As of 2014, more than 25 billion devices were connected worldwide, and according to Reuters the global cost of cybercrime was estimated at $445 billion. With the number of connected devices expected to increase to 50 billion by 2020, the question of how best to protect businesses, property and the public from cybercrime will become that much more important.
The depth and scope of threats are evolving at such a fast pace that traditional IT security systems no longer suffice. The current set-up of IT security systems tends to be reactive to threats of cyber-attacks, lacking the ability to foresee new risks. As a result, cyber security must be included in the strategic organization of businesses to determine how and when their products and services are the target of new threats.
The impact of cybercrime is manifold: businesses suffer reputational damage from losing customer data, value chains are interrupted, hackers steal intellectual property, etc. There is also increased cost of litigation to settle claims arising from these crimes.
The main problem in protecting against these types of risk is a general lack of understanding of the end effect that cybercrime has, e.g., the type of claims that will be made in regard to stolen data, or how to measure the costs associated with denial-of-service attacks. There is a lack of consistent regulation across countries and regions on how businesses must respond to threats against privacy. The problem is exacerbated because technology companies often have a limited view of the control systems used by clients and restricted access to audit those systems. To further complicate the matter, corporations and policy holders tend to lack the required insurance coverage to mitigate these risks, in large part due to their high costs. Lastly, (re-)insurers are only now beginning to understand the frequency and severity of cybercrime so that their coverage can be appropriately priced and rolled out on the open market.
Countering the threat of cyber-attacks requires an ecosystem made up of the four main players. This would allow each one of them to contribute to creating uniform regulation, evaluating risks, and foreseeing and lessening the consequences of future risks.
1. Regulators would be able to acquire a comprehensive understanding of the risks affecting end-consumers and the industry at large to create a standard regulatory framework that is then implemented across the EU
2. Technology companies, by being at the forefront of new developments, would be able to provide the required expertise to foresee cases of cybercrime and the benefits that implementing (or not) new software, patches or antivirus solutions can have for clients
3. Corporations and policy holders, as the first line of attack, would benefit by acquiring the needed insurance coverage to protect them
4. (Re-)insurers, with their ability to evaluate, quantify and segment these types of risks, would be able to provide insurance products and market capacity to fulfill the needs of the policy holders and corporates
Cyber risk is constantly changing and evolving in its forms of attack. Market needs show a clear differentiation between assurance (when will the attack happen) and insurance (what type of risk have we not foreseen). By establishing a dialogue between the four parties most impacted by cybercrime, the ecosystem would be able to provide the necessary assessment and evaluation of risks to mitigate the damages.