The relationship between cyber security regulation and cyber insurance

Regulation almost always has the side effect of increasing risk to an organization's interests.

 

As of March 1, financial institutions in New York State became obligated to comply with the nation’s first cyber security regulation. In broad strokes, the New York Department of Financial Services now requires that financial institutions structure a formal cyber security policy based on periodic risk assessments.

The immediate priority for financial institutions in New York is to create a risk management framework to sustain ongoing compliance with the new regulation. Also important, according to Law360 contributor Jeff Sistrunk, is having a backup plan in the event that a financial institution experiences a data breach. This is because the regulation gives litigators more leverage, whether through the added liability of the data security rule or through an institution's failure to comply with it entirely.

That backup plan, according to Sistrunk, is cyber security insurance.

A burgeoning market

Cyber liability insurance has been a hot-button issue in the past few months. As the fallout from cyberattacks increases – the Yahoo intrusion alone cost $350 million – so does the incentive to invest in cyber insurance. According to PricewaterhouseCoopers, the value of annual gross written premium will cap out at $7.5 billion by 2020.

That said, the market is still relatively young and must undergo a certain amount of maturation. At the moment, there is a significant lack of readily available data pertaining to the actual financial damage caused by cyberattacks, which makes it difficult to assess actual risk exposure. For example, we know that ransomware raked in a whopping $1 billion in 2016. While that information is helpful, there may not be enough of it just yet.

But even with those caveats, investment in cyber insurance is expected to increase in 2017, if for no other reason than that cyberattacks are continuing to become increasingly sophisticated. Meanwhile, digitization and even automation are becoming more central to business operations in a variety of industries. And as this happens, the potential for loss spikes – not just in terms of reputational damage and IT downtime, but also in the form of class-action lawsuits.

More regulation: Does it help or hurt? 

Sistrunk’s argument seems to be that greater cyber security regulation gives litigators something to really sink their hooks into as they bring data breach-related cases to court. In this sense, the regulation does ultimately create an added layer of risk for financial institutions.

The opposite is also true. Showing that an organization has complied with specific cyber security standards laid out by a state-sponsored regulatory body could undercut plaintiffs’ claims. At a minimum, this may serve to limit some of the damages imposed by the court.

Either way, the only certainty seems to be that cyber security regulation is a form of ammunition that could eventually guide liability. It’s also worth noting that New York’s pioneering cyber security regulation could influence regulators in other states to follow suit, which is certainly a development worth following.

At the end of the day, though, cyber risk continues to be a very real threat to financial institutions, regardless of what form that risk takes. As long as this is the case, cyber insurance will continue to have a place in America’s financial institutions.

Finding business stability in a time of economic uncertainty

In times of economic stability, trade credit between organizations is a saving grace. Buyers such as retailers and manufacturers can purchase raw materials on credit, and execute their business initiatives the moment an opportunity presents itself. On the other side of the table, suppliers can lock down a customer's business and ultimately generate their revenue in the form of accounts receivable.

But in times of economic and political uncertainty, like the one we're living in, trade credit becomes a significant risk for both parties involved. If a buyer becomes insolvent and cannot repay a debt, the supplier will have to eat those losses. At the same time, entire enterprises are constructed on the value they derive from trade credit. Jack Cowley, partner at Trade Risk Group, put it best:

"Trade and trade credit is literally the lifeblood of business in the United States."

If domestic and global suppliers pulled out of the trade credit game, they'd be pulling the rug out from under their own feet, and for that matter, the global economy's. In other words, risk avoidance simply isn't an option.

Suppliers need to keep playing the game, and they need to play it well. The best way to do that is to manage their trade risk.

Trading on a tightrope
"The marketplace hasn't had a lot of experience with bad debt in the recent past," Gene Ferraiolo, TRG partner, said in a recent interview. "But there's a tremendous amount of uncertainty about what will happen in the future."

