For years, insurers have been playing Russian roulette in dealing with cyber coverage.
Cyber incidents have been rising but the ability to calculate and manage the risk has been sorely lacking.
Insurers often either take unnecessary risk by underwriting cyber without the appropriate data and risk models, or avoid the market entirely and miss out on a growing opportunity.
Cyber risk modeling proficiency grows
Operating in the dark since the advent of cyber insurance, the industry is finally benefitting from an influx of new data on cyber risk factors and growing proficiency at modeling that risk into quantitative probabilities and costs, enabling losses in this area to be turned into profits and portfolios to be expanded.
It took a while for cyber risk modeling to shift from guesswork to science due to the complexity of the problem. Data on cyber incidents is more fragmented and harder to come by than data on other kinds of incidents (such as U.S. Geological Survey data for natural catastrophe modeling) because no one wants to advertise their security weaknesses.
The lack of data and empirical modeling meant insurers were forced to rely on existing risk models designed for other areas. For instance, actuaries were using models designed for professional liability or errors and omissions (E&O) to write cyber policies. While E&O data ties loosely to cyber at best, companies reluctantly used these risk models in order to avoid missing the growing market altogether, often at a cost.
The nature of cybersecurity also makes assessing and managing risk uniquely difficult. In natural catastrophe scenarios, a hurricane or other natural disaster doesn’t change direction or timing when people batten down their hatches. Hackers, on the other hand, change their approaches in response to a defensive posture; they are active adversaries. They create adaptive malware modified to slip past anti-malware software and perform reconnaissance to find openings in a network. Also, whereas a hurricane and a tornado are highly unlikely to hit the same spot simultaneously, companies face multiple different types of cybersecurity threats on a regular basis.
Today, there’s a critical mass of information available on cyber to create risk models. That information ranges from the threats that hackers pose to the risks that insiders pose by clicking on phishing emails, and includes other indicators of security weaknesses at a company, such as the lack of a chief information security officer (CISO). In cyber, you need to understand the people, processes, technology and threat landscape combined.
With this baseline for cyber, insurers can feel more comfortable with underwriting policies and empowered to take on more of that risk. A chief risk officer recently told me that new cyber economic risk models enable his company to confidently take a more aggressive approach toward cyber policy writing, deploying capital off a modeled return period rather than conservatively holding reserves for their entire aggregate policy limits.
SMB cyber insurance market to grow dramatically
We’ve seen typical max policy limits for individual carriers rise from $10 million in 2014 to $25 million today. In addition, the cyber insurance market for small and midsize businesses (SMBs), while still in its nascence, is set to grow dramatically as insurers develop means to evaluate risk for small companies at scale.
Quantifying the cyber risk for these small companies will also benefit other companies with whom they do business. Take, for instance, the Home Depot breach, which was enabled via the company’s HVAC partner connection. The SMB market represents only 7 percent of cyber coverage, partly because smaller companies believe they aren’t targets as much as the bigger companies. This is just not true: SMBs are hit by 62 percent of all cyber attacks.
Insurers who have been offering cyber policies without an accurate assessment of the underlying risks have been putting the cart before the horse, often getting burned on their balance sheets as a result. Now, with the advent of models that are specifically designed for cyber, risk can be quantified into dollars and probabilities for the first time. The benefits to insurers will be varied: improved understanding of the policies they already offer, and the ability to develop innovative new products and services that will help companies profit from this growing market.