Accelerated Digitisation - Emerging from a mothballed economy stronger
What accelerated digitisation means for insurability and risk capital availability
INTRODUCTION
Background
Covid-19 has resulted in the mothballing of the global economy. The economic fallout will be profound and is not yet fully understood. It is clear that for many, survival is the first order of business and that draconian cost disciplines will remain a pressing imperative for a period well into 2021. Nonetheless, it is equally clear that as they emerge chrysalis-like from this mothballing, organisations will not be able to “cut their way to success”, and for many global-scale organisations the shift from survive to flourish will be predicated on investment, and particularly on accelerated investment in digitisation.
Digitisation offers organisations profound opportunities to restructure their businesses in ways that exploit connectivity and cloud technology to drive up efficiencies and drive down costs. The Covid-19 reality for these organisations is that acceleration of digitisation investment is the key to survival and flourishing in this depressed global economy.
Digitisation enables organisations to harness rich business opportunities through digital connectivity. In evolutionary terms we have seen the Internet Era and the Cloud-enabled Era, and are looking ahead into a Multi-Cloud Era. This multi-cloud era is about embracing massively expanded levels of connectivity, particularly in Operational Technology (OT) environments. This “hyper-connectivity” enables remote management of operations in highly complex fields of endeavour: as an example, managing offshore exploratory drilling in Oil and Gas from half a world away, delivering tremendous improvements in cost, schedule efficiency, supply chain consolidation and safety. These improvements provide the opportunity to change in fundamental ways the supply-demand and cost-profitability models that shape the break-even point for businesses. These new, technology-enabled, hyper-connected value chains are central to broad-based economic recovery, and the new ways of doing business they enable will present new risk challenges that demand new responses.
Risk Capital and Risk Transfer communities are already wrestling with and addressing some critical issues as they apply to cyber risk. It is highly likely that the additional burden of complexity associated with digitisation will challenge the insurability of hyper-connected value chains and amplify the risk capital availability issue already in play. Meaningful incorporation of cyber risk management and quantification within well-understood ERM frameworks and disciplines will be a critical indigenous capability that organisations will have to evolve and embrace in order to ensure favourable access to risk capital and to make risk capital mobile across the balance sheet.
PROBLEM SPACE
Quantification of cyber risk and the availability of cyber risk capital
Let’s quickly look at the broader risk capital issue as it pertains to cyber risk. The issue has two lenses, creating both a micro view and a macro view.
Micro View
Viewed through a micro lens, individual organisations that are sophisticated in Enterprise Risk Management terms are seeking to normalise the management of risk capital associated with cyber risk, such that cyber is managed like other critical enterprise risks. Organisations are beginning to discern a difference between discrete cyber risks (single issues) and incremental cyber risks, i.e. those where a cyber vulnerability, were it to be exploited, would enable, accelerate or amplify critical enterprise risks already identified in the risk portfolio. It is the incremental risks that really move the needle in the risk portfolio, and particularly in 3rd party supply chains. The consequence is that large balance sheet exposures driven by incremental cyber risk are not well understood or quantified.
Macro View
Viewed through a macro lens, the direct cyber insurance market and its associated reinsurance market are constrained by available capital capacity. The constraint is a consequence of the cyber reinsurance market not being able to transfer risk into alternative capital markets in the same way, and to the same extent, as for other categories of risk. The reason for this is that it is very difficult to quantify the worst-case scenario for cyber risk. Why is this the case?
The risk capital and insurance industries are accustomed to assessing the probability of the occurrence of a risk, its frequency (in a time period) and the impact of that event. This probabilistic approach is augmented with historical statistical analysis that finds correlation between risk quality conditions and losses that have occurred over time. This has led to trusted models, with trusted independent parties providing market-reported incidence levels against which risk is assessed, capital is allocated and the price of that capital is set. This is the first problem in quantifying cyber risk: there are no equivalent de facto adopted models that are trusted and whose risk quantification is of auditable quality.
There are several facets to this problem, and they all come back to the lack of de facto adopted, trusted cyber risk quantification models that can embrace the variables at the front end of a cyber risk. Without this, it is difficult to give a meaningful estimate of the cyber worst-case scenario.
Variability of intent to do harm. Firstly, because the malevolent intent of a bad actor to do harm is unpredictable, historical statistical incidence is no predictor of future incidence. There is variability of intent to do harm across different organisations in similar activities and, most importantly, organisations can be the victim of a structural cyber-attack without being a specific target; they are collateral damage. Even with a clear quantification of intent, there are then almost infinitely variable conditions at the front end of a cyber risk that make it difficult to reconcile one risk against another.