Specifically, Ferraiolo referred to the political and economic changes that are leaving the future of global markets up in the air. Businesses in the U.S., for instance, are figuring out where they stand in the wake of Donald Trump's dark-horse victory. Across the pond, Brexit has upended countless companies' supply chains, and will continue to be a source of uncertainty as trade agreements are renegotiated between the remaining EU members. To cap it all off, economists predict a slowdown in global economic growth within the next 50 years.

In total, these circumstances increase the likelihood of insolvency, according to Ferraiolo. Beyond that, Cowley added that these conditions may encourage businesses to act more conservatively out of wariness, thereby causing many of them to miss critical opportunities for profit and growth.

On a positive note, there are ways to manage this risk. Ferraiolo and Cowley agreed that the most resilient buffer against trade risk is trade credit insurance.

Creating credible credit
Ferraiolo and Cowley contend that by insuring accounts receivable, suppliers have more liberty within their own market, for several key reasons.

  1. Risk mitigation: In the event that a customer becomes insolvent, suppliers won't have to self-insure their loss. This is the primary benefit of trade credit insurance.
  2. Market credibility: "Buyers have great comfort in knowing that their supplier is in a financially stable position to deliver goods," Cowley said. "Part of that financial stability is the use of trade credit insurance, knowing that the supplier will not fail or go out of business because they were not paid by another company."
  3. Increased sales opportunities: As Cowley worded it, "If I'm willing to sell a customer $100,000 worth of merchandise at my own risk, what would I be willing to sell if I could insure it?" The safety net of a trade insurance policy could give businesses the security they need to pursue new opportunities.
  4. Flexibility: "There is a tremendous amount of customization for these policies," Ferraiolo said. "A company can insure all of their accounts, one account, and anything in between the two." Cowley added: "The product is for them. It's designed for how they do business, not how the insurance company wants them to do business."

Ferraiolo added that there's a backend benefit in the event that insolvency occurs, which is freedom from having to waste management time and effort to chase after salvage – the underwriter will do that for the insured.

The only challenge that Cowley sees in the trade credit insurance market is the competition for coverage. Now more than ever, businesses are scrambling to insure their accounts receivable, which makes it difficult to actually secure coverage, and to make sure that an underwritten plan achieves what the organization set out to achieve. 

But Cowley noted that this is hardly a problem as long as businesses choose to seek insurance through a broker, and ideally, one that will help them keep their plan current.

"These generally aren't policies where the insured buys it and sticks it in a drawer until they have a problem," Ferraiolo added. "They're very ongoing, service-intensive policies because the nature of the insured's business is always evolving."

As previously mentioned, it's not just businesses that change, but also the economic conditions in which they operate. Under such uncertain circumstances, the best you can do is protect the assets that matter to your business.

Cyber insurance market shows promise going into 2017

The need to shield against cyberattack losses will contribute to growth in cyber insurance.

With 2016 coming to a close, businesses have begun taking stock of losses related to cyberattacks. Ransomware alone is expected to have cost businesses $1 billion by the end of the year. While an official value hasn't been attributed to total cybercrime-related losses for the year, it's a near certainty that 2016 will surpass 2015's staggering $3 trillion in cyberattack costs.

In response to these losses, experts predict that cyber liability insurance will continue to see growth through 2017 and beyond. 

A $7.5 billion market by 2020
According to PricewaterhouseCoopers, the value of annual gross written premiums for cyber insurance will be worth $7.5 billion by 2020, up from a relatively modest $2.5 billion in 2015.

There's little doubt that this expected increase is in response to the ever more daunting cyberthreat landscape, which continues to hurt corporate margins. In 2016 in particular, the world witnessed multiple unprecedented cyberattacks, including:

  • Multiple hospitals being held ransom by crypto-malware. 
  • An $81 million digital bank heist (initial target was $900 million).
  • Internet-of-things-distributed denial-of-service attacks that affected industry titans such as Amazon, the New York Times and Netflix. 
  • The revelation of Yahoo's massive data breach. 
  • An estimated $1 billion in ransomware losses. 

The U.S. Department of Justice, the Internal Revenue Service and voter registration systems in several states also contended with cyberattacks in 2016.

