Why it’s hard for insurers to price cyber risk

It’s hard for an insurance company to price cyber because clients are reluctant to report losses, industry experts suggest.

“You need historical incidents to understand the types of events out there,” Scott Stransky, assistant vice president and principal scientist in AIR’s Research and Modeling group, said during an episode of A.M. Best TV published Tuesday.

But some clients affected by cyber losses are reluctant to share their experiences with the public, Stransky said during the panel, A Key to Underwriting Cyberrisk Is Getting the Right Data, hosted by A.M. Best Company Inc.

“When you are destroyed by a hurricane, it’s like a badge of honour. You were destroyed, you  lived through the hurricane and you rebuilt. There is not much you could have done about the hurricane. But for cyber risk, when you have a cyber attack it is not a badge of honour. People look at you negatively.”

But a cyber breach does not necessarily have to be a source of shame.

“Even if you have the best IT staff in the world, you are not going to be immune from these breaches,” said Stransky. “Although it does not look great to have a breach, it’s not something you should be absolutely embarrassed about, because you really can’t prevent breaches. Every company is going to have a breach.”

Also speaking on the panel was Erica Davis, senior vice president and managing broker at Guy Carpenter & Co. “The business community is really struggling to define what cyber risk means to their organization,” said Davis. “A lot of organizations do view cyber risk as part of that black box if you will. It’s not something as quantifiable as a burning building. It does not feel super tangible to them.”

When AIR Worldwide studies data on cyber incidents in public reports, there are very few events involving small companies, said Stransky.

To model cyber risk, you need information not only on claims data but also on which cloud processors companies use, which payment processors they use, how often they patch their systems, added Stransky. “We need to collect a wide swath of data about the different types of businesses. You need all the data first and then you can think about starting to build models.”

There is an increasing tendency for companies to connect their systems to the public Internet, said the third panelist, Michelle Chia, Zurich North America’s head of errors and omissions and cyber.

One challenge is that as technology continues to evolve, cyber risk evolves as well, said Chia. “As the world is becoming interconnected there is an increasing reliance upon all those other companies we work with.”