“We tried something different: an unclassified report that we hope will be found readable by the very people who are affected by cyber insecurity – everyone.” The final report of the US Cyberspace Solarium Commission, which has just been published, is a refreshing and valuable intervention.
Cybersecurity is the domain of technical specialists, but it is fundamental to every aspect of modern society. This report issues a call to action to the United States at large – but it should also resonate with audiences around the world who care about the security and resilience of our economies.
Insurance is recognised as a fundamental component of risk management and a valuable tool to incentivise good practice at all levels of the economy. At the same time, the authors rightly identify that the uptake of cyber insurance remains limited, and that insurance has not achieved the same strategic effect in driving improved risk management for cyber risk as with some other risk exposures. Yet it is disappointing that the report chooses the easy option of laying the blame for this with insurers, citing lack of investment in talent, the early stage of development of risk models and the continuing issue of ‘silent’ cyber exposure.
These are important challenges. But they are symptomatic of a strategic context which goes unrecognised: insurance can only function, at any level, as a component of broader risk management. Insurers are developing the tools and expertise they need to tackle difficult questions such as the likelihood and impact of catastrophic cyber attacks, or the economic cost of cyber events. But they cannot independently answer questions which continue to challenge governments and expert communities.
The call for collaboration between government and insurers should therefore be welcomed, recognising that insurers are confronting some of the most fundamental issues facing society at large as we seek to build resilient and sustainable economies in the digital age.
Read the report here: https://www.solarium.gov/