Remarks by Angel Gurría,
Bari, Italy, 13 May 2017
(As prepared for delivery)
Ministers, Central Bank Governors,
I want to applaud the Italian Presidency for including this important issue on the agenda of the G7.
Our economies are increasingly dependent on digital technologies, and the risk posed by cyber security incidents on businesses and individuals requires the attention of economic and financial policymakers. Cyber risk has been identified as the highest or second highest concern to doing business in five of the G7 countries, according to the World Economic Forum’s 2017 Global Risk Report.
Last year, the G7 Cyber Expert Group published “fundamental elements of cyber security for the financial sector”, which is an important contribution to this discussion.
The OECD has a long track record working on the implications of digitalisation, including on aspects related to cyber security risk. For instance, in 2015, the OECD Council adopted a Recommendation on Digital Security Risk Management for Economic and Social Prosperity. Those issues were also thoroughly discussed at the OECD Ministerial Meeting on the Digital Economy held in Cancun in June 2016. Today I will focus my remarks on the particular issue of cyber insurance - which can make an important contribution to the management of cyber security risk.
The most basic function of insurance is to protect individuals and businesses against the financial impacts of the risks that they face. This is important, especially for vulnerable groups such as individuals or SMEs. But another significant contribution made by a functioning insurance market is to support and help improve risk management: it indeed requires data and modelling to quantify the risk; it fosters the development of an expertise in risk reduction; and provides incentives, through risk-based premiums, to invest in risk reduction.
These incentives are having their intended impact: in a recent survey, 36% of respondents indicated that they enhanced their overall cybersecurity posture in order to drive down insurance premiums.
But insurance markets for cyber risks are not yet mature and not making the comprehensive contribution to risk management that they should be making. In the most mature market, the US, little more than a third of companies, at most, have purchased cyber insurance coverage. The market for cyber insurance is less than 1% of motor vehicle insurance in G7 countries – while the value of assets at risk of a cybersecurity incident is much higher.
There are a number of impediments to the development of the cyber insurance market: the lack of data on past incidents; the ever-evolving nature of the risk; the possibility of significant correlation of exposure across policyholders (for example, due to a dependence on the same cloud or internet service provider); and a huge gap in understanding by businesses about cyber insurance coverage and whether they need it.
Some of these issues will correct themselves over time: the insurance offerings will become more harmonised over time; claims experience will partly address the lack of data. This will take time, while the exposure to these risks is fast increasing.
We delivered a report to you on what we see as the main policy priorities going forward for governments to support and accelerate the development of the market. Among those, improving the data available for quantifying exposures, including, in particular, information on cyber incidents, is essential.
Given the challenges that need to be overcome, this will be most successful if it is done through a public-private collaboration that maximises the benefits of the limited amount of data that is available in government agencies, cyber security firms and the insurance sector. Better data on exposure to cyber risk – and confidence in that data – will accelerate the development of the market and improve the overall management of cyber risk.
Another area where governments can play a role is in improving awareness of cyber risk, notably in SMEs, and encouraging improved transparency about the insurance coverage available. The cyber insurance market will not make a material contribution to managing this risk unless this issue is addressed.
We at the OECD are looking in depth at some of these issues and this will continue to be an important part of the OECD's work programme in the years to come. Our next step is the finalisation of a comprehensive report on how the development of the cyber insurance market could assist greater cyber security.
We will keep you posted on our progress and encourage you to keep focusing on this important issue in your domestic agendas as well as in this forum.