Is cyber insurance modeling missing key components?

Is cyber insurance modeling missing key components?

Is cyber insurance modeling missing key components? More than 60 insurance carriers are active in the US data privacy and security space, offering new and diverse products to guard against increasingly sophisticated and hard-to-manage cyber risk. But while the market is growing – some estimates put its current worth at more than $3.25 billion in gross written premium – there is some anxiety over whether insurers have the ability to adequately underwrite cyber perils.

Don’t forget Cyber Risk 2016, a global event produced by Insurance Business, on November 2 (tomorrow). 

Matthew Mosher, executive vice president and chief operating officer with A.M. Best, believes the complexity of risk is so great that many insurance companies do not yet have the ability to model and rate it appropriately.

“The insurance industry has taken a slow path to engage with cyber because they’re not sure of the risk and aren’t completely able to provide a quantitative perspective of it,” Mosher told Insurance Business. “Carriers are working with different modeling firms and viewing risk from an aggregation basis to limit their exposure, but they lag somewhat in getting some of the best information available from models.”

Specifically, many insurers are not considering probable frequency (how often any given attack is likely to occur) or connectivity of an attack (the risk that a breach of a Microsoft system, for example, would put all users of that system at risk) in their underwriting.

To improve their conversations with carriers, A.M. Best has partnered with data firm Cyence, an economic modeling platform for cyber risk, in hopes of evaluating currently available cyber policies and assisting underwriters in more accurately modeling and rating cyber risk.

Doing so would likely improve limits available in the market, which currently top out at around $20 million, and help further a more mature stage in cyber underwriting – similar to how natural catastrophe models improved the market following Hurricane Andrew, Mosher says.

“A lot of companies are not overly comfortable with frequency or connectivity risk, but as they use better models, they’ll be able to provide greater protection to insureds and increase their own risk level relative to cyber,” he said. 

Some questions remain, however. A major cyber event, like the Heartbleed security flaw disclosed in April 2014, could put insurers in great financial peril, and a new white paper from the Insurance Information Institute notes that several insurers have warned “the scope of [cyber] exposure is too broad to be covered by the private sector alone.”

In fact, at least one industry figure – Stephen Catlin, founder of Catlin Group (now XL Catlin) has described cyber as a “systemic risk” and proposed a government backstop program similar to the Terrorism Risk and Insurance Act (TRIA) in the US.

How the industry and governmental officials respond remains to be seen, but it will depend largely on how insurers adapt to model and manage these risks amid a lack of historical actuarial data and the growing interconnectivity of cyberspace.

Related Stories:
This risk is four times higher than it was in 2015: Report
Cyber policies may not cover important risk exposures