Cyber Insurance Has Distinctly Risky Characteristics

Uploaded on 2018-09-04 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

Although cyber risk premiums have expanded sizably in recent years with loss ratios that compare favorably to other product lines, the danger of accumulation risks is a key concern for the market, according to a study released by insurance industry think tank The Geneva Association.

The study, titled “Advancing Accumulation Risk Management in Cyber Insurance,” identifies three prerequisites to a sustainable cyber insurance market:

• Customers and insurers must facilitate resilience at the source of risk for the principles of insurability to apply.

• Insurers must be able to achieve an acceptable return on capital.

• Insurance markets need to be able to withstand shocks from extreme events, which means absorbing accumulation risk.

The concern about accumulation risk is widely held across the industry and is the reason the Geneva Association report is focusing on the market’s ability to withstand extreme events, said Anna Maria D’Hulster, secretary general of The Geneva Association (GA), in a forward to the report.

“Expanding the boundaries of insurability is not new for insurers. However, cyber risks are taking us into uncharted territory,” she added. “Both exposures and threats have distinct characteristics, which give rise to unprecedented challenges.”

“These challenges require that insurers strengthen their core underwriting capabilities, in particular exposure measurement, claims assessment, and accumulation modelling,” the study said.

The report went on to highlight four cyber accumulation risk challenges:

• A single large event or a series of consecutive events may make affirmative cyber insurance unprofitable. (The report explained that insurers provide affirmative coverage in standalone and package policies).

• Insurers and reinsurers (for which risk accumulation may be more pronounced than for primary insurers) could underestimate non-affirmative cyber exposure leading to an unplanned shock from a major event. The report explained that non-affirmative cyber exposure occurs when a cyber attack causes major losses by triggering coverages in other classes. [Editor’s note: Insurers face non-affirmative, or silent cyber exposures, when they offer all-risk policies and other liability insurance policies that have not excluded cyber risks.]

• Data are of insufficient quality, are incomplete and/or lack the necessary consistency for more advanced modeling techniques.

• Governments predominantly fail to provide frameworks for the sharing of large-scale cyber-terrorism-induced losses.

Market Consequences

The study said there are many market consequences if risks from these challenges materialize.

“Insurers and reinsurers could withdraw from the market after unacceptably high losses and fear of repeat events,” the study continued, noting that such losses also could stall the growth of the small alternative capital market and prevent insurers from accessing needed capacity.

In addition, re/insurers could introduce tighter policy terms and increase the number of exclusions and/or make buy-backs prohibitively expensive, the GA study said.

“The lack of confidence in advanced model outputs could stifle growth if models are deemed to be too blunt for insurers to extend portfolios or offer higher coverage levels,” which could result in a further constraint on the amount of coverage available for larger enterprises and leave the market for small and medium enterprises underdeveloped.

“A large event may also trigger regulatory intervention with the risk for insurers having to provide cover with uneconomic terms and rates,” GA said.

In response, GA said, insurers have formulated several approaches:

• Developing data analytics that analyze the characteristics of cyber risk as well as data protocols that combine company infor­mation with digital risk indicators.

• Novel approaches to analyzing the risk “footprint” and corresponding threats affecting the size of the footprint. For example, the mathematics of epidemiology could be applied to the spread of computer viruses.

• Forward-looking threat assessments including external expert inputs, while developing in-house technical know-how.

• Mapping cloud-related interconnectivity and digital supply chains, and using machine learning to assess the relationship between claims frequency and multi-dimension exposure.

• “Of equal importance is the need to maintain underwriting discipline. Cyber risk is not unique in this respect. Historically, many property-casualty classes have suffered when underwriting standards slipped or when prices failed to adequately reflect the cost of risk,” the study went on to say.

“Many insurers perceive the current rating environment as soft and likely inadequate should any of the above risks materialize,” the study added. “Furthermore, the growing threat from terrorism adds urgency to such concerns, and the appropriate treatment for this risk in war and terrorism exclusions will be key.”

