Marsh chief executive John Doyle says insurers are “worried” about cyber insurance, and suggests a new strategy is needed to tackle the growing risk

Addressing the OECD’s Unleashing the Potential of the Cyber Insurance Market conference, Marsh chief executive John Doyle told delegates that a new approach to cyber risk is needed.

He said: “Technology is rapidly transforming our personal lives and our businesses. But as we embrace digital we also recognize there is a cost – including an increase in the frequency and severity of cyber threats.”

The WannaCry and NotPetya cyber attacks resulted in over $1bn in economic losses and, for the first time, cyber attacks and data fraud are both among the top five likeliest global risks according to the World Economic Forum.

While this has made cyber a more visible problem, and led to increased investment, Doyle cautioned: “Awareness is growing. More money is being spent. But, is that leading to a reduction in cyber risk? The answer is: not yet.”

What is the cost of cyber attacks to businesses?

The 2017 WannaCry and NotPetya cyber attacks alone resulted in $1bn of economic losses. Accenture puts the average cost of a malware attack at US$2.4m, the top cost to companies. According to Accenture, a malicious insider attack takes 50 days on average to resolve, while a ransomware attack takes 23 days on average.

How much is being spent on cyber security?

Gartner says that worldwide cyber security spending will hit $96 billion in 2018. It may top $1 trillion in the years ahead, according to some estimates.

What can the insurance industry do to better tackle cyber risk?

The industry must do more to educate clients about cyber risk, says Doyle. It must also develop better tools and models to help customers. In addition, it must improve information sharing with key stakeholders and governments.

According to Doyle, although businesses are working to mitigate cyber risk, a Marsh-Microsoft survey reveals that 34% of businesses perform no cyber risk measurement “at all”, while fewer than half said their organisation estimates financial loss from cyber events.

“It’s difficult to make smart investments if you’re not measuring potential loss,” he added.

“This is where the science of risk management and insurance can add value.”

Cyber insurance “opens the door” to a full view of cyber risk’s potential economic cost, Doyle explained.

This is because cyber insurance prompts companies to evaluate assets and controls, encourages benchmarking and gets companies to calculate losses in “hard financial terms.” In addition, once a policy is in place, insureds “have partners incentivized to improve security.”

Doyle continued: “We have only scratched the surface on cyber insurance. Global premiums for stand-alone cyber insurance policies are a fraction of other lines of coverage.

“There is far more to do,” Doyle said, because insurers are “worried” about the risk and buyers are still “confused”.

“The logical conclusion is that what we are doing is not working.”

Doyle called for more public-private partnerships. The private sector must do a “better job” of quantifying cyber risk and achieve cyber resilience, while the insurance sector must work to educate clients and develop tools and models to “help clients keep pace with risk”.

He thinks the sector must also improve information sharing with key stakeholders and governments.

However, it is not just the private sector and insurance industry that must work to mitigate cyber risk. Policymakers and governments must also ensure that national cyber strategies are developed, Doyle said.