The UK is the world’s leading financial hub and the financial sector contributes a substantial part of its wealth. However, cybersecurity risk is an ever-growing topic of significance to the sector. With higher numbers of IT and operational risks coming to light, understanding the landscape is increasingly valuable.
Dr Paul Klumpes of Aalborg University has studied markets, risk, and investment across the last three decades. In his latest article he covers the topic of cybersecurity risk management in the UK Insurance sector.
Read the original article: https://doi.org/10.1057/s41288-023-00287-9
Image source: NicoElNino/ Shutterstock
Transcript:
Hello and welcome to ResearchPod. Thank you for listening and joining us today.
Today, we’re looking at the work of Dr Paul Klumpes of Aalborg University. He has studied markets, risk, and investment across the last three decades, and – in his latest article he covers the topic of cybersecurity risk management in the UK Insurance sector. By considering a short case study centred around stakeholders and critical representatives, we delve into the insights of the Bank of England, industry players, and professional bodies to ascertain their industry’s resilience and measures against cybersecurity risks.
The UK is the world’s leading financial hub and the financial sector contributes a substantial part of its wealth. However, cybersecurity risk is an ever-growing topic of significance to the sector. With higher numbers of IT and operational risks coming to light, understanding the landscape is increasingly valuable.
To understand the importance of this, it is necessary to note that the UK has no regulations in place to structure mitigation plans against cyberthreats. Subsequently, there is no formal way of regularly and consistently reporting these risk metrics to boards and key stakeholders. How can we begin to resolve this?
Academically, additional research needs to consider the effectiveness or remediation plans to mitigate cyber risks and threats. Dr Paul Klumpes has carried out a case study to better understand what effort has been made by UK regulators and professionals to increase cyber resiliency. UK Insurance firms need to invest in cyber risk strategies, but with funding prioritised to cyber initiatives such as regulatory compliance, there is a lack of funding to invest in more significant initiatives such as big data and cloud computing.
Becoming non-compliant with UK and EU data protection laws is a considerable risk for insurance companies, and there can be extensive capital and operational costs related to this. Similarly, best practices and risk management are constant ‘in-demand’ topics that regularly come up within audit findings to improve cyber resiliency. From the perspective of UK insurance firms, people need to be able to assess and understand potential cyber threats, and to implement strategies to prevent the loss of personal data and identity fraud.
Dr Klumpes’ research raises questions on the nature of cybersecurity risk management and the scope of UK regulatory co-ordination efforts over the last decade. Has the work been effective? And how could understanding the degree of collaboration between regulators, industry bodies, member organisations and international partners expose or improve working relationships?
The case study assesses the level of participation of gatekeepers in terms of regulatory developments and their level of efficacy in coordinating capabilities within the UK insurance industry. Further to this, Dr Klumpes’ work makes it clear that there is a constant need to expand the current research in the cyber risk insurance category, which makes it exceptionally difficult to identify and analyse the effort required to price its impacts accurately. Moreover, pricing model structures need to consider the impact of public interference or the activities of major players in the sector; this poses a problem. Unless more knowledge and insight is made available to the public concerning the nature and severity of cyber-attacks, limitations to the pricing of cyber risk insurance will remain. This makes understanding the market scale, when compared to the US for example, exceptionally difficult.
Another challenge is the limited amount of prior research on cyber risk in relation to cyber insurance. The available literature showcases the issues within the market due to the lack of data, and information asymmetry. From a European standpoint, compared to the US, there needs to be more cyber transparency, which is currently obscured due to insufficient public policies and hesitancy to divulge breaches. With limited insight into cyber insurance policy underwriting, understanding, and measuring the scale and impacts of cyber-attacks is a tricky but important task.
It is worth noting that the importance of thoroughly understanding cyber risk does not solely apply to the financial sector but is acknowledged by the UK Government as a fundamental requirement. Although UK-based insurance companies are exposed to varying risks, such as loss or misconduct of sensitive consumer data, the foundational elements of cyber security, such as confidentiality, integrity, and availability, are by themselves not enough to thoroughly understand the intricacies of cyber risk.
