There is no doubt cybersecurity has become a key focus in establishing business resiliency. It is perhaps of most concern to those in the risk and insurance domain, who, in large part, are placing risks on their balance sheets that they do not entirely understand. Most insurers view cyber as a booming market segment that they cannot escape, yet most if not all are grappling with how to properly underwrite and manage this exposure, which not only has a long tail but is also vastly interconnected. Many insurers are treating cyber insurance as any other class of property and liability risk when, in reality, it is much more akin to the risk profile of a life insurance policy and should be underwritten as such, especially on the higher end of the market. Those who approach cyber using a traditional paper-based application may find themselves overexposed to systemic risks within and across organizations, without the capacity to properly respond and pay claims. If there is any insurance risk calling for a “trust but verify” approach, cyber is it.
One of the principal actuarial challenges with cyber insurance is that there is limited historical data on the full scope and severity of losses. This is driven partly by how complex these risks are to detect, partly by the pervasive corporate culture of hiding bad information and, most importantly, by the fact that most computer networks are more than likely already exposed. As a result, actuarial models using traditional insurance approaches will not hold over time, and we may face a scenario in which cyber insurers are under-capitalizing their reserves against cyber risk. There is also a wide variety of coverage gaps that emerge, such as the near-universal exclusion of unencrypted mobile devices, which are one of the principal points of vulnerability. In order to more accurately underwrite cyber risk, insurers should borrow a page from the proven life insurance underwriting manual, which assumes the applicant is exposed and tries to uncover the “hygiene” of their lifestyle and associations. Life insurers recognize that they are underwriting a moving target; cyber insurers should follow suit.