The cyber insurance market presents insurers with an attractive growth opportunity. It also presents a significant challenge to overcome. Coverage constitutes the largest genuinely new class of business developed by the insurance industry for at least a generation. And its potential at even the conservative end-of-the-scale can be measured in tens of billions of US dollars.
However, with limited tools to measure the threat, carriers have been understandably reluctant to throw too much capital at the risk. With warnings about the systemic nature of the threat reverberating through the press to boardrooms, the industry has so far approached the risk with caution and coverage has been limited.
Yet the need for insurance solutions to assist corporates with their cyber threat is real and great. In the wake of losses such as Target’s $67 million settlement with Visa over a breach of customer payment data, and an estimated annual global cost of cybercrime of $445 billion, companies are eager to offload what they rightly see as a large and looming financial risk.
Industry Concerned by Systemic Nature of Cyber
We recently surveyed 40 RMS clients already writing cyber, including insurers, reinsurers, and brokers, to gain an understanding of their concerns. They had a number of common challenges.
Firstly, due the dynamic and emerging nature of the peril it’s difficult to quantify just how big and systemic a potential cyber catastrophe might be. In addition, with so many different attack methods available to cyber criminals—even knowing where the attack will come from poses some difficulty.
Another common challenge was the uncertainty of how cyber attacks could impact non-affirmative cyber policies—the so-called silent exposure. With limited precedent set for how cyber-related losses would trigger these policies there is uncertainty around the impact of a cyber catastrophe.
Lastly, the lack of a common data standard or a mechanism for understanding aggregations of risk, pose a further challenge, hindering companies in understanding their capital implications, setting risk appetites, and meeting their regulatory reporting obligations.
A Response to the Problem
We have tackled our clients’ cyber risk management concerns by developing a cyber accumulation management solution, built on three core elements.
A data standard for the industry: Our Cyber Exposure Data Schema was developed in conjunction with the Centre for Risk Studies at the University of Cambridge, with support from leading market companies. It provides an approach to standardizing cyber data as a distinct peril. It copes with both affirmative and silent cyber coverage, and allows risk to be tracked and transferred by providing a consistent framework for data capture, storage, and analysis. Critically, it is open source, model-agnostic, and extensible.
Five loss scenarios to stress test portfolios: The new RMS cyber loss process models assess actual books of business against multiple realistic loss scenarios, testing various levels of severity for the top five cyber threats identified by our industry development partners at Cambridge. Running analyses shows underwriters how loss events would interact with their exposure, and isolates the key drivers of risk, allowing an informed, independent view of cyber to be formed.
A Cyber Accumulation Management System: The accumulation engine is the framework for generating loss projections. The analytical capabilities enable companies to report exposure aggregates by coverage type and potential loss characteristics, to a previously unthinkable level of granularity. It highlights accumulations and correlations, giving insurers, reinsurers, and brokers all of the tools necessary to answer questions regarding portfolio optimization, capacity and capital requirements, while delivering answers to regulatory demands.
Together these three components comprise a complete cyber risk management solution which solves the key, real-world challenges facing the insurance industry today. We have created a new standard for the capture and management of cyber exposure data, and mechanisms both to get a handle on affirmative and silent cyber risks, while simultaneously meeting reporting requirements. All of that delivers the insights necessary to unlock the capital necessary to meet ultimate insureds’ demands for cyber cover, and allow the insurance sector to grow confidently into this exciting new line of business.
