Cyber Risk and Insurance Cyber Risk Governance throughout the value chain and its transfer to the Insurance

This research, conducted under the EIC Program at IRT-SystemX1, concerns the conditions needed for knowledge, management and control of cyber risk so that it would be possible to transfer it to insurance. Chapter III summarizes the results. Later chapters detail all the work undertaken.This research was conducted by a pluridisciplinary team including insurers, reinsurers, an international organization, public organizations and researchers.ncreasingly aware of the threat of cyber risk for their businesses, companies and other organizations are endeavouring to assess their cyber risk exposure more precisely. However, they face many obstacles: acknowledgement, grasp and control of this risk. In the absence of reliable procedures to back their approach, many risk managers have failed to take a comprehensive view of cyber risk throughout the value chain, nor have they integrated the possibility that it could threaten the company’s very existence. Many wonder whether it is worthwhile investing in cyber insurance cover, because they are aware that securing their information systems and protecting their infrastructures, products and strategic data will never guarantee them from all attacks. The public and private figures on the cost of cyber-attacks are currently inadequate: there are as yet no series of statistics over a sufficiently long period, nor widely approved metrics that would define the overall cost of past attacks, or reliable economic models enabling loss arising from futureIT attacks to be predicted.These obstacles hamper the development of the cyber-insurance market. While all the interested parties agree that it has high potential, the market, first developed in the United States, remains inits infancy in Europe.In parallel, the national and international public authorities have also begun examining cyber risk management and possible transfer to insurance, the better to improve the resilience of economic players. In some countries, regulatory or statutory tools have been developed.Cyber space is definitely different from the real world because it complies with a different sort of laws: digital networks have no borders, are infinitely expandable and are abstract and virtual in nature. Time and space are compressed in cyber space: potential attackers might be your own neighbours; transitions cannot be seen; the precursors of an attack are very difficult to perceive; identities are difficult to discern and actions are ambiguous. The malicious nature of a computer code is not something intrinsically easy to prove.Finally, the digital economy defies traditional concepts: the cost of an attack may be marginal (free tools) compared to the cost of the consequences or that of protecting information systems