Post written by
John Giordani
Trusted advisor to board members and other stakeholders, helping to define strategies for managing risk and improving business.
The digitalization of information, the widespread diffusion of devices always connected to the internet and the penetration of web-based services have revolutionized the operation of modern companies. Moreover, the current trends related to the diffusion of the Internet of Things and Industry 4.0 have resulted in the multiplication of connected devices and devices controlled remotely and via software, even within traditionally non-connected production lines. This transformation also involves clear changes in the way companies perceive, manage and handle IT risk.
Computer security has traditionally been considered a set of constraints added to pre-existing business processes, satisfied by adopting appropriate technological solutions, and the exclusive prerogative of the IT department. This erroneous perception is now obsolete, and the most modern management approaches consider IT security a necessary requirement to guarantee the correct operation of all business processes. As a direct consequence of this change of paradigm, IT security becomes a cross-cutting issue affecting everyone within a modern company: management is called upon to define its policies based on the company’s value chain, and the technicians must put in place all the measures necessary to implement the policies defined by management.
The tremendous impact that incidents and cyberattacks can have on a company’s ability to generate profit, together with the associated collateral damage (loss of reputation, penalties, legal consequences), also makes it necessary to consider IT security in the risk management process that characterizes each activity of a modern organization. Cyber risk insurance policies have emerged on the market, which make it possible to transfer at least part of the risk associated with potential cyberattacks. However, today’s insurance companies — unlike, for example, auto or life insurers — do not have a great deal of data from which to build models for calculating risk in the cyber realm. Therefore, more comprehensive and reliable cyber intelligence data is needed to increase the risk appetite of insurers.
Even as cyber insurance has the potential to become more widespread, it is necessary to underline the problems that still afflict the cyber risk insurance sector. These factors risk slowing the growth of the insurance market, effectively limiting the IT risk management choices available to managers and creating a gap between the expectations of those who intend to take out insurance against IT risk and the insurance products that exist.
The main difficulties in this area of concern include three fundamental aspects for the whole insurance sector: risk assessment, the assessment of the damage and the definition of the limitations of insurance coverage.
Risk Assessment
IT risk assessment is an extremely complex activity, not only for large companies but also for small and medium-sized enterprises and professional firms. In general, a risk assessment linked to a given event considers the probability that the event occurs and the possible negative consequences it could entail. This assessment is relatively simple in traditional sectors covering damage caused by fire, flooding, theft and automobile accidents. In all these areas, there is a large body of cases that allows risk assessments to be based on statistically relevant data. Furthermore, such events involve material damage that can be objectively assessed. Comparable evaluations are very complex in the cyber field.
Evaluation Of Damage