As the damage caused by cyberthreats becomes more apparent, the incentive to shield assets against losses with cyber insurance will invariably be greater. 

Defining risk: The big challenge

According to the Risk and Insurance Management Society, 80 percent of organizations had some form of cyber insurance in 2016. And while those on the front lines agree that cyber insurance will play a bigger, more important role in 2017, many also foresee inherent challenges. 

"It will certainly be more commonplace, but it's still a specialized market with difficulties assessing risk, particularly in the face of a changing cybersecurity attack landscape," Dr. Bruce Roberts, Chief Technology Officer at DomainTools, told IT Pro Portal. "I'm just not sure we have enough data to inform an efficient, mature cyber-insurance marketplace."

Dr. Bruce is not alone in this thought, as PwC made specific mention of the challenges associated with developing risk profiles: 

"Part of the challenge is that cyber risk isn't like any other risk insurers and reinsurers have ever had to underwrite," PwC wrote. "There is limited publicly available data on the scale and financial impact of attacks."

That said, PwC hardly sees this as an insurmountable hurdle that will stunt forward momentum of the market, as it added, "We believe there are eight ways insurers, reinsurers and brokers could put cyber insurance on a more sustainable footing and take advantage of the opportunities for profitable growth." These include the implementation of smarter data analytics, rolling policy updates that can be amended in real time, conditional coverage, and partnerships with agencies that can share data and expertise to enhance policy development. 

At the very least, this gives cyber insurance carriers something to work toward in 2017. 

New study identifies 6 catastrophe-prone ports in the US

The most at-risk ports aren't always the largest ports.

A recent report released by a risk management firm has identified the 10 shipping ports that are most at risk for a catastrophic occurrence. The main benchmarks used to measure risk included vulnerability of the location to natural disasters, as well as increasing cargo volumes in that port. The exact rating metric, in a dollar value, was the potential insured losses for a one-in-500-year event. Below is the final list, in order:

  1. Nagoya, Japan ($2.3 billion)
  2. Guangzhou, China ($2 billion)
  3. Plaquemines, Louisiana, U.S. ($1.5 billion)
  4. Bremerhaven, Germany ($1 billion)
  5. New Orleans, U.S. ($1 billion)
  6. Pascagoula, Mississippi, U.S. ($1 billion)
  7. Beaumont, Texas, U.S. ($900 million)
  8. Baton Rouge, Louisiana, U.S. ($800 million)
  9. Houston, U.S. ($800 million)
  10. Le Havre, France ($700 million)

Nagoya, Japan, which is located on Honshu's east coast, was top-ranked primarily because of the vulnerability of the location to earthquakes and windstorms such as typhoons. Meanwhile, the southeastern port city of Guangzhou, China came in second due to "the possibility of wind-related losses and the dangers involving petroleum products and autos," according to Bloomberg Business.

Size isn't everything
In addition to cargo volumes and location, the report considered cargo type, the precise situation of the storage (i.e., coastal, estuarine), the amount of time spent in port and storage type (warehouse, open-air, etc.). As a result, several of the ports that made the list are relatively small. Plaquemines (U.S.), for example, supports significantly less container traffic than Houston, and yet the difference in potential insured losses is a staggering $600 million. This is partly because of the location's exposure to hurricanes, and partly because of the nature of the cargo being transported.

Likewise, Bremerhaven (Germany) and Pascagoula (U.S.) – both of which had potential insured losses of approximately $1 billion – were at risk due to weather events and cargo types. Conversely, China, which is home to most of the world's largest ports, according to Forbes, was only represented once on the list. 

Planning for future disasters

Many factors that could lead to damages in ports are beyond control of the human hand; however, Chris Folkman, director of product management, explained that not all high risks have previously been as well accounted for as they should have been. 

"Our analysis proves what we've long suspected — that outdated techniques and incomplete data have obscured many high-risk locations," Folkman said. "The industry needs to cease its guessing game when determining catastrophe risk and port accumulations."

What's more, these high-risk areas may soon be facing new threats as a result of changing climate conditions, according to research from the International Finance Corporation. How specific ports will be impacted in the coming years remains to be seen, but IFC noted that there will be "winners and losers."