Cyber Models

Accumulation modeling supports a greater understanding of risk interconnectivity, whether on a wide scale or within specific industry segments, which improves the ability of underwriters to accept risk, the study affirmed.

Market development is likely to continue to benefit from modeling advances, said the report, expressing cautious optimism that as long as underwriting discipline is maintained “insurers are well-positioned to ensure the cyber insurance market’s viability and achieve sustainable growth in the future.”

“Cyber risk has distinct characteristics. Exposure bases are hard to define and measure. Historical claims data are scarce and not good predictors. Threats are constantly evolving, can spread widely and rapidly, and a series of consecutive large events is plausible. Moreover, a high degree of interconnectivity may result in potentially boundless impacts,” said Daniel Hofmann, senior adviser Insurance Economics at The Geneva Association and primary author of the study, in a statement.

Insurance Journal:

You Might Also Read:

Insurers Are Not Ready For IoT

« Catching The Silent Attacker, And The Next Phase Of Cyber AI
NATO Live-Fire Cyber Exercise »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

Watch this webinar and get a comprehensive roadmap for securely adopting generative AI using Amazon Bedrock, a fully managed service that offers a choice of high-performing foundation models (FMs).

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Critical Infrastructures for Information and Cybersecurity (ICIC)

Critical Infrastructures for Information and Cybersecurity (ICIC)

ICIC addresses the demand for cybersecurity for National Public Sector organizations and civil and private sector organizations in Argentina.

BitRaser

BitRaser

BitRaser serves your needs for a managed & certified data erasure solution that can support internal & external corporate audit requirements with traceable reporting.

CRU Data Security Group (CDSG)

CRU Data Security Group (CDSG)

CRU is a pioneer in devices for data mobility, data security, encryption, and digital investigation.

Plixer

Plixer

Plixer delivers a network traffic analytics system used for monitoring, visualization, and reporting of network and security incidents.

Invensis Learning

Invensis Learning

Invensis Learning is a professional training and certification company providing IT Service Management, IT Security & Governance, DevOps, Cloud Computing and Digital Awareness training.

Centurion Information Security

Centurion Information Security

Centurion Information Security is a consulting firm based in Singapore that specialises in penetration testing and security assessment services.

Comarch

Comarch

Comarch is a provider of IT business solutions to optimize operational and business processes. Cyber security solutions are focused on Identity Management and Security Assessment services.

42Gears

42Gears

42Gears is a leading Unified Endpoint Management provider. Secure, monitor and manage tablets, phones, desktops and wearables.

Tier1Asset (T1A)

Tier1Asset (T1A)

T1A is Europe’s leading IT refurbisher. We offer certified data erasure using blancco on site and at our facilities, providing environmentally sound disposal of your used equipment.

Allthenticate

Allthenticate

Allthenticate Single Device Authentication (SDA), enables seamless authentication in both the physical and digital words while unifying management in one easy-to-use interface.

FifthDomain

FifthDomain

We are a specialist cyber security education and training company tackling the global cyber security skills shortage.

Secure Systems Innovation Corp (SSIC)

Secure Systems Innovation Corp (SSIC)

SSIC is a cyber risk analytics firm whose mission is to improve how businesses manage cyber risk through the power of data analytics. SSIC developed the X-Analytics cyber risk decisioning platform.

Drumz

Drumz

Drumz plc is an investment company whose investing policy is to invest principally but not exclusively in the technology sector within Europe.

Strivacity

Strivacity

Strivacity lets brands quickly add secure login and identity management capabilities to their customer-facing applications without tying up an army of developers or consultants to do it.

CAT Labs

CAT Labs

CAT Labs is building digital asset recovery and cybersecurity tools to enable governments to fight crypto crime and to protect investors from hacks, fraud and scams.

Bluerydge

Bluerydge

Bluerydge specialises in cyber security and technology, focusing on the delivery of innovative sovereign solutions through trusted, cleared and experienced professionals.