The re/insurance market needs a more effective means of assessing cyber risk if it is to both better insure against and boost resilience to threats, according to respected industry think tank The Geneva Association.
In a research paper, “Analysis of the impact of cyber events for cyber insurance”, recent cyber losses are analysed and a model for developing more informed cyber insurance policies is proposed.
According to the research, malicious data breaches are the most frequent form of cyber incident across almost all corporate sectors. They affect more individuals or entities than any other type of data breach and are among the most expensive incidents.
Servers, websites and email are most often compromised and the data breached is mostly in the form of financial and personal information (over 90%). The responsible actors are mostly unknown, but approximately 7% of instances are attributed to current or former employees and 2% to hacktivists.
Unintentional data disclosure represents the third most frequent type of data breach. Printed records are most often compromised, followed by email, servers and websites. The information exposed is almost exclusively financial, health and personal.
The Geneva Association paper goes on to suggest that “cyber incidents attributed to hacktivists and foreign nation states have several things in common. They involve mostly malicious data breaches and network disruptions. The loss is mostly personal identity information and corporate business income/services. Incidents attributed to terrorists exhibit a similar pattern”.
It adds that a second cluster is formed by employees, vendors, consultants and trusted third parties, suggesting that these four actors share a similar risk profile.
Meanwhile, it notes, criminal organisations form a singleton cluster. They mostly target financial information via malicious data breaches and network disruptions. Other means include skimming, physical tampering and phishing.
Looking forward, the Geneva Association paper suggests that a more accurate predictive cyber model will require additional data, and that combining existing proprietary data sets (such as that produced by Advisen) with other data sources “is therefore of significant future interest”.
For example, the paper says, data on corporate finance, stock price, news feeds and cyber threat indicators could be included.
The full report can be accessed here: https://link.springer.com/article/10.1057/s41288-020-00171-w