There is a constant trade-off between the ethical duties of a company disclosing cyber-attacks and risking the privacy and costs of disclosing it to the public. There is a lack of understanding of what the consequences of doing so are. This issue is further exacerbated by the lack of mandatory disclosures of cyber or data breaches, mainly due to the competitive nature of the market.
The clear need for evidence on the nature, co-ordination and evolution of cyber security risk management in the UK insurance industry is where Prof Klumpes research comes in. It’s especially needed in today’s environment of increasing cyber threats and rising global tensions related to state-based and terrorist cyber attacks. It overviews recent developments in the evolution of UK regulatory interventions and their broader national and international collaboration efforts with other organisations, associations and industry bodies. Multiple research methods are then used to evaluate the effectiveness of these developments, comprising an estimate of the evolution of costs of cyber attacks, estimates of the total investment in computer systems and software intangible assets, and a content analysis of annual reports issued by key UK insurance companies and UK regulatory authorities.
So what did Dr Klumpes’ research find and what can we learn from it? Firstly, both the cost of data breaches and the incidences of systemic state-based attacks has significantly increased over time, resulting in cyber underwriters strengthening their exclusion clauses to exclude state-based cyber attacks.
Next, he noted that the UK government has actually regularly updated its national cyber strategy. Initiatives undertaken by UK financial regulatory authories include expanding the scale and scope of their cyber-related policies, initiating an authorities’ response framework to coordinate with each other, setting up new private-partnerships, and encouraging regulatees to strengthen their operational resilience to deal with such threats. Internationally, UK regulatory authorities have also initiated collaborative coordination efforts, setting up cyber experts troup organizations such as the G-7, creating risk pooling arrangements, as well as participating in joint exercises.
Despite these efforts, Dr Klumpes finds that many regulatory gaps and overlaps remain in the UK regulatory system. There are also limits to the maturity of the UK cybersecurity coordination efforts, such the lack of public disclosure of cyber attack incidents and annual cybersecurity audits. There is a lack of transparency concerning the nature and extent of reporting of cyber-related incidents; unlike the EU, there are no specfic UK standards for timely reporting of cyber incidents. In addition, BREXIT ended the collobaration between UK and EU police authorities in the fight against cyber-crime, increasing the susceptibility of both UK regulatory authorities and insurance firms to cyber attack.
Finally, despite the rising costs of data breaches between 2014 and 2021, investment in computer systems-related intangible assets by UK regulatory authorities has not significantly increased , increasing their potential susceptibility to state-based cyber attacks.
Dr Klumpes’ concludes that while efforts have been apparently successful in avoiding a large-scale, systemic cyberattack on the UK insurance industry, the system of cyber regulatory oversight is inadequate. This case study makes clear that, given the importance of the global insurance industry in both underwriting cyber risk and managing its own exposure to cyberattacks, further collaborative, policy level efforts are needed to develop a publicly available database of both the cost and nature of incidents at the national and international levels.
It’s not all doom and gloom; some good work has begun. There are developments in place to create a robust public database that tracks the cyber incidents affecting both of corporations and public regulatory organisations. This will expand public knowledge of issues and promote further extensive research into this undeveloped and poorly understood topic. This is exceptionally important as this field is rapidly expanding, with the total cost of data breaches and the size of investment in computer systems and software intangibles at risk of cyberattack continuing to increase over time. The degree of engagement with cyber as a reporting issue by both cyber insurers and financial regulators must grow in response.
Dr Paul Klumpes would like to express his gratitude to the RCUK for sponsoring his research and to the Geneva Association for publishing this paper in the April 2023 special issue of their journal Geneva Papers on Risk and Insurance: Issues and Practices.
That’s all for this episode – thanks for listening and be sure to stay subscribed to ResearchPod for more of the latest science. See you again soon.
Leave a Reply