By Anthony Cappelletti
In September 2016, there were news reports of a data breach of Yahoo accounts. Yahoo confirmed that hackers obtained information on more than 500 million user accounts. This is an extraordinary number of accounts that were breached. At the time this was reported in the news, it was a major event that stirred up many questions I had regarding cyber risks and cyber risk insurance.
While premium volume for cyber insurance is still relatively small as compared to mature lines of business, it has grown significantly over the past 10 years. Cyber insurance is currently a topic of interest for general insurers, actuaries and insurance regulators.
In April 2016, I had the pleasure of being on a panel for the Risk & Insurance webcast “How to Maximize ROI in Your Cyber Risk Mitigation Efforts” that included Alex Krutov, an actuary and recognized expert in the field of cyber risk analysis and cyber insurance. Alex Krutov, MAAA, ASA, FCAS, CERA, is the president of Navigation Advisors LLC. I asked Alex many questions about cyber risk insurance and thought it would be of interest to our readers to share some of his responses.
On the demand for cyber insurance and the growth in the cyber insurance market
Anthony Cappelletti: Do you think that recent high profile cyber events, such as the Yahoo data breach, will further increase demand for cyber insurance coverage or has it reached a saturation point where most firms have already satisfied their demand for cyber insurance?
Alex Krutov: The seemingly endless progression of data breaches that get significant exposure in the media continue to generate interest in and demand for cyber insurance. There is a growing realization that cyber risk is much greater in its magnitude than many people have thought, that the risk is here to stay, and that in fact it will continue to grow. The financial consequences of malicious “cyber events”—attacks such as those that result in data breaches—can be significant and, in extreme cases, have the potential to put a company out of business. This naturally leads to the search for ways to manage this risk, and buying insurance is one of the many options available to risk managers.
The demand certainly exists and is growing. There is also significant growth in the general interest in cyber insurance protection that has not yet translated into actual demand for cyber insurance. Much of the current demand is driven by the regulatory requirements such as those related to data breaches affecting personally identifiable information (PII) or protected health information (PHI) of individuals. At the same time, cyber risk may involve other types of financial losses that could be covered by cyber insurance policies.
By all estimates, the cyber insurance market is growing in terms of premiums and the actual risk being transferred. There is also general expectation that over the next several years this market will continue to grow fast. However, I wouldn’t be surprised to see the growth being interrupted or even temporarily reversed if some insurance companies experience sizable loses and are forced to reevaluate the ways they underwrite and price cyber insurance.
On the coverage provided by cyber insurance policies
AC: What is the scope of coverage provided by stand-alone cyber insurance policies in the market today?
AK: Cyber insurance is a broad category that includes insurance policies that differ from each other significantly. The common element of cyber insurance policies is that they provide financial protection against risks resulting from activities associated with information technology. It can include first party insurance coverage against losses from risks of damage to or destruction of information assets, damage to or destruction of physical assets, business interruption, cyber-related fraud, cyber extortion, and quite a number of others. Third-party coverage can include liability protection against cyber-related losses from security breaches, unintentional transmission of malicious code, product liability, failure to comply with regulatory requirements, and many other types.
Despite the growth in stand-alone cyber insurance, the coverage provided is often defined more narrowly than the insurance buyers would prefer. The narrow and strictly defined scope of the coverage is driven in part by the difficulty faced by insurance underwriters in assessing the risk and in determining the appropriate price of insuring this risk. With the very high level of uncertainty associated with cyber events, it can be easier to perform the analysis if the coverage scope is more limited. Another reason is that currently there is demand for the sometimes-limited coverage being provided, which reduces the incentive to provide broader coverage.
These are general observations. There are quite a number of exceptions. Cyber insurance policies differ from each other significantly, often to reflect the types of financial losses from cyber that are perceived to be most important to a particular industry. These differences also drive the type of analysis that can be performed in quantifying the insured component of cyber risk.
AC: What components of a cyber loss are generally excluded from a cyber insurance policy loss payout?
AK: For almost any type of insurance, the financial payout under a policy typically represents a relatively high percentage of the total loss. In this sense, insurance provides good protection. This is not always the case for losses caused by cyber events. Cyber events can result in very large financial losses of which only a small part would be covered by a cyber insurance policy.
In modeling cyber risk, this is important because it is often necessary to consider the full cyber risk and not only its insured component taken in isolation. The moving parts related to uninsured parts of the cyber-related losses may directly impact the insured losses. Proper analysis will attempt to take it into account.
This goes beyond policy limits and other traditional limitations of coverage. In many cases, the biggest component of the loss can be excluded from the currently available cyber insurance coverage and arguably be uninsurable. An example would be a cyber crime resulting in the theft of valuable intellectual property from a pharmaceutical company or a military contractor. Another important example is the reputational damage to a company that has suffered a data breach and been accused of negligence in protecting the personal information of its customers. The reputational damage component can be very significant.
AC: Can cyber insurance be used to mitigate reputation risk from a cyber event?
AK: Reputational damage is extremely difficult to quantify, which is why many consider it to be uninsurable. The currently available cyber insurance policies, while not providing for direct reimbursement of losses resulting from reputational damage or the reduction in brand equity, can in some cases provide for payments that help to reduce reputational and other losses resulting from cyber events.
Cyber insurance coverage can include payments for legal expenses and the cost of engaging crisis management and communication experts, some types of communication to the affected parties and services to potential victims of identity theft that may help to reestablish good will, and certain other expenses. While these expenses may serve more than one purpose, they usually help to reduce reputational damage. Not all of them are included in every cyber insurance policy, and the level of coverage also depends on a particular policy.
On the potential for catastrophic cyber events
AC: Should chief risk officers for insurers underwriting cyber insurance be concerned with