Accumulation risks need to be addressed in the context of a hyperconnected digital world, as cyber insurance offerings and premium volumes expand sizeably. Sustainable growth in the cyber insurance market should not be taken for granted, said a new report from the Geneva Association, 'Advancing Accumulation Risk Management in Cyber Insurance'.
The Geneva Association secretary general Anna Maria D'Hulster said, "Expanding the boundaries of insurability is not new for insurers. However, cyber risks are taking us into uncharted territory. Both exposures and threats have distinct characteristics, bringing unprecedented challenges."
Senior advisor insurance economics and primary author Daniel Hofmann, said: "Cyber risk has distinct characteristics. Exposure bases are hard to define and measure. Historical claims data are scarce and not good predictors. Threats are constantly evolving, can spread widely and rapidly, and a series of consecutive large events is plausible. Moreover, a high degree of interconnectivity may result in potentially boundless impacts."
Sustainability of cyber insurance
The report identifies three prerequisites to ensure sustainability of cyber insurance.
First, customers and insurers must facilitate resilience at the source of risk.
Second, insurers need to make an acceptable return on capital. This requires disciplined and effective underwriting.
And third, available capital must absorb shocks from accumulation risks and provide adequate compensation to insureds after such an event— —in the case of cyber, it means absorbing accumulation risk, which is the root of many concerns about cyber risk.
Cyber accumulation challenges
The report highlights four cyber accumulation risk challenges:
- a single large event or a series of consecutive events may make affirmative cyber insurance unprofitable;
- insurers and reinsurers could underestimate cyber exposures resulting in unplanned shocks from a major event;
- data of insufficient quality for more advanced modelling techniques; and
- governments predominantly fail to provide frameworks for the sharing of cyberterrorism-induced losses.
In response, insurers have developed several approaches:
- Developing data analytics that analyse the characteristics of cyber risk; as well as data protocols that combine company information with digital risk indicators;
- novel approaches to analysing the risk 'footprint' and corresponding threats impacting the 'size of the footprint.' For example, applying the mathematics of epidemiology to the spread of computer viruses; and
- mapping cloud-related interconnectivity and digital supply chains, and using machine learning to assess the relationship between claims frequency and multi-dimension exposure.
However, there continue to be a number of outstanding issues, like the technical nature of exposures being difficult to learn and creating talent challenges, insurers may be misled by unseen threats or trends deviating from expectations and malware remains a major threat with non-affirmative cover exposure not assessed.
The report said that the insurance industry can offer only a partial remedy and other stakeholders must play their part too. Given the fluid stage of developments, it would nevertheless be premature to make firm recommendations, it said. Nonetheless, the crucial role of the public sector in combatting cyber risks was highlighted.
The report suggested a prudent approach and refraining from making irreversible decisions, especially when the cyber market is demonstrating high levels of innovation. Policymakers should endeavour to use the market as a discovery mechanism and expect best practices to be adopted quickly by competitors and new market entrants. To strengthen resilience, cyber security features should be developed and implemented at inception, and security design features should be certified and controlled by authorities.
“Jointly with IT security providers and insurers, authorities should develop and implement foundational IT and information security standards that facilitate IT security hygiene. Governments could also consider becoming signatories to a ‘Digital Geneva Convention,’ which would contain the use of cyber weapons by governments,” it proposed.