VIEW 4
The cyber risk in context
In February 2019, the great and the good gathered in Davos at the World Economic Forum to discuss the current state of the world. They examined the threats facing the world economy and ranked them according to their likelihood and impact. So, for example, Weapons of Mass Destruction (WMDs), which were a hot topic a decade previously, were not seen as a pressing concern. Though nuclear bombs going off would clearly have a big impact, it was thought unlikely that this would actually occur. Hence their position in the top left corner of the diagram to the right: high impact, low likelihood. So, what were the issues of greatest concern? Look in the top right-hand corner. You will see the dots up there are either orange or light blue. In other words, the two issues of greatest concern were climate change and cyber risk.


The recognition of these two risks has been fairly recent. In 2015, cyber-attacks did not even make the top 10 list in terms of impact, and five years before that the agenda was dominated by collapsing asset prices and failures in global financial governance. Today both of these threats are given their due prominence in corporate risk registers when companies file their annual reports with stock exchanges.
In insurance terms, this translates into two main product lines – property and cyber. Climate change is driving an increase in natural catastrophes such as wildfires, hurricanes and tornados which in turn is driving up property damage claims. Cyber-attacks have been growing exponentially and show no sign of peaking yet.
Systemic vs specific risk
We should note, however, that despite having similar prominence in terms of likelihood and impact, property and cyber have an important difference in risk characteristics. This hinges on the difference between specific and systemic risk. Property risk is largely specific and based on geography. The likelihood of three buildings – one in New York, one in London and one in Tokyo – collapsing at the same time is zero. But three computers in each of these locations could easily become corrupted at the same time if they are all connected to the same network. Specific risk can be reduced through diversification, systemic risk cannot. Since the internet connects all computers globally, systemic risk is prevalent in the cyber world.
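The diversification argument above can be made numeric. The following is an added example, not part of the original article; the probabilities and the common-shock model (one shared-network event that hits every site at once) are assumptions chosen for illustration.

```python
import math

# Assumed model (constructed for illustration, not from the article):
#   - each site suffers its own "specific" loss with probability p_specific,
#     independently of every other site;
#   - one "systemic" event (e.g. a shared-network compromise) occurs with
#     probability q_common and, when it does, hits every site together.

def site_loss_prob(p_specific, q_common):
    """Probability that a single site has a loss in the period."""
    return q_common + (1 - q_common) * p_specific

def prob_all_fail(n, p_specific, q_common):
    """Probability that all n sites have a loss in the same period."""
    return q_common + (1 - q_common) * p_specific ** n

def loss_fraction_std(n, p_specific, q_common):
    """Standard deviation of the share of an n-site portfolio that is hit.

    Var = m(1-m)/n + (n-1)/n * cov, where cov is the pairwise covariance
    created by the common shock. The first term shrinks as n grows
    (diversification works); the second term does not.
    """
    m = site_loss_prob(p_specific, q_common)
    both = q_common + (1 - q_common) * p_specific ** 2  # P(two given sites both hit)
    cov = both - m * m
    var = m * (1 - m) / n + (n - 1) / n * cov
    return math.sqrt(max(var, 0.0))

if __name__ == "__main__":
    P_SPECIFIC = 0.02   # constructed value
    Q_COMMON = 0.01     # constructed value
    print("P(all 3 sites hit), specific only :", prob_all_fail(3, P_SPECIFIC, 0.0))
    print("P(all 3 sites hit), shared network:", prob_all_fail(3, P_SPECIFIC, Q_COMMON))
    print(f"{'sites':>7} {'std, specific only':>20} {'std, with systemic':>20}")
    for n in (1, 3, 100, 10_000):
        print(f"{n:>7} {loss_fraction_std(n, P_SPECIFIC, 0.0):>20.5f} "
              f"{loss_fraction_std(n, P_SPECIFIC, Q_COMMON):>20.5f}")
```

With specific risk only, the volatility of the portfolio's loss share falls with the square root of the number of sites; with even a small common shock it levels off at a floor that adding more sites does not lower.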