The cyber risk the insurance industry seems most concerned about currently relates to large aggregation scenarios – such as the impact of an attack on the power grid or the cloud – but that concern has not necessarily translated into understanding how to handle the consequences, Jayanta Guin, executive vice president of research and modelling for AIR Worldwide, suggested Tuesday.
“What are the consequences if it happens is where the industry doesn’t have a good sense of how to handle that,” Guin told Canadian Underwriter during the 2015 Toronto Seminar hosted by AIR Worldwide, a Verisk Analytics business.
“I think we are less concerned about trying to estimate the probabilities, because that’s going to be very hard; it’s human-induced,” he said of cyber risks and how best to model them. It is in helping to understand the consequences of something that can prove far-reaching where modellers “can add a lot of value,” he noted.
“What are the financial consequences? That’s where we are finding people are interested in us helping them,” Guin said.
“A lot of companies are using cloud providers to actually make the backbone of their business; it’s on the cloud,” he noted. “So if there is a cloud provider that is hacked, that can impact many companies that are relying on that cloud.”
The same could apply if the target is a company that provides such services as payroll, business processing or payment processing (for example, when credit or debit cards are swiped), he pointed out. “If their systems get hacked, that can immediately cascade into a very large loss scenario for the industry, because that’s direct accumulation of many risks impacted by the same event.”
For those sorts of events, Guinn said, “we need to understand the motivation, try to estimate the relative likelihood of those happening.”
When building a model – AIR Worldwide recently announced it is working with BitSight Technologies and Risk Based Security to build an advanced cyber risk model – Guin (pictured left) suggested it is important to understand the cyber actors. These include the sectors of the economy being targeted and “if an attack does happen, what are the consequences, especially if it relates to insurance risk.”
Cyber coverage is unlike property coverage, he said, with losses coming from very different kinds of coverages: first-party liability, third-party liability, business interruption, loss of data and loss of reputation, among others.
“It’s a whole set of complex issues and it varies from company to company. So we have to work with various carriers to understand their actual policy coverage and wording,” Guin told Canadian Underwriter. “If you don’t understand what is being covered, we can end up modelling something else.”
AIR Worldwide has talked with at least three dozen companies between the U.S. and London markets, Guin said, in a bid to gather feedback and help build exposure data standards. The challenge, of course, is getting insurers to share their loss experience data, although some have signed a memorandum of understanding and provided some of their data.
“We don’t expect that today will come and everybody is going to give us all of their data, because that’s simply not going to happen,” Guin said. Expecting sharing will unfold over the coming years – after participants have provided feedback on the data standards and after the model is released and used – he also noted not much claims data currently exists. That, too, will take time to grow.
All that said, Guin emphasized that “data alone is not going to be enough.” The idea is not to build an actuarial model, but rather, pull data from other sources to help get a handle on the possible targets and consequences.
“The biggest value we see is there are many specialized cyber vendors, if you will, but all of them have specialized in looking at a narrow sliver of the whole problem. Where we come into the picture is we are sourcing all these data sets from other vendors and putting it all together as one package,” Guin said. “We have to bring in this third-party information to build in that intelligence.”
Having a real-time score from BitSight will help enhance flexibility, he suggested. “A model is frozen in a period of time, but some insureds’ risk is constantly changing,” Guin explained. “So that score is going to be built into our model, so if a company wants to bring in some of their real-time information, they can get an adjusted view of risk,” he added.