A.M. Best advises insurers to examine correlated cyber risk

Insurance carriers writing cyber risk need to understand “aggregate exposures,” such as exposure of multiple clients to major service providers and “common vectors of attack,” A.M. Best Company Inc. suggested in a recent report.

In a Best Special Report, the Oldwick, N.J.-based rating firms noted that it gets information on cyber security data from annual supplemental rating questionnaires (SRQ), and through discussions with each company’s management.

“A.M. Best views an organization’s ability to general detailed and credible assessments of its potential cyber risk as a valuable tool in its overall risk management approach,” the firm wrote in the report, titled A.M. Best’s View on Cyber-Security Issues and Insurance Companies, published Nov. 24. “As such, methodologies that examine aggregate exposures and potential disaster scenarios involving correlated cyber risk will be crucial to insurance companies with portfolios of cyber insurance policies.”

A.M. Best said it “expects to include more specific questions” on cyber risk in its supplemental rating questionnaire.

In the report, A.M. Best included some questions it asks as part of the ratings process.

One is how “non-obvious paths of aggregation, such as common service providers and vectors of attack,” are being evaluated.

Another is whether cyber insurance is a separate policy or whether it is bundled with directors’ and officers’ liability, commercial general liability or business interruption.

Carriers “can better serve policyholders” by designing and selling cyber policies separate from CGL, business interruption or D&O, many of which which were developed at a time when cyber claims were not contemplated, A.M. Best suggested.

As part of the ratings process, A.M. Best suggested it asks insurers to list the top 5 industries to which they provide cyber security insurance.

“The interconnectedness of cyber risk among companies is not necessarily correlated to attributes like physical location and class of business, so carriers must act accordingly and take a deeper look at the business written when examining potential aggregated loss scenarios affecting their portfolio,” A.M. Best said in the report. “These insurance companies should have an understanding of their portfolio’s exposure to major service providers and other common vectors of attack and adequately analyze the potential catastrophe scenarios on their book to arrive at reliable measures of potential losses.”

A.M. Best suggested ways that insurers can improve their risk profiles, with respect to cyber security. One is by “devising single-risk limits with regard to policyholders’ shared service provider, common vectors of attack, and other correlational factors,” A.M. Best noted. This “could prevent massive losses that may occur as a result of a single event, simultaneously causing losses at many organizations.”