Historical Data Won’t Predict Cyber Claims - Here’s What Will
The Challenges Associated with Predicting Cyber Claims
In most insurance areas, historical loss data is paramount in perfecting pricing and other underwriting strategies. Not so in Cyber Insurance. An examination of large data sets relating to prior breaches is not without interest, of course. But most aspects of Cyber Risk are dynamic: the types and sources of attacks, levels of awareness and defense on the part of organizations, and the ever-growing digital surface area of organizations -- these are all in flux. As a result, reliance upon historical loss data, that pillar of insurance underwriting, will likely lead to a false sense of security among many insurers.
Insurance Underwriting - the Traditional Way
In order to demonstrate how Cyber Insurance poses new challenges to the commercial insurance industry, we must first consider traditional underwriting approaches. Let’s approach it through the lens of Property Insurance. There is an immense amount of historical data about the frequency and severity of property losses from major perils like fire. Through both intuition and the gathering of data over decades, insurers are able to identify distinguishing risk characteristics and quantify those differences.
For example, property losses may be several times as likely to commence in a building made of wood as opposed to a building made of non-combustible materials. Property losses are also mitigated by common defenses that have been well studied. Greater losses are more likely to occur in a building without a modern sprinkler system than one with a system of sprinklers. Consider also temporal conditions. The fire hazard posed by the operations of a paper goods wholesaler or a law firm has not changed in decades. The operations of these companies and the fire risk arising from them are well studied. The past can accurately predict the future.
Cyber Risk Is Immensely Dynamic
Digital risks are much more challenging for insurers to measure. This is due in part to a lack of expertise. Most do not examine, in a digital fashion, the IT Security of their prospective insureds other than by asking questions on a quickly outdated application. Over time, insurers have gone deeper into the Cyber Insurance market and have suffered losses that can produce intuitions and data-driven assumptions about future risks. This information is certainly important—but the tendency in insurance to rely upon historical data may finally meet its match in Cyber Insurance. Digital risks should be evaluated using digital tools.
Cyber Risk is not as static as most other areas of risk. Unlike fire, whose nature does not change, the Cyber Risk peril is in constant motion. Consider cyber thieves. They don’t rest idly with their current methods, waiting for law enforcement or the security industry to catch up -- these thieves make a living inventing new types of scams, ransomware attacks, and phishing formats. They are innovative in a way that fire risk simply cannot be. Their strategies change in order to increase the likelihood of success. The international nature of the internet along with powerful state actors like North Korea make the source of the peril ever-changing.
Of course, the nature of the peril is not the only dynamic aspect. The defenses used by organizations are also in constant motion. New Cyber Security companies seem to pop up like mushrooms in the spring. They offer new detection and prevention systems for companies large and small. It is a challenge just to identify the nature of these changes, never mind evaluating their effectiveness. Sprinkler systems never had to change so quickly.
The biggest source of unreliability in prior experience is the use of the internet by the policyholders themselves. It seems that every function is moving to digital platforms with cloud-based systems. Not only does this pose a new aggregation risk for insurers, but it also means that most organizations are increasingly reliant on web-based platforms for customer orders, logistics, quality control, product operation, safety, and more. Thankfully, this is countered by an increasing level of attention being paid to Cyber Risk security by organizations.
Lastly, the use of static underwriting tools like document-based applications leads to a tendency to collect information that is quickly outdated. While insureds are seldom malevolent, there is a tendency nonetheless for many to put less than their full effort into the underwriting process -- particularly when it seems so antiquated by the nature of its questions.
Determining How Insurers Will Respond to This New Risk Environment
There are a number of strategies for insurers to address the ever-changing risk dynamics of Cyber.
First, underwriting information needs to be focused on the near past instead of the distant past. That means opening up to the possibility of using proactive measures to assess risk at a point in time, not just by using an aggregation of past data. Put differently, if the digital “footprint” of a business is constantly growing and evolving, the most accurate assessment of risk will necessarily be one that examines an organization’s digital landscape as close as possible to the moment the policy is quoted -- not what it looked like last quarter or last year, or generally over the past 5 years.
To accomplish this up-to-the-moment assessment, insurers need platforms that use AI and machine learning to automate the process of scanning web-facing infrastructure, and which can process new information about threats and defenses far more quickly than a labor-intensive questioning process about the company’s systems. These kinds of scans are typically found within the realm of cyber security, where vendors work to actively protect clients rather than underwrite risk. But such technologies are making inroads in the insurance industry as their value for underwriting becomes better understood. A side benefit of using an automated assessment is that it bypasses the human element, eliminating inaccuracies based on misunderstanding, error, or laziness.
Insurers should also be wary of becoming too reliant on the historical data approach that has served so well in everything from Property Insurance to Workers Compensation to Products Liability Insurance. Looking back at a decade of cyberattacks to judge risk at the point of quoting a policy isn’t enough. With dynamic cybercrime trends, information about current risks should be both included in the initial risk assessment and also shared with policyholders as new information becomes available. The cybercrimes relevant in 2017 may not be relevant in 2019. Insurers can protect themselves from increased risks by helping their policyholders proactively protect against new threats throughout the policy period.
Digital tools are needed to assess digital risk. The sooner insurers accept and act upon this directive, the better cyber insurance will be for insurers and policyholders alike.
Much has been made about the opportunity for a “cyber catastrophe” or cyber CAT event. Modeling these potential events — for which we have yet to see a real-world example — has gotten quite a bit more sophisticated in the past few years, to the benefit of everyone operating in the insurance space. In these exercises, focus commonly lands on software-as-a-service (SaaS) vendors, including major players such as Microsoft 365, Salesforce, and ADP — technologies that are likely used by significant percentages of organizations in a cyber underwriter’s overall book of business.
By compiling data from several different companies, Corvus determined the likelihood of a security incident based on whether or not a company was using a VPN solution, and if so, if they were utilizing a high-risk or low-risk VPN.