Skip to main content
The Actuary: The magazine of the Institute and Faculty of Actuaries - return to the homepage Logo of The Actuary website
  • Search
  • Visit The Actuary Magazine on Facebook
  • Visit The Actuary Magazine on LinkedIn
  • Visit @TheActuaryMag on Twitter
Visit the website of the Institute and Faculty of Actuaries Logo of the Institute and Faculty of Actuaries

Main navigation

  • News
  • Features
    • General Features
    • Interviews
    • Students
    • Opinion
  • Topics
  • Knowledge
    • Business Skills
    • Careers
    • Events
    • Predictions by The Actuary
    • Whitepapers
    • Moody's - Climate Risk Insurers series
    • Webinars
    • Podcasts
  • Jobs
  • IFoA
    • CEO Comment
    • IFoA News
    • People & Social News
    • President Comment
  • Archive
Quick links:
  • Home
  • The Actuary Issues
  • February 2013
02

Soapbox: Cyber reality - time to quantify risk

Open-access content Thursday 7th February 2013 — updated 5.13pm, Wednesday 29th April 2020

Marie Gemma Dequae calls for improved data to counter the rapidly growing threat to information security

2

Cyber risk is a large and growing threat to business. Quantifying exposure is in its very early stages because of the scant data currently available and the evolving nature of the risks.

But pressure will increase for more precise estimates of exposure. Last autumn, a survey of members of the Federation of European Risk Management Associations (FERMA) revealed a majority saying that board involvement in cyber risk in their companies was growing.

In Europe, draft legislation will add to company obligations on data security breaches, while, in the US, the Securities and Exchange Commission is looking for and sometimes requiring disclosure of security issues.

Information security is a classic "enterprise risk" and should not be viewed as the sole domain of the chief information officer. The ability to assess potential maximum loss will enable companies to judge what financial provision is needed for cyber risks, including whether to buy insurance and what limits are worthwhile. The accuracy of insurers' pricing of cyber risk policies is a separate, but clearly related, issue.

Such risks are a threat to the digital assets of a business: client details, confidential information, intellectual property and operating systems. Most common are attacks on client data to get at financially valuable information. At the other end of the frequency distribution are efforts to capture intangible assets or assaults on operating systems. These do, however, occur, and governments are taking the potential for interference with critical infrastructure organisations seriously.

The cost implications of these risks range from predictable items, such as customer notification and call centre expenses, to open-ended business exposure, including loss of income from intellectual property and loss of competitive advantage.

Data, however, is poor, especially outside the US. Companies do not want to air their problems in public, and, in Europe, notifying customers that their information has been compromised has not been compulsory. Most estimates are based on US cases or have a very wide margin of error. Quoted figures tend to be broad - so many billions a year lost to cyber crime, for example, or an estimated mean loss per company. Businesses cannot rely on this information to benchmark their own exposure except in the simplest way.

The first step in overcoming these limitations is for the risk manager to collaborate on developing scenarios that are truly representative of the company's exposure. They can also draw on examples where the companies involved have disclosed the financial impact of cyber incidents. This can be useful in engaging board interest. In this way, companies can estimate the consequences of cyber risk - from immediate costs to the longer-term impact on reputation.

Next, combining this scenario analysis with suitable quantitative analytical tools will help to estimate probable loss distribution from a wide range of events. The critical issue is that the assumptions underpinning any model are grounded to the specific business model and capture the extraordinarily dynamic nature of cyber risk; the instigators are very inventive.

Ideally, the risk manager will also be able to see how changing various assumptions affects the risk profile, stress-testing the results without rerunning the whole model.

This approach of combining scenario and quantitative analysis could also be useful for communicating cyber risks to senior management. The higher you venture into an organisation's structure, the more straightforward the message needs to be.

Colleagues have told me that they have seen well embedded principles and practices associated with risk management and risk financing discarded when information and cyber security are considered. By working as outlined above, businesses can avoid over-reacting to scare stories about cyber risks while acknowledging the true dangers and bringing them under a proper risk management approach.

Marie Gemma Dequae is scientific advisor to the Federation of European Risk Management Associations. She is a board member of Belfius Bank and Belfius Insurance in Belgium.

More information on the research on cyber risk, conducted in cooperation with Harvard Business Review and sponsored by Zurich Insurance, is available at www.ferma.eu

Digital risks will also be on the programme at the FERMA Forum, which takes place from 29 September to 2 October in Maastricht.

This article appeared in our February 2013 issue of The Actuary .
Click here to view this issue

You may also be interested in...

2

The Actuary Puzzles January/February

Jan/Feb puzzles, including prize puzzle, and Christmas solutions
Thursday 7th February 2013
Open-access content
2

Soapbox: united we stand, divided we fall

Hugh Creasy looks to a future where all the stakeholders involved in corporate pension schemes join forces to surmount their funding challenges
Wednesday 6th March 2013
Open-access content
2

The Actuary Puzzles March 2013

March puzzles, including prize puzzle, and Jan/ Feb solutions
Wednesday 6th March 2013
Open-access content
2

A new actuaries climate risk index

In the first of a series of occasional articles highlighting new research and developments by member interest groups and other communities, Yves Guérard appraises a new report on climate change and its impact on insurance risk
Thursday 7th February 2013
Open-access content
2

Medical underwriting 'could cut de-risking costs by over 10%'

Taking pensioners’ health and lifestyle into account could reduce the cost of de-risking a defined benefit pension scheme by 10% or more, according to research published today by The Pensions Institute.
Monday 4th February 2013
Open-access content
ta

Building resilience to global risk

Rainer Egloff of Swiss Re takes a look at a new report which highlights the changing nature of risk worldwide and identifies ways to tackle emerging threats
Wednesday 13th February 2013
Open-access content
Filed in
02
Topics
Soft skills
Share
  • Twitter
  • Facebook
  • Linked in
  • Mail
  • Print

Latest Jobs

Senior Reserving Analyst

London (City of)
Negotiable
Reference
149485

Senior GI Modeler - Capital and Planning

London (Central)
£ excellent
Reference
149436

Risk Oversight Manager

Flexible / hybrid with a minimum of 2 days per week office-based
£ excellent
Reference
149435
See all jobs »
 
 

Today's top reads

 
 

Sign up to our newsletter

News, jobs and updates

Sign up

Subscribe to The Actuary

Receive the print edition straight to your door

Subscribe
Spread-iPad-slantB-june.png

Topics

  • Data Science
  • Investment
  • Risk & ERM
  • Pensions
  • Environment
  • Soft skills
  • General Insurance
  • Regulation Standards
  • Health care
  • Technology
  • Reinsurance
  • Global
  • Life insurance
​
FOLLOW US
The Actuary on LinkedIn
@TheActuaryMag on Twitter
Facebook: The Actuary Magazine
CONTACT US
The Actuary
Tel: (+44) 020 7880 6200
​

IFoA

About IFoA
Become an actuary
IFoA Events
About membership

Information

Privacy Policy
Terms & Conditions
Cookie Policy
Think Green

Get in touch

Contact us
Advertise with us
Subscribe to The Actuary Magazine
Contribute

The Actuary Jobs

Actuarial job search
Pensions jobs
General insurance jobs
Solvency II jobs

© 2023 The Actuary. The Actuary is published on behalf of the Institute and Faculty of Actuaries by Redactive Publishing Limited. All rights reserved. Reproduction of any part is not allowed without written permission.

Redactive Media Group Ltd, 71-75 Shelton Street, London WC2H 9JQ