The cyber insurance market has come to an inflection point. Until changes are made in how prospective customers are evaluated, insurers will continue to live in a no man’s land bordered on one side by an unwillingness to ask for more information during the application process, and on the other side by insufficient data to improve underwriting.
The insurance community is currently grappling with these three pressing cyber challenges:
- Unquantified cyber exposures lie hidden in traditional P&C policies.
- Cyber insurance is growing at a slower rate than anticipated.
- Adequate data for cyber underwriting is either nonexistent or difficult to get.
As insurers contend with these issues, they are still learning how to treat cyber insurance as a separate offering rather than as simply another peril within other policies, yet they lack the data they need to raise actuarial precision for cyber risk to the level required.
A tension exists between the need for more and better data and the reality of a highly competitive market. Insurers don’t want to make their application process so daunting that they discourage brokers and prospects from completing it. Yet, to adequately assess risk, they need much more data from prospective customers than they receive now.
Different insurers are taking different approaches. The very largest believe that the answer can be found by analyzing their own databases of customer information. They don’t have precise underwriting analytics yet, but they are busily pursuing answers based on proprietary internal data combined with data purchased from commercial sources. Smaller insurers, by contrast, lack enough customer data of their own, and commercial data alone doesn’t provide sufficient insight.
While larger insurers may enjoy a slight edge, no one yet is able to create predictive analytics that can identify cyber risk with a high level of accuracy. What are the key factors that astute underwriters should examine in evaluating cyber risk, and what data is required to create accurate predictors?
Cyber insurers focus much of their energy on evaluating current cyber risk management policies and practices, with each insurer employing its own application process. Each one emphasizes a different but overlapping set of specific areas, yet none produces a comprehensive picture.
Risk assessment is best organized around three dimensions derived from the NIST Cybersecurity Framework. Risk Management inquiries gauge the level of thoughtful policies, processes, and practices deployed. Questions about Risk Culture reveal how responsibility for managing cyber risk has been extended across the organization to include non-technical areas like HR and Procurement. Measures of Risk Influence expose how effectively the organization manages third-party risk originating from its supply chain and other business partners.
In a comprehensive risk assessment, external appraisals play an important role in validating what has been learned about the internal environment. By gathering data from multiple publicly available sources, including examining the availability of hacked data on the Dark Web, several commercial vendors provide a hacker’s view of an organization’s vulnerabilities. Correlating this picture with what is known about the three dimensions of the internal environment sharpens an underwriter’s understanding of the relative likelihood of a breach.
Incidents and Claims History
Aggregations of internal and external data can be combined with historical records of breach incidents and insurance claims to develop advanced predictive analytics. Eventually, these analytics will become fine-grained enough to distinguish with much greater accuracy those at greatest risk of a breach. At that point, cyber insurance will begin to motivate better cyber hygiene and lead to better national cyber resilience.
Why do insurers have fire insurance underwriting down to a science? It’s because they have access to an abundance of data about building methods, construction inspections, and historical data on fires. Until insurers find the will to adopt the practice of assembling deeper and broader information about cyber risk, cyber insurance may continue down its current path. It’ll take more high-profile breaches, like that of Yahoo, to force a total reevaluation of cyber risk policies and practices.
“Cyber risk has changed since the first policy was underwritten around the turn of the century and… the market now needs to respond decisively to the changing scale and scope of cyber risk. For example, data breaches have become more frequent in the last five years, with the number of reported data breaches globally rising by more than 300 percent.”
“RIMS 2017: Why Cyber Should Be Treated as Standalone Insurance”
INSURANCE JOURNAL, April 24, 2017