Cyber insurance has evolved considerably since 1999 but commercial insurers lack standardization in cyber policies and there is not a lot of data available for underwriters, a speaker suggested at a recent conference.
For cyber risk, “the data is not all that robust at this point in time,” said Alice Underwood, executive vice president of Willis Re Inc. “The available data depends on lot on what people are required to report. If they don’t have to report something, they are kind of inclined not to report it.”
Insurers, by contrast, “can make a decent model of life insurance for individuals based on how old are you and do you smoke,” Underwood noted during a conference session Friday at the International Cyber Risk Management Conference.
“The question as an actuary you want to know if you want to quantify something is, first of all, what the heck is it that you’re quantifying?” Underwood said. “In terms of cyber coverage, what kinds of things are covered by this policy? Where do losses come from? And there is not great standardization yet in cyber policies. There are many different types of coverage that may or may not be included, but it does include both first-party and third-party coverage.”
Her panel was titled Actuarial Perspectives on Cyber Pricing/Modelling or Quantification in General.
“One of the problems (with cyber insurance) is, how do we sell it as at a profit?” Fernandez said. “Supposing there is a market that is willing to buy as much cyber insurance that we can sell, at what price do we sell it so that we can operate the business profitably?”
The cyber market has evolved since 1999, when she was a actuary at a reinsurance company, Underwood said.
“I had one of my underwriters come over and say, ‘well, there’s this new company called PayPal, and they have this new product called the electronic wallet, and they want insurance for it,’ and everyone’s like, ‘What are you talking about?’”
Today, Willis Re uses PRISM-Re, a cyber risk modeling tool introduced by Willis in February, 2015.
“What we know is from the breaches that have occurred in the past, what industry the firm is in and what types of information they lost,” Underwood said. “We are able to look at it and come up with estimates depending on what industry you are in, what the percentage breakdown is likely to be between the health information, the payment card information and the identifiable information.”
The size of an organization is one factor in assessing risk, she suggested.
“Bigger companies have more people that might accidentally hit send to all, they have more people that might accidentally leave their laptop at an airport or fail to dispose of their memory stick properly,” she said.
“What we have seen in the actual breaches that have occurred is that small companies can have very large breaches too,” she said. “The distribution is not as skewed as you might think in terms of the size of the breach to company size.”
Insurers covering cyber are not only exposed to large, publicized losses, Underwood noted.
“You might have your small attritional losses – things that are happening day to day – that form the bulk of the loss events,” she said. “Then there are the shock losses. Those are the kinds of things that make the headlines, and I think that people do focus on those headline events because they are exciting and because they are being played up in the media much more than the smaller events.” But the majority of losses do not stem from such events, she suggested.
However, some insurers are concerned about their aggregation of cyber loss in a potential catastrophic event, such as an outage of a cloud service provider or a “mass denial of service attack,” Underwood added.
ICRMC was produced by MSA Research Inc. and held March 31 and April 1 at the Hilton in downtown Toronto.