The cyber ecosystem encompasses all stakeholders and related industries of the cyber risk value chain: from the risk owners (mostly businesses, but also individuals and the public sector), to the cyber security firms tasked with preventing and mitigating incidents, to the insurance sector, which has taken on billions worth of cyber risk in the last few years.
The risk owners of cyber risks are predominantly private firms, but also individuals and the public sector. In the language of , firms generate value from utilizing information and communications technology (ICT) in their business activity, but are exposed to cyber-attacks via the same avenue. You can find an overview of attack vectors on our page on cyber risks.
While the cyber risk quantification literature and value chain are still primarily focused on the corporate and public sector, private persons and their data are also becoming increasingly targeted in cyber attacks: from the theft of identities and sensitive information like credit card and social security numbers, to cyber mobbing (as has recently occurred in Finland, see ), and even extortion by hackers threatening to expose confidential mental health records. Still, since little research has been done in this area, we will focus in the following on non-natural entities.
Information and communications technology (ICT) encompasses all devices, software, infrastructure, or other entities that store, retrieve, manipulate, transmit, or receive information electronically. Besides IT hardware and software, this encompasses phones, CDs, the internet as a whole, photocopiers, and, of special importance in the context of cyber risks, the infrastructure of the internet and cloud storage. According to , global investments into ICT are almost $4.9 Trillion in 2020, projected to grow by about 5% annually until 2023.
While the growing digitalization has added tremendous value to businesses and provided suppliers of ICT services and products with a lucrative business model, the growing investments in and reliance on technology are key drivers of cyber risks. From the perspective of these digital enablers, errors in their software or outages of their cloud solutions represent a cyber risk for their clients and a source of liability or fines for them. While cyber insurance usually covers clients against forms of cyber risk, providers can insure against these risks via a technology errors and omissions (E&O) policy.
The cyber security sector encompasses all services, both IT software and hardware solutions, and physical defenses that protect the confidentiality, integrity and availability of information (the so-called CIA triad). These measures are usually divided into organizational and technical measures. For a detailed description of cyber security services, visit our dedicated site on the topic. For up-to-date figures on the total spending on cyber risks, check out our cyber market statistics.
The cyber insurance market has picked up a lot of steam since the mid-2010s and has grown by 30% annually, to about $6 bn in 2020 gross written premiums. For up-to-date figures, please visit our Market Statistics.
Cyber has so far been a lucrative line of business for insurers, but worries over an accumulative catastrophe event, such as a longer outage of a major cloud provider or an exploitable vulnerability in commonly used software that leads to a plethora of cyber incidents, linger in the minds of executives. In addition to these accumulation risks of affirmative cyber insurance policies, insurers and marketplaces like Lloyd’s are increasingly worried about silent cyber risks in their non-cyber P&C lines of business. As described in our Cyber Market Statistics, the total exposure to silent cyber as of the end of 2020 is likely even larger than the exposure to affirmative cyber. The new silent cyber mandate by Lloyd’s, for which phase one came into effect in 2020 (see ), is a step to make these risks more transparent.
As more and more cyber risk gets transferred to the books of insurers, the influence of the insurance industry on the overall cyber hygiene of risk owners is increasingly important. As the number of claims can be expected to grow in step with the market, the sums spent by the insurance sector on cyber security, forensic and other related services will also increase in the future. The insurance sector might in the future, if it is not already, become the biggest principal for cyber security services. The competition among cyber security firms to get a piece of this market will likely increase the influence of cyber insurers even further.
It is important to note that the insurance sector is not a monolith and that the various parties involved along the cyber insurance value chain have varying incentives. While the overall relationship within the insurance sector is symbiotic, reinsurers, for example, are more concerned with accumulation and silent cyber risks than cyber brokers are.
The capital market is directly exposed to cyber risks via stocks and bonds. While a cyber incident might cause the stock of a single company to fall, as in the case of Marriott in 2018, where the stock value dropped by 7% when the breach was announced (cf. ), a cyber catastrophe could plunge a whole industry sector and even the entire world economy into crisis. Analysis of such catastrophe scenarios can be found under 1.2.2 in the cyber-economics.com library.
While the capital market is exposed to cyber risk via its risk owners, it is also looking at cyber as an opportunity. One point of interest is the stocks of cyber security vendors and service providers, like McAfee, Symantec or Accenture. As the demand for cyber security is increasing, these stocks appear to be future-proof. Also, as the number of stocks in the industry is increasing, there are now passively managed cyber security ETFs (cf. ) that track the development of the entire industry.
Besides stocks, cyber is also discussed as an underlying for insurance-linked securities (ILS). These financial instruments allow investors to participate in the insurance market without possessing an insurance license, which is usually hard and expensive to obtain. The ILS market has since the 1990s insured an ever-increasing amount of catastrophe risk, mostly hurricane, earthquake and wildfire risks. As of 2020, the global outstanding amount of ILS instruments is about $45 bn (). Cyber has been discussed as an underlying for ILS for more than a decade now. The market was, however, slow to fulfill these promises. But as of 2020, there have been some dedicated cyber-ILS transactions, for example a parametric deal that was facilitated over the digital risk marketplace of Akinova ().
Public authorities are more or less as susceptible to cyber attacks as the corporate sector, as was shown in the past, for example, by the breach of the US Office of Personnel Management in 2015 () or the hack of the German Bundestag in 2015 ().
Aside from the direct exposure to cyber risks, the public sector, in its function as the social economic planner, also (at least in theory) incorporates all welfare losses that cyber incidents cause to its constituents and stakeholders. If a ransomware attack, for example, causes harm to an entire business sector and impairs supply chains, the additional, systematic damages that suppliers and purchasers of the directly affected business sector suffer through suboptimal production levels (e.g. low availability of raw materials or goods) are internalized by the public sector. In addition to the social and political desirability of a cyber state, there is, therefore, a strong incentive for the public sector to assure and mandate good cyber hygiene of its stakeholders, secure systems and protocols, and facilitate an efficient transfer of cyber risks from risk owners to the insurance sector.
The public sector has a tremendous number of instruments at hand to achieve these goals. These include legislative measures, such as regulatory frameworks including fines for violations, like the General Data Protection Regulation (GDPR), awareness campaigns to spread cyber best practices among its constituents, as well as tax incentives for cyber security investments or services. A template for such a public-private partnership is Pool Re, founded and backed by the UK government since the early 2000s to insure risk owners against terror risks, which insurers were unwilling to take on after the London terror attacks of the 2000s.