Variability of the balance between capability of attack vs capability of defence. Different attackers (even using the same exploit) have different levels of capability; different organisations have different levels of effectiveness of security outcomes, determined by a number of factors including the effectiveness of the defence technology, the effectiveness of the deployment of that technology, and the service management view of the effectiveness of the human and cultural security capabilities.
These issues are essentially a facet of the direct insurance problem, whereas the reinsurance sector has to reflect these issues as well as its principal nemesis, described next.
The aggregation of cyber risk across the complete spectrum of the portfolio of risks. It is extremely difficult to understand the aggregation of exposure across multiple insurers at a market level, and the scenarios to be quantified would clearly include, as examples, the loss of several critical cloud service providers, the compromise of an industry-level de facto application, an operating system vulnerability that is ubiquitous and easy to exploit, and of course combinations of these things. This difficulty in quantifying the worst-case scenario, together with the difficulty at market level of monitoring and reporting aggregations, means it is difficult to persuade alternative capital sources to embrace and trade in cyber-related insurance-linked securities and thereby allow reinsurance to spread its risk.
This difficulty in attracting alternative capital to the cyber risk category means that in the direct insurance market, insurance towers have not yet routinely reached €1Bn of cover and are invariably less than €250 million.
This capital capacity issue may well be amplified over the next 2-3 years as individual organisations and the insurance and reinsurance industry seek to address the so-called “silent cyber” challenge. Silent cyber can be thought of as implicit rather than explicit (affirmative) cyber cover, or the absence of an explicit exclusion of cyber cover. In the real world this has profound implications. Very many organisations insured for traditional categories of risk, in particular property and casualty, will have some potential silent cyber issues. It will mean many more, and unpredictable, examples like the recent incident that led to litigation, where an extension to a property policy designed to cover damage to or loss of floppy discs (tangible assets) was used as the trigger for a property claim following a modern-day cyber incident. There are almost infinite permutations of this kind of uncertainty and, quite properly, both the community of insured organisations and the insurance industry want to evolve to an affirmative model where cover for cyber risk is either explicitly included or explicitly excluded.
It is likely that more organisations will seek to affirmatively exclude cyber in order to write specific cyber cover than will look to explicitly include cyber in these other category covers. However, even a small proportion shifting to affirmative cover will amplify the capital capacity issue. Certainly, it can be anticipated that very many organisations will seek specific cyber cover as a stand-alone policy, and this increased demand may well add pressure to capital capacity and prices. Competition for available capacity will be high and prices may well respond, although demand is not always stable.
Digitisation changes the scale and profile of risk
The complexity of hyper-connected value chains is significant. To illustrate this, consider autonomous vehicles, where the complexity and sophistication embedded in the value chain is of a very high order. There is the physical infrastructure provision, the roadside technology for monitoring macro movements and individual vehicles, the sensors embedded in roads that feed that monitoring, the technology on board the vehicles, the telecoms service provision that allows the communications to take place, the remote condition monitoring of the vehicles, and the equipment supporting the processes. All are critical and potentially provided by many different service providers, drawing different elements of data from multiple (invariably) cloud service providers, with potentially thousands of applications supporting the value chain service delivery. Then we must acknowledge that this is not a purely autonomous driving environment: in the first years of this evolution there will be very many more non-autonomous vehicles than autonomous-enabled ones. In this complex world, how do we categorise and allocate responsibility for elements of the value chain, or bluntly, how do we manage liability when something goes wrong? It is difficult to see how liability could start and end with the OEM.
An alternative example is an oil company managing its drilling operations remotely, where a bad actor perhaps tampers with the instrumentation monitoring well-head bearing temperatures, leading to a catastrophic event. Blame seems clear, but if the connectivity is at fault and has been compromised, or the cloud service provision has been compromised, or the internet connectivity has been compromised, any one or combination of which may be responsible, how do we apportion responsibility for such a failure at a granular level, when each of these 3rd party service provisions itself has a potentially very complex and cascaded 3rd party value chain supporting its ability to deliver its own service? This is a much more complex 3rd party world than we have had to deal with before, and insurability of business interruption will be a challenge.
