Markets have been slow to adjust to the multi-dimensional perils of cyber risk. Even headline-grabbing cyber incidents such as breaches of Equifax, Target, Anthem, Sony and Home Depot—along with NotPetya’s devastation of Merck, FedEx, and Maersk—have thus far had only fleeting impacts on assessments of major corporations’ prospects by investors, credit rating agencies and insurers. Many insurance brokers and carriers have continued to extend cyber risk coverage, explicitly or implicitly (through “silent cyber exposure” in property and casualty policies) and pay out for damages, despite mounting evidence that the premiums they collect appear grossly misaligned with the magnitude of the risks they assume.
This disparity reflects the broader problem of a “cyber risk gap” between corporations’ exposure to cyber risks and the adequacy of their efforts to address it. Investors, insurers, credit rating agencies and others presently face this gap, and have been only slowly waking up to its magnitude.
The Equifax story is especially instructive. Even though the company’s main line of business was collecting, storing and analyzing highly sensitive personal…
