Accumulation risks need to be addressed in the context of a hyper connected digital world, as cyber insurance offerings and premium volumes expand sizeably. Sustainable growth in the cyber insurance market should not be taken for granted, says a new report from the Geneva Association called Advancing Accumulation Risk Management in Cyber Insurance.
The Geneva Association secretary general Anna Maria D’Hulster said, “Expanding the boundaries of insurability is not new for insurers. However, cyber risks are taking us into uncharted territory. Both exposures and threats have distinct characteristics, bringing unprecedented challenges.”
Sustainability of cyber insurance
The report identifies three prerequisites to ensure sustainability of cyber insurance.
First, customers and insurers must facilitate resilience at the source of risk.
Second, insurers need to make an acceptable return on capital. This requires disciplined and effective underwriting.
And third, available capital must absorb shocks from accumulation risks and provide adequate compensation to insureds after such an event - in the case of cyber, it means absorbing accumulation risk, which is the root of many concerns about cyber risk.
Cyber accumulation challenges
The report also highlights four cyber accumulation risk challenges:
- a single large event or a series of consecutive events may make affirmative cyber insurance unprofitable;
- insurers and reinsurers could underestimate cyber exposures resulting in unplanned shocks from a major event;
- data of insufficient quality for more advanced modelling techniques; and
- governments predominantly fail to provide frameworks for the sharing of cyberterrorism-induced losses.
Insurers have developed several approaches in response to the challenge:
- Developing data analytics that analyse the characteristics of cyber risk; as well as data protocols that combine company information with digital risk indicators;
- Novel approaches to analysing the risk ‘footprint’ and corresponding threats impacting the ‘size of the footprint.’ For example, applying the mathematics of epidemiology to the spread of computer viruses; and
- Mapping cloud-related interconnectivity and digital supply chains, and using machine learning to assess the relationship between claims frequency and multi-dimension exposure.
The report said that the insurance industry can offer only a partial remedy and other stakeholders must play their part too. Given the fluid stage of developments, it would nevertheless be premature to make firm recommendations, it said.
The report highlighted the crucial role of the public sector in combatting cyber risks. It suggested a prudent approach and refraining from making irreversible decisions, especially when the cyber market is demonstrating high levels of innovation. Policymakers should endeavour to use the market as a discovery mechanism and expect best practices to be adopted quickly by competitors and new market entrants. To strengthen resilience, cyber security features should be developed and implemented at inception, and security design features should be certified and controlled by authorities.
“Jointly with IT security providers and insurers, authorities should develop and implement foundational IT and information security standards that facilitate IT security hygiene. Governments could also consider becoming signatories to a ‘Digital Geneva Convention,’ which would contain the use of cyber weapons by governments,” it proposed. A