Time to take cyber seriously with more risk budget

There is a distinct whiff of uncertainty and volatility in the air as 2019 gets underway and the big European insurance and reinsurance renewal has completed.

As Europe’s risk managers returned to their desks after a short but hopefully relaxing Christmas and New Year break, they will have no doubt looked at their in-trays in a state of mild panic.

Any hard-working and conscientious risk and insurance manager can surely be forgiven for temporarily closing their minds to all the risks that normally dominate their working lives as they focused on the job of getting the year-end renewal done. But that of course does not mean that those risks go to sleep for a few weeks, far from it, they just seem to grow.

Freelance hackers and state-backed online espionage agents, for example, presumably do not celebrate the year-end in the same way as the rest of us. This is presumably something of a boom period for them as people spend lots of money online using sites they have never visited before, while businesses and government departments go worryingly understaffed and presumably underprotected.

One New Year prediction that will surely not be contested by anyone is the assumption that cyber risk will be bigger and more dramatic than ever before in 2019, as the world’s tech giants continue to entice us into a digital world for which we are frankly not prepared as individuals, businesses or nation-states.

Another prediction difficult to contest is the assumption that the insurance sector will take more cyber insurance premiums in 2019 than it did in 2018, and will probably reach the year-end still not really knowing whether it is pricing the risk correctly.

Many assume risks are being taken and accepted that are not being properly measured and managed, leading to the easy conclusion that someday it will all blow up with some nasty consequences and wake-up calls.

One prediction we are prepared to make that will probably be contested, is that if there is a big catastrophe in 2019 that creates a 2001 to 2002-style dramatic market turn, it will not be natural but rather man-made, and most likely cyber-related.

How much retrocession cover is the market buying from the capital markets for cyber risk and business interruption currently, compared with natural catastrophe risk? How does that level of cover compare with the underlying values at risk?

Despite the nagging fear of cybergeddon, as president of French risk management association AMRAE Brigitte Bouquot explains, cyber provides a clear example of how the risk and insurance management community can really raise its profile and game in 2019.

AMRAE, Ferma and others are doing some really good work on cyber risk identification, measurement, management and transfer. They are importantly working with other representative bodies, and not just insurers, to try and figure out the best way of tackling this multi-headed beast.

They, and insurers and brokers, are also reaching out to companies in the SME and mid-market sector to share their expertise.

But, as Ms Bouquot alluded to in her interview with Commercial Risk Europe, this adds another significant pile of work to an already bulging risk management inbox.

The simple fact is that if the wider business community is really starting to take the cyber threat seriously, risk managers are going to need more support and budget. Companies the world over are shifting to a digital basis because it offers big cost savings. But if companies are benefiting from these cost savings in the short run, then some of those savings need to be allocated to risk management to help avoid future calamity.

The bottom line is that we need more trained and educated risk managers, and more insurance budget not less.

Will the later happen in 2019, or will it be another year of risk cost-cutting? We hope the former, but past experience says otherwise.