As digitalization becomes essential for business success, the determination and treatment of limitations in an industrial company’s cyber risk management is a necessity to keep business operations running smoothly; but is it purely a defensive measure whereby price and affordability have an outsized effect?
The previously mentioned limitations were:
- The dynamic nature of cyber risks and the challenge of how to address it.
- The data conundrum, whereby procuring quantitative, auditable, evidence-based exposure data is essential for both risk owners and assumers, with a need for that data to be collected in real time.
- The analysis of systemic cyber risks and observing the potential for their characteristics to become systematic.
Two further limitations in the industrial cyber risk space we would propose are specifically related to enabling risk transfer: (a) secure distribution of transparent and relevant data to risk assumers and (b) the ability to create fit-for-purpose risk transfer products.
- Secure Distribution of Data: Industrial companies, and especially critical infrastructure companies, are understandably reticent to provide data to anyone if they lack confidence in it being handled securely. Unfortunately, the insurance market can suffer from this perception, as there may be many parties involved in a transaction, from insurance brokers to co-brokers to various insurance carriers to (facultative) reinsurance brokers and reinsurers. All can be in several geographies, with each one handling, storing, and passing on data, and this elongated chain causes trust issues if there are doubts or obscurity around data access and control. Consequently, the selection of data to be shared is potentially jeopardized, as the lack of trust could be a disincentive to provide information deemed “sensitive”. Yet such data could increase the insurer’s understanding, helping to validate equitability in pricing, expand appetite for the risk, and, most importantly, create a true fit-for-purpose product.
- Fit for Purpose Risk Transfer: A complaint we have heard from industrial companies is that the cyber risk transfer market’s products are not fit for purpose. If significant investments are being made in cyber risk management, the product should recognize, dovetail with, and enhance this. It would be detrimental if the product conflicts with and/or diminishes the work of the CISO and the cyber risk management team. Equally, we have heard from risk assumers that they can only work with the information provided and, if it’s not granular and pertinent enough, terms and conditions, and in particular pricing, will have negative connotations for the buyer.
This brings us back to data. Most, if not all, of the data currently provided to the risk transfer market is collected via a questionnaire and an “outside-in” approach, such as threat intelligence information gained from sources outside of the industrial company; all of this is gleaned from a particular point in time, making it static and somewhat one-dimensional. To fulfill an industrial company’s need for a fit-for-purpose risk transfer product and the capability of the risk assumer to deliver it, the data procurement must include an “inside-out” approach whereby the data is acquired automatically and on a continuous basis from inside the complex and often cyber-vulnerable OT network. There is no full risk picture without it, and it is likely to include the “sensitive” data previously mentioned.
At DeNexus, we have built a SOC2 and ISO/IEC 27001 compliant transactional ecosystem to provide industrial companies with the confidence that their data is secure as it is distributed for risk transfer purposes. This involves not just encryption, anonymization, the highest standards of security controls, and the use of FedRAMP and C5:2020 certified infrastructures, but also understanding the legal ramifications of intellectual property protection and data privacy. This ecosystem should give confidence to the industrial companies so that the all-important “inside-out” data is provided.
Turning to the challenge of creating fit-for-purpose products, it is important to truly assess this phrase. Many buyers utilize risk transfer in a defensive manner, treating it as a contingency and an expense factor. It is a contingency in its purest sense, but DeNexus proffers that fit for purpose includes being a strategic business enabler and value creator. A financial instrument which reduces risk and provides non-recourse funding can be a leveraged resource for strategic purposes. As the constituents influencing an industrial company’s business sharpen their focus on cyber risk management, it could enable (amongst other things):
- Financing capabilities
- Commendatory regulatory and rating agency assessment
- Shareholder confidence and favorable share price analysis
- Credence for greater business digitalization that should lead to reduced costs, increased profitability, and growth
Recognizing such enablement positions the risk transfer product as an asset that can be embedded into the overall company strategy and, with its purchase assessed in relation to its value creation (not just the coverage amount and scope), price and affordability shouldn’t have an outsized effect on it.
To learn more about the DeRISK Platform and how it is a key tool in enabling new strategic business for (re)insurance, request a demo and talk with one of our field experts.