"For instance, the risks could manifest through changes in the level or patterns of shipping, increased flooding affecting movements within ports and causing damage to goods stored, reduced navigability of access channels and business interruption," the summary stated. "A port's reputation for reliability is key to its success, so ports that are more resilient to disruption from climate events should fare better."

Worldwide cybersecurity changes follow high-profile attacks

Financial institutions throughout the world may see tighter cybersecurity soon.

The world's largest money-transfer system is working on upping its cybersecurity following a series of breaches over recent months.

As The Wall Street Journal reported, the Society for Worldwide Interbank Financial Telecommunication, more commonly known as SWIFT, is the money transfer system used by most banks and other financial institutions worldwide. The Brussels company announced it has hired two cybersecurity firms following attacks on its servers. The cybersecurity firms are tasked with examining customer use of SWIFT systems and detecting attempted hacks.

Vulnerabilities resulted in cybertheft at SWIFT banks in Ecuador, Vietnam, Bangladesh and Ukraine over the past 18 months. The most recent cyberattack on Bangladesh's central bank in February resulted in $81 million in losses. An Ecuadorian bank lost $9 million due to cyberattacks last year.

In addition to creating educational resources for its users, including an inventory of known malicious software and training on recognizing signs of possible intrusion, SWIFT is also forming a new customer security program. The company's new cyberforensics and security-intelligence force is tasked with investigating security incidents at the affected institutions. 

As the Journal noted, more than 11,000 financial institutions throughout the world use SWIFT and the system carries more than 25 million messages a day on average. 

European cybersecurity changes
Meanwhile, governments throughout the world are making efforts to standardize cybersecurity practices, and businesses conducting international trade will likely need to follow suit. As The National Law Review reported, the European Parliament adopted the Network and Information Security Directive to encourage cybersecurity incident reporting at a national level across all of its member states. The EU also launched a public-private partnership to invest €1.8 billion in cybersecurity by 2020 after an EU commission found 80 percent of European companies had been victims of cyber incidents in 2015.

As the Review noted, U.S. companies offering "essential services," defined as energy, transport, banking, financial markets infrastructure, health, water and digital infrastructure, or as digital service providers, including search engines and cloud software providers, will have to follow the NIS Directive when interacting with member countries. While the details of the NIS Directive are still being worked out, companies will likely have to adopt prescribed cybersecurity methods including both technical and organizational measures, as well as notification systems to be used in the event of a breach.

According to guidelines currently outlined in the NIS Directive, American companies may be required to:

  • Implement EU approved measures for protecting networks and information systems, including training for employees
  • Update digital security to meet EU standards to adequately address known risks
  • Create an incident report system to minimize the effect on individuals in the event of a breach
  • Create a notification system to communicate with relevant national authorities if the incident has a "substantial" or "significant" impact on an essential or digital service

However, American companies will have some time before they need to worry about compliance with the EU's new regulations. Though the NIS Directive goes into effect in August 2016, member countries will have 21 months to implement the directive into their national laws. As a result, the Review noted the EU is not expected to fully harmonize cybersecurity regulations across its countries until May 2018 or later. 

Wellness programs can promote employee engagement, retention and productivity

Voluntary wellness programs may be increasing employee retention and productivity.

Experts are speaking out on the positive impact employee wellness programs can have on an organization's growth, productivity and retention rates. 

A survey from health care technology company HealthMine Inc. found that 62 percent of the 750 wellness plan participants surveyed felt their programs were helping to lower their medical costs. Additionally, 38 percent felt wellness programs led to a reduction in the number of sick days they took, and 33 percent said their wellness program helped them be more productive.

"Healthier populations carry less risk, have fewer claims and lower premiums," Bryce Williams, CEO and President of HealthMine, said in a statement. "So, it's true that wellness programs have the potential to improve health and lower costs for the entire population, one person at a time. The benefits of successful wellness programs are cumulative."

