In 2017, the NotPetya malware cost the industrial group St-Gobain 250 million euros, the Reckitt pharmaceutical group 110 million, and the Danish shipping company Maersk between 200 and 300 million dollars. For FedEx the losses are estimated at around 300 million dollars. Beyond the financial damage, which some companies or sectors of activity may no longer be able to bear, there is more at stake: the entire economy and the mode of operation of modern societies, such as democratic expression, have become vulnerable to cyberattacks. Their persistence and scope generate systemic risks with dynamic snowball effects that could impact everyone. This is due in particular to the interdependencies and interrelationships of the digital infrastructures and entities involved. In addition, the inadequacy or obsolescence of cybersecurity and cyber resilience mechanisms makes the return to normality increasingly complex, expensive, difficult and occasionally impossible. Cyberattacks with large-scale impacts can affect all vital services and thereby the entire population, eroding political and economic stability and exhausting the victims. This raises considerable challenges and critical issues of cyberrisk and crisis governance.
Organizations are increasingly turning to complementary insurance schemes to cover inefficiencies in their strategy and the operational implementation of their cybersecurity measures. The insurance industry is therefore faced with the task of offering instruments adapted to the threats generated by the extensive use of digital technologies, the dependence of organizations on information systems and the reality of cyber incidents, whether they are of malevolent origin or not. But the market for the insurance of digital data and infrastructures is struggling to develop. It must constantly adapt to the reality of cyberthreats, their intensity, and follow the evolution of cyber risks (data theft, scams, disruption, destruction of infrastructures and services, etc.). An increased understanding of vulnerabilities, threats and their impacts, as well as cybersecurity measures and the roles and responsibilities of all actors, is necessary for the proper development of the cyberinsurance market. Therefore, it has become crucial for professionals in the insurance industry to master the conceptual, methodological and practical tools that contribute to:
On the other hand, economic leaders must also understand the means and skills necessary for the steering, governance and control of cybersecurity. Furthermore, they have to know the values that must and can be insured, and against what to insure them. Moreover, they need to be able to identify the technical, organizational, managerial and legal constraints of cybersecurity. All this must be taken into account when implementing a cybersecurity strategy.
Nevertheless, are all cyberrisks insurable? At what cost, under which conditions and with what guarantees? How should the level of insurance coverage be determined in case of a digital blackout affecting a region, a country or a continent? What about reinsurance? These questions need to be answered satisfactorily, because it is important for organizations to be able to rely on the comfort that good insurance can provide. However, the majority of them are still concerned solely with the symptoms of cyberinsecurity and not with their causes. Consequently, they lack the ability to anticipate risk scenarios, prevent them and adapt to ongoing developments. The insurance approach, however, raises questions about the need to qualify and even certify solutions and security procedures, and to assess the maturity of companies with regard to their cybersecurity posture and their capacities for crisis and communication management.
Prof. Dr. Solange Ghernaouti: sgh@unil.ch
Prof. Dr. Solange Ghernaouti is a member of SATW and director of the Swiss Cybersecurity Advisory and Research Group at the University of Lausanne. Her newest book, «La cybercriminalité - Les nouvelles armes du pouvoir», was recently released by the Presses polytechniques et universitaires romandes.