The greater the reliance that an organisation places upon digitised capabilities, the greater the potential business interruption impact of a failure in the service provision upon which the value chain depends. Simply, this means that the risk profile of organisations is going to change substantially and that the significance of cyber risk becomes much more profound, inside and outside the enterprise. It is critical that an organisation can quantify this cyber risk with evidence-based, auditable-quality cyber risk numbers, in order to make the risk capital associated with this changed risk mobile across the balance sheet instruments and to make it work harder for the benefit of the P&L.
It is probably fair to say that accelerated digitisation is a critical means of achieving the cost and efficiency gains needed to emerge from the Covid hiatus. However, in so doing it changes the organisation’s risk profile, potentially increasing the risk capital exposure the organisation faces as a consequence. The insurance challenge is that while the overall risk portfolio an organisation faces potentially increases, it becomes more challenging to insure the business interruption elements of that risk, because of the complexity of the hyper-connected value chain that underpins the new and more effective business models upon which the organisation now depends. This is on top of the reality that cyber risk invariably amplifies the critical risks about which an organisation is already worried, and where organisations are invariably already under-provisioned in risk transfer and risk capital allocation.
If we pull these different facets of the problem space together, we can see a critical need to exploit connectivity technologies and harness digitisation benefits in order to rebound from the Covid hiatus. In embracing digitisation, the complexity of the hyper-connected value chains that it will stimulate means that it will be difficult to attain a granular understanding of the completeness of the risk across a potentially very complicated 3rd party value chain landscape. Understanding liability will be a challenge, and insurability of business interruption will be more problematic. At the same time, a risk capital capacity constraint, exacerbated by the structural shift necessary to address the silent cyber issue, will make allocation of cyber risk capital more selective towards better quality, more transparent risks. Simply put, the cost and availability of cyber risk capital is going to be linked, at least in part, to how effectively an organisation can manage cyber risk and demonstrate the effectiveness of that management. Certainly, the rating agencies are considering how to incorporate effectiveness of cyber defence as a ratings criterion, and in recent months we have seen ratings change consequent upon cyber events.
SOLUTION SPACE
This is a difficult problem to solve, and cyber insurance may have endured a bad rap. Surely it can only be a good thing for organisations to be able to share this increasingly ubiquitous risk through cyber insurance, and across all of the available capital instruments necessary to meet the capital demands implicit in it. There are many strands of modelling activity, statistical analysis and data science looking at the many facets of the problem. However, sadly, there is no single globally accepted and trusted quantification model, and no single ubiquitously adopted risk platform, to give confidence to a market eager to release capital to stimulate broader and deeper take-up of cyber insurance. This means that co-operation and ecosystem responses are essential, and that these responses must develop evidence-based, better quality (auditable) cyber risk numbers. These ecosystem capabilities will need to be able to quantify the six or seven critical elements that determine the risk balance between the effectiveness of an organisation’s attack surface and the effectiveness of its defence surface, and to represent this in financial terms as a component of the organisation’s ERM structure. This is a critical first step in developing a solution view. Only with this first step established is there a real possibility of developing de facto adopted and trusted sector- and market-level cyber risk numbers. These can then begin to give the alternative capital markets the confidence to share the cyber risk challenge as a new risk class and market, and eventually to trade those instruments.
This evolution is also important in order to start tackling the issue of the granularity of aggregated cyber risk in the more complex value chains that are intrinsic to digitisation. Without confidence in transparent, evidence-based numbers, it will be difficult to form a granular view of liability and to understand and quantify business interruption and other cyber risks for organisations introducing hyper-connected value chains.
CONCLUSION
If we are to bounce back from the mothballed conditions of the global economy, we must be able to embrace digitisation fully, and we must understand the implications of the changed profile and overall increase in organisations’ risk portfolios. We must acknowledge and address the structural challenges of availability of cyber risk capital, in order to ensure capital availability to support a global economy increasingly dependent upon technology but threatened by the associated cyber risk. To do these things, we must embrace the challenge of quantifying cyber risk in a way that generates trust through evidence-based, auditable-quality cyber risk numbers: numbers that can then be used to make cyber risk capital mobile across the balance sheet and able to work harder for the benefit of the P&L at these most difficult of times.
Peter Armstrong is a Fellow of the Institute of Directors with 30+ years of cyber and risk management experience
A good read, Peter. Perhaps this warrants an even more urgent need for a collective approach to cyber defence and risk management.
Love the point about better understanding the effectiveness of cyber-defence, this point is often lost in current cybersecurity strategies.