive efforts. Indeed, risk transfer solutions should often only be considered to deal with structural residual risk. Companies that follow this process have the benefit of identifying their risks and adopting risk management best practices, which in turn will ease the process of finding appropriate cyber insurance that best fits their requirements.