The role of cyber-risk insurance is a complex issue for insurers and remains largely misunderstood by businesses that could benefit from cover.
Most businesses understand that failing to protect networks and data means leaving the door open to cyber-threats. Since the General Data Protection Regulation (GDPR) came into force, this laxity endangers more than operational functionality and client trust: it can lead to fines of up to €20 million or 4 per cent of global annual turnover, whichever is higher. Ultimately it is all about protecting the bottom line. So why aren't organisations flocking to buy cyber-risk insurance?
Calculating cyber-risk exposure is complex in itself, so it shouldn’t be surprising that insurers face difficulties in creating effective and affordable cyber-risk policies. Technology evolves quickly, as do use-case scenarios, and that’s making it increasingly difficult for both businesses and insurers to keep pace.
“Simply put, changes in technology affect how data is collected, stored and used, and the risks to which businesses are exposed as a result,” says Tim Smith, head of cyber at commercial law and insurance specialist BLM.
Data type and volume varies enormously from organisation to organisation, as does the risk represented. “Assessing that risk, identifying what the exposures are, then working out how much of that risk the company wants to manage through an insurance product is not straightforward,” says Mr Smith. Unlike motor insurance, for example, there isn’t a century of claims data to fall back upon.
Outside-in vs. inside-out for data
As the cyber-loss experience becomes less benign, insurers are expected to start insisting on much more qualified risk-exposure data. “Until then, insurers are compensating for the problems in submitted exposure data using ‘outside-in’ third-party data sources, such as cyber-incident data pools and measures of vulnerability of internet exposed IT infrastructure,” says Pratap Tambe, business development manager at Tata Consultancy Services.
This is hugely problematic, according to some cybersecurity vendors. Take Nik Whitfield, chief executive at Panaseer, who argues that outside-in is a highly limited approach “similar to doctors assessing patients without the benefit of X‑rays, blood tests or MRI scans”.
Better to use "inside-out" information for risk assessment, the equivalent of telematics in the motor insurance sector. "This will provide a far better evaluation of the enterprise cyber-hygiene and therefore the risk position of the insured," says Mr Whitfield.
Calculating risk takes people, policy and process into account
Someone who is very familiar with calculating risk exposure is Visesh Gosrani, director of risk and actuarial solution architect at Guidewire Cyence. “The cyber-risk model needs to look beyond pure technology and extend the problem to people and processes,” he says. “A holistic data-driven approach is necessary to get a complete view of the multi-faceted cyber-risk of companies.”
Given that this rapidly-changing environment also requires a continuous loop between data collection and risk-modelling, there is a serious challenge when these are performed in silos, Mr Gosrani admits.
When it comes to specifics, the economic model must break exposure down into frequency, severity, financial loss and recurrence. Recurrence means asking, if a company experiences one breach, what the probability is of another occurring; answering that requires insight into the organisation's cybersecurity policy and process, not just its technology.
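The frequency, severity and recurrence decomposition just described, and the portfolio loss curve insurers build on top of it, can be made concrete with a small simulation. The block below is an added example written for this page; it is not the model of Guidewire Cyence or of any insurer or vendor quoted in the article. Every parameter in it (P_FIRST, P_RECUR, the lognormal severity, the portfolio-wide "shock" event that stands in for an accumulation scenario) is a constructed assumption with no calibration to real claims data, and the function names are this example's own.

```python
"""Toy frequency/severity/recurrence model producing an exceedance ("probable loss") curve.

Added illustration for this page, not any insurer's or vendor's model.
All parameters are constructed assumptions, not calibrated to real claims data.
"""
import math
import random
from typing import List

# Constructed, uncalibrated parameters (assumptions).
P_FIRST = 0.15         # probability an insured suffers at least one breach in a year
P_RECUR = 0.40         # probability of a further breach, given one already happened this year
MU, SIGMA = 11.5, 1.2  # lognormal severity: median cost per breach ~ exp(11.5) ~ 99k
P_SHOCK = 0.02         # annual probability of a portfolio-wide event (shared dependency)
SHOCK_HIT = 0.60       # fraction of the portfolio such an event damages
MAX_BREACHES = 10      # cap on breaches per insured per year


def insured_year_loss(rng: random.Random, p_first: float = P_FIRST, p_recur: float = P_RECUR,
                      mu: float = MU, sigma: float = SIGMA,
                      max_breaches: int = MAX_BREACHES) -> float:
    """One simulated year for one insured: frequency with recurrence, lognormal severity."""
    total, count, p_next = 0.0, 0, p_first
    while count < max_breaches and rng.random() < p_next:
        total += rng.lognormvariate(mu, sigma)  # severity: financial loss of this breach
        count += 1
        p_next = p_recur                        # recurrence: the next breach is conditional on this one
    return total


def expected_insured_loss(p_first: float = P_FIRST, p_recur: float = P_RECUR, mu: float = MU,
                          sigma: float = SIGMA, max_breaches: int = MAX_BREACHES) -> float:
    """Closed form E[count] * E[severity]; the recurrence chain is geometric, truncated at the cap."""
    if p_recur >= 1.0:
        expected_count = p_first * max_breaches
    else:
        expected_count = p_first * (1 - p_recur ** max_breaches) / (1 - p_recur)
    expected_severity = math.exp(mu + sigma ** 2 / 2)
    return expected_count * expected_severity


def portfolio_year_loss(rng: random.Random, n_insureds: int, p_shock: float = P_SHOCK,
                        shock_hit: float = SHOCK_HIT, **insured_kw) -> float:
    """Independent insured losses plus an accumulation event that hits many insureds at once."""
    total = sum(insured_year_loss(rng, **insured_kw) for _ in range(n_insureds))
    if rng.random() < p_shock:
        mu, sigma = insured_kw.get("mu", MU), insured_kw.get("sigma", SIGMA)
        for _ in range(int(round(n_insureds * shock_hit))):
            total += rng.lognormvariate(mu, sigma)
    return total


def expected_portfolio_loss(n_insureds: int, p_shock: float = P_SHOCK,
                            shock_hit: float = SHOCK_HIT, **insured_kw) -> float:
    """Analytic mean of portfolio_year_loss, used to sanity-check the simulation."""
    mu, sigma = insured_kw.get("mu", MU), insured_kw.get("sigma", SIGMA)
    shock = p_shock * int(round(n_insureds * shock_hit)) * math.exp(mu + sigma ** 2 / 2)
    return n_insureds * expected_insured_loss(**insured_kw) + shock


def simulate(n_years: int, n_insureds: int, seed: int = 1, **kw) -> List[float]:
    """Monte Carlo over simulated years; returns annual portfolio losses sorted ascending."""
    rng = random.Random(seed)
    return sorted(portfolio_year_loss(rng, n_insureds, **kw) for _ in range(n_years))


def exceedance_probability(losses: List[float], threshold: float) -> float:
    """P(annual loss >= threshold): one point on the probable loss (exceedance) curve."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


def loss_at_return_period(losses: List[float], years: float) -> float:
    """Loss exceeded roughly once every `years` years (the 1-in-N point of the curve)."""
    idx = min(len(losses) - 1, int(len(losses) * (1 - 1 / years)))
    return losses[idx]


if __name__ == "__main__":
    losses = simulate(n_years=2000, n_insureds=50)
    mean = sum(losses) / len(losses)
    print(f"simulated mean annual portfolio loss: {mean:,.0f} "
          f"(analytic {expected_portfolio_loss(50):,.0f})")
    for years in (2, 10, 50, 200):
        print(f"1-in-{years:<3} year loss: {loss_at_return_period(losses, years):,.0f}")
```

Two things the paragraph above only states are visible here: recurrence changes the expected loss even when the first-breach probability is unchanged (compare expected_insured_loss with p_recur=0.0 and 0.4), and a single shared event, however rare, dominates the far tail of the portfolio curve, which is why the insurer cannot price a book by summing independent per-insured expectations.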
The insurance industry must also consider performance across portfolios, so any cyber-risk model must look at the economic impact of risk accumulations, aggregate events and disaster scenarios, and then translate these into probable loss curves. Otherwise insurers would be unable to deploy capital and justify their decisions to shareholders, regulators and rating agencies. "This requires a revolutionary approach to how insurers utilise data-listening and artificial intelligence to create the right models for tracking risks that are extremely dynamic," Mr Gosrani adds.
How likely is a pay-out if a breach occurs?
Ask most organisations about cyber-risk insurance and the most common response will be: how likely is a pay-out? Neira Jones, senior adviser for financial services with the Centre for Strategic Cyberspace and Security Science, says: “Whether a cyber-insurance policy will pay out depends on how well businesses understand their environment, their vulnerabilities and their consequences.”
Ultimately, it's about fostering a partnership between the organisation and its insurance provider, one informed by the threat patterns of the organisation's own sector. "The financial services and information services industries are prone to assaults on their infrastructure, such as denial of service or hacking attacks on servers, while the public sector exhibits patterns of compromise due to misuse and errors or cyber-espionage," Ms Jones points out.
Keen eye for detail is key for security
The devil, therefore, is almost always in the detail. Sjaak Schouteren, partner at global insurance broker JLT Specialty, warns that policy exclusions matter particularly in the technology and cyber-arena, even down to the specific software in use.
“If a company uses Windows XP on their system and suffers a breach, they may still be able to claim if the breach occurred outside of Windows XP,” Mr Schouteren explains. “If the breach occurred via a Windows XP vulnerability, there is not likely to be a rightful claim because the software itself cannot be updated, having been left behind by Microsoft.”
The good news is that it’s extremely likely a cyber-insurance claim will be paid, according to Graeme Newman, chief innovation officer at CFC Underwriting. “Cyber-insurance has a lower decline rate for claims than most other lines of insurance,” he says. “We paid more cyber-claims in 2017 than ever before and 2018 is already looking to eclipse that by a considerable amount.”