Using wellness programs for positive growth
As Bloomberg BNA reported, human resources professionals speaking at the WorldatWork Total Rewards conference in San Diego said wellness programs can do more than reduce health care costs. A well-designed wellness program can also be used to engage employees and encourage productivity and growth. Experts speaking at the conference noted many businesses are tracking multiple metrics to see how wellness programs positively influence the company's growth. Factors that can be affected by wellness programs include employee engagement, turnover, absenteeism, productivity and recruitment/referral rates.

"At the end of the day, good health is good business," Lauren Benz, a clinical account manager at MVP Health Care, said at the conference. "We're now in a huge global market, so for you to remain competitive you need to have a healthy workforce because a healthy workforce will outperform an unhealthy workforce time and time again."

A second panelist, Dan Harding, director of employee relations at MVP Health Care, noted that when designing an employee wellness program, human resources professionals should be sure the branding of the program aligns with that of the company. Participation in a wellness program will likely be higher if the program's values and mission echo those of the business, which will likely resonate with its employees.

Harding further noted that while employers will want to see a return on investment for their wellness programs, it's important to track more than reduced health care costs when determining the program's ROI. Wellness programs that focus on employee engagement and well-being tend to have higher ROI than those simply looking at health cost reduction, Harding asserted.

When structuring wellness programs, risk managers should also ensure the program is in compliance with health privacy regulations outlined by the U.S. Equal Employment Opportunity Commission. The Obama administration recently issued rules defining how Title I of the Americans with Disabilities Act and Title II of the Genetic Information Nondiscrimination Act apply to wellness programs offered by employers that request health information from employees and their spouses. These guidelines include regulations for data encryption and breach notification, as well as restrictions on wellness screen programs. The new EEOC wellness plan rules take effect on Jan. 1, 2017, and risk managers can review the full regulations through the Federal Register.

OSHA injury reporting changes may affect workers comp insurers

As OSHA makes changes to its injury reporting policies, workers compensation insurers may be affected.

As the Occupational Safety and Health Administration makes changes to its workplace injury and illness reporting guidelines, workers compensation insurers may have to reconsider their internal risk management and accident prevention policies.

OSHA's Improve Tracking of Workplace Injuries and Illnesses rule will require employers in high-hazard industries to meet electronic recordkeeping guidelines for reporting workplace injuries and illnesses. In addition, they must make these records publicly available as data to be posted on OSHA's website. According to a report in Business Insurance, this should provide an additional incentive to workers compensation insurers to prevent workplace safety incidents, as this information is used by OSHA to publicly shame repeated violators and their workers comp insurers.

Speaking at a National Advisory Committee on Occupational Safety & Health, David Michaels, assistant secretary of Labor for Occupational Safety and Health, said the agency has previously made a habit of naming both employers and their workers comp insurers in news releases about citations and fines issued for violations of safety regulations.

"These are cases in which the employer's actions really were egregious, one or more workers were hurt very seriously and the actions taken by employers should have been stopped long before the workers got hurt," Michaels said. "I had a discussion with one executive at one [insurance] carrier saying, 'Why did you list us on the press release, we had nothing to do with this.' I said, 'That's exactly right. The workers compensation carriers should play a role in this.'"

Collaboration between insurer and client crucial 
Business Insurance had previously reported that OSHA has begun naming both cited employers and their workers compensation insurers in instances where citations and fines were above $40,000.

"For some companies, the damage to their corporate image may be more of a deterrent than the fines OSHA may issue," the agency said in a statement released to Business Insurance. "Likewise, we recognize that workers compensation insurers can have a role in influencing companies to implement safety and health management systems and reduce the risk to employees."

Many states require workers comp insurers to provide accident prevention services to employers. However, even if this is not required by law, insurers are encouraged to offer these programs. As PropertyCasualty 360 reported, a properly run workers' compensation insurance program is the property and casualty coverage where a business has the most opportunity to reduce its claims and cost.

