Why mutuality is the best approach to cyber risk

By Lyndon Broad, Operations Manager, Australia, FM Global

Back in the 17th century, massive fires in overcrowded cities were a major problem all over the developing world. Burgeoning companies were losing all that they owned. Then a group of business owners came together and devised a way to protect themselves, ensuring they could start again if it ever happened to them.

This was the start of the concept of mutual insurance. Insured parties obtain a specified amount of coverage against an uncertain event for a smaller, but certain payment. These sort of insurance companies are still operating all over the world today. The basic tenant is that insuring in self-selecting groups improves risk quality.

Although fire is still a serious risk in many industries, cyberattack is now the biggest threat facing modern business. Company boards and executive leadership teams must show they have strategies in place to strengthen cyber resilience and recover from an attack as quickly as possible.

Part of this strategy involves taking out cyber-risk insurance. This is a relatively new field of risk and policies remain untested against a wide range of potentially catastrophic events.


In a digital society, where more and more transactions are being carried out online, the mutual concept is becoming more relevant again. Just like those owners living with a heightened threat of fire hundreds of years ago, there’s great appeal in banding together with like-minded businesses to find protection.

Mutual insurance is built on the concept that most losses are preventable. In this regard, cyberattacks are just like any other risk.

Let’s look at an example. A report by insurance company Lloyd’s and the University of Cambridge estimates that if hackers took control of the power grid from New York City to Washington DC, the total economic cost could reach $US1 trillion.

Tens of thousands of insured businesses would be affected and 93 million people across 15 states would be without power. The report concluded there was no way insurance companies could survive because payouts would exceed ability to pay.

Into the unknown

These are unsettling statistics for the insurance industry. The lack of relevant claim history makes it an even more difficult problem to address. We use sophisticated catastrophe modelling for risk assessment when it comes to flooding, hurricanes and other natural disasters. We have the same rich modelling data for fire and other forms of established risk. But that long history of claims data doesn’t exist in the cyber world yet.

This doesn’t mean we can stick our heads in the sand. It’s causing sleepless nights for our clients and we have a duty of care to respond.

Cyber coverage varies greatly from one policy to the next depending on many variables. Is a business covered for incident response and digital forensics to find the source of a breach? What about legal fees and crisis communications? How does a policy take account of business interruption or physical damage to property?

Most policies do not cover terrorism-related breaches, human error or fraud. All policies require insured companies to follow minimum security requirements in order to be eligible for payouts. For many decision-makers, it’s akin to the Wild West and that makes them reluctant to act. They’re sitting on their hands and hoping for the best. We must make it easier for them to understand risk and take appropriate response.

The market for cyber-risk insurance is developing quickly. Insurers need to take an agile approach to coverage and pricing so that policies accurately meet the needs of clients.

The concept of mutuality is based on the belief that a group of businesses with a shared world view are better able to ensure mutual benefit than by acting alone. The heightened sense of cyber risk is bringing that idea back into fashion, ensuring coverage for members by sharing the risk with other like-minded businesses.

Mutual encourage a risk-based culture and adequate business continuity planning that’s perfectly suited to this new era of cyber threat.

Tags Cyber risk

Show Comments