Learning Cyber Insurance Lessons from Life Insurance Underwriting
There is no doubt cybersecurity has become a key focus in establishing business resiliency. It is perhaps of most concern to those in the risk and insurance domain, who, in large part, are placing risks on their balance sheets that they do not entirely understand. Most insurers view cyber as a booming market segment that they cannot escape, yet most if not all are grasping at how to properly underwrite and manage this exposure, which not only has a long tail, but is vastly interconnected. Many insurers are treating cyber insurance as any other class of property and liability risk, when, in reality, it is much more akin to the risk profile of a life insurance policy and should be underwritten as such, especially on the higher end of the market. Those who approach cyber using a traditional paper-based application may find themselves overexposed to systemic risks within and across organizations, without the capacity to properly respond and pay claims. If there is any insurance risk calling for a “trust but verify” approach, cyber is it.
One of the principal actuarial challenges with cyber insurance is that there is limited historical data on the full scope and severity of losses. This is partly driven by how complex these risks are to detect, partly by the pervasive corporate culture of hiding bad information and, most importantly, by the fact that most computer networks are more than likely already exposed. As a result, actuarial models using traditional insurance approaches will not hold over time, and we may face a scenario in which cyber insurers are under-capitalizing their reserves against cyber risk. A wide variety of coverage gaps also emerge, such as the near-universal exclusion of unencrypted mobile devices, which are one of the principal points of vulnerability. In order to more accurately underwrite cyberrisk, insurers should borrow a page from the proven life insurance underwriting manual, which assumes the applicant is exposed and tries to uncover the “hygiene” of their lifestyle and associations. Life insurers recognize that they are underwriting a moving target; cyber insurers should follow suit.
When evaluating a high-value life insurance policy, underwriters almost never take the client’s word that they have a clean bill of health and clean financial character. Instead, life underwriters follow an evidence-based approach, particularly for higher-value or longer-duration policies. While this process can be onerous, it has proven to yield strong results over time for both the customer’s and the insurance company’s long-term interests. Among the steps taken, a medical report is prepared in which the customer’s bloodwork is drawn and analyzed, and character references are developed, including a review of financial health, among other areas. Think of these as a proxy for cyber hygiene: just as threats to health often reside unseen at the cellular level, a large component of cyberrisk lies dormant inside the endpoints of a computer network.
Unlike traditional liability or property/casualty policies, cyber insurance does not have an extensive track record for actuarial purposes. While cyber insurance has been around for nearly two decades, technology and the overall rash of cyberattacks have evolved at an unprecedented pace. The level of fallout from a cyberattack ten years ago is not comparable to the overall exposure and systemic correlations of today. Insurers today merely assess what the exposure is for an organization as determined by its application and warranty statements. They ask how many endpoints an organization has, or whether it uses secure servers and encrypted devices. And while they do inquire about any known breaches, this question is of little value without third-party validation. As we have seen time and again, an intruder may rest dormant in a system for years before being detected. A mere warranty statement from a client is insufficient and will likely lead to costly litigation to resolve certain cyber insurance claims.
To thoroughly evaluate the cyberrisk and resiliency of an organization, a comprehensive checkup must be performed. Just as when an individual applies for life insurance, depending on their age and general answers to a health questionnaire, additional medical tests may be required. This enables the insurer to properly understand the level of health and conduct of an individual before offering coverage. Additional reviews may be required upon renewal to keep their rate and coverage unaffected. Today there is a wide array of technologies aimed at helping organizations assess their cyberrisk profile. Yet the collaboration between these companies and insurance providers remains in its infancy, as a standards war is being waged among different cybersecurity technologies, each claiming to be the Holy Grail of safety.
To mitigate the impending losses from cyberthreats, carriers should leverage these services and technologies to better gauge a prospective customer’s cyberrisk profile. This would not only serve to better hedge the insurer against large unfunded losses, but would also help to provide better risk-adjusted pricing and expanded coverage to the insured. Ongoing monitoring and agile risk control are another necessary pillar of cyber resilience. Taking a warranty statement once a year from the client does nothing to ensure that their system has not been breached. One must assume that the volatile mix of insider threats and external forces evolves quickly and dynamically, changing the initial underwriting parameters. Looking for the outliers will help to determine the health of an organization and provide continuous monitoring thereafter.
As technology continues to advance, and cyberthreats become even more prevalent, additional layers of reinsurance and liquidity may be called upon. Just as we saw with the passage of the Terrorism Risk Insurance Act (TRIA), the impact of such widespread risks can shock even the stalwart insurance industry. Until then, however, it is in everyone’s interest to seek a proactive, trust-but-verify approach to cyberrisk transfer rather than continue down the passive paper-based path.