PC360 recommended that workers comp insurers work with employers to implement the most current methodologies for evaluating and tracking the performance of the workers' compensation program, including determining what areas of the company have the highest risk for injury. Insurers should also make sure the company's executives understand the cost of a workplace injury beyond immediate compensation, especially as OSHA changes may present public relations challenges. Businesses can also use this information to evaluate their insurer and grade its performance in helping the organization to mitigate its risks.  

Insurers may re-evaluate driverless car technology following fatal accident

Driverless features should not exclude drivers from safe operation of vehicles, insurers say.

A recent fatal accident involving a Tesla Model S electric sedan using an autopilot system has been called the world's first driverless car fatality and may require insurers to re-evaluate the technology.

The accident occurred after the Tesla failed to apply the brakes when a tractor-trailer made a left turn in front of the vehicle. However, human error may have also played a factor in the accident as the Tesla owner was reportedly watching a movie while operating the vehicle and the tractor-trailer driver had previously been cited for multiple safety violations.

According to Insurance Business America, the accident means insurers will need to factor in human understanding of the technology when determining risks. While some reports had previously claimed driverless cars would all but mitigate the risks of driving, this belief may have overlooked the role human understanding plays in safely operating the vehicles as well as the current capability of the software. Drivers will need to be adequately trained on the limits of the technology, IBA reported.

In fact, Tesla itself has said "driverless" features do not excuse human drivers from safety obligations. In a statement released to The New York Times, Tesla spokesperson Khobi Brooklyn said the Model S's Autopilot system "does not turn a Tesla into an autonomous vehicle and does not allow the driver to abdicate responsibility."

Insurers react to the accident
Additionally, many insurers have noted one incident provides insufficient evidence for evaluating the overall risk and innovations of driverless car technology. While this accident will need to inform evaluations of driverless technology moving forward, it should not impede the progress of self-driving vehicles as a way to reduce accidents and improve overall road safety.

"This incident will certainly be incorporated into our ongoing fact gathering efforts and recommendations," the American Association of Managing General Agents said in a statement. "[But] it would be premature to criticize Tesla Motors, the software or other technology provider whose products are part of the beta phase of the Autopilot program, before all of the contributing facts are known and understood."

However, the Times noted, many insurers will likely begin requiring more information about cars that have optional self-driving capabilities. For instance, an insurer may currently be covering a Tesla vehicle without knowing whether the particular car has been equipped with an Autopilot system. Currently, many insurers use vehicle identification numbers when assigning rates, but this information alone would not inform the insurer of the various options selected for an individual car or whether the driver has activated the driverless software.

Very few cars with self-driving features are currently on the road, the Times reported. Most fully automatic cars are part of fleets, such as those owned by Google, and often carry special insurance and are operated under controlled conditions. Many insurers consider features such as Tesla's Autopilot software to be driver-assisted systems, not true driverless technology, and advise manufacturers to educate drivers that eyes should remain on the road and hands still be kept on the wheel.

Currently, fewer than a dozen states have passed regulations specifically related to self-driving cars.

Turmoil in emerging markets and internet fragmentation lead risks for insurers and reinsurers

Risk managers for insurers and reinsurers may need to deal with these risks within the next three years.

Insurers and reinsurers will likely see increased risks emerging across 21 key areas, including crisis in emerging markets, unconventional monetary policies and internet fragmentation, according to a new report from SwissRe. 

In its 2016 SONAR report, SwissRe found that political unrest, increased localization of internet networks within country borders and financial repression are the biggest risk factors facing the insurance and reinsurance industry whose potential impact and scope are not yet fully accounted for.

"Risk management is not just about managing risks in the present,"  said Patrick Raaflaub, Swiss Re's group chief risk officer, in a statement. "It is about anticipating future ones to make sure we will be in a position to deal with them. These risks may only fully reveal themselves to future generations. That doesn't mean that we shouldn't act today to reduce uncertainty and alleviate their burden."

Turmoil in emerging markets includes areas of the world to which insurers may wish to spread their business, but cannot due to higher underwriting costs related to civil unrest or riots. Unconventional monetary policies include negative interest rates, quantitative easing and other unproven economic experiments. Finally, internet fragmentation refers to countries' attempts to isolate their web presence from the rest of the world.

As Insurance Business America noted, while insurers may not be dealing with these issues yet, these risk factors may have a significant impact on the industry within the next three years.

Internet fragmentation and insurers
Internet fragmentation has been a concern of technology experts and internet activists for some time. As The Wall Street Journal reported, Vinton Cerf, a telecommunications expert considered to be one of the "Fathers of the Internet," warned last year that internet fragmentation could lead to increased government surveillance, poor cybersecurity and restrictions on freedom of information.

Internet fragmentation is already occurring in many parts of the world. As the Journal reported, Google has already seen limits placed on its search engine in parts of Europe and Asia, and Germany has seen calls for data storage and email that are national and isolated from the world wide web.

While Cerf spoke largely to the political and ethical concerns of limiting citizens' access to the internet, the SwissRe report focuses on the increased risks such policies pose to companies' abilities to carry out business. When firewalls and software are used to block out unwanted information and isolate information technology systems from global networks – whether by a private business or a national government – it can result in more difficult communications.

For insurers, this can increase costs and disrupt existing business models when they operate across borders. Siloed IT systems may also lack the security insurers require for transmitting sensitive information.

Other emerging risks identified in the SwissRe report include:

  • Legal and pricing risks of the sharing economy
  • Mass migration
  • Precision medicine
  • Biomechanitronic organs and prosthetic limbs
  • Bitcoin
  • Ocean pollution from microplastics 

Report finds private sector cybersecurity spending insufficient

Attracting and retaining experienced IT professionals will be essential for the private sector to address cyberthreats.

Even though awareness around the risks posed to businesses from cyberthreats is growing, spending to increase cybersecurity in the private sector is lagging.

According to a new report and survey from the Institute of Information Security Professionals, current spending is not enough to implement the technology, compliance programs and staff awareness training necessary to abate cyberthreats. The IISP determined its findings by examining the security budgets allocated at private companies across multiple global sectors, as well as how these budgets have changed following well-documented and widely publicized incidents of cyberattack.

The report found two-thirds of the companies surveyed increased their cybersecurity spending following data breaches such as those seen at businesses including Target and Anthem. However, the report concluded that even businesses that are increasing their investment are not doing so at a level that matches the growing risks they face. These include threats related to external attacks, insider misuse, low staff awareness and technical device and service proliferation.

"Increased spending is vital for attracting and retaining IT professional with adequate knowledge and experience."

Increased spending is especially vital for attracting and retaining professionals with adequate knowledge and experience to oversee successful internal cybersecurity operations, the report found. A widespread shortage of skilled staff was reported, both in terms of number of employees and employees with adequate expertise. Reasons for this included increased competition to attract these professionals, meaning retention is becoming more costly for companies. However, internal factors, including lengthy hiring processes, are also making it more difficult for businesses to recruit and retain talented cybersecurity staffers.

The report concluded there is a "growing problem" in the private sector relating to the increased frequency, variety and sources of cyberattack. Additionally, there is greater reliance on increasingly complex IT systems, often without the security staff and regulatory environment needed to maintain these systems or create a culture of cyber awareness among non-IT employees.

While the report found awareness of cyberthreats has increased, without adequate spending many companies may be experiencing a false sense of security.

Public sector spending goes up but problems remain
Meanwhile, as TechTarget reported, cybersecurity spending in the public sector saw an increase as President Barack Obama included a $19 billion cybersecurity spending bump in his fiscal year 2017 budget. However, as TechTarget contributor Adam Rice argued, spending alone is not enough to implement effective cyberrisk management.

Just as experts in the private sector argue for the integration of cybersecurity awareness into all departments of a company, Rice noted the federal government will need to work to unify its currently decentralized IT departments.

"Many federal departments are comparable to Fortune 500 companies in terms of size and scale," Rice wrote. "They have thousands of employees and millions in their IT budgets."

In addition to increasing compliance with the Federal Information Security Management Act best practices, federal agencies, like private sector businesses, will need to work on increasing interdepartmental communication and matching market-driven compensation in order to attract the most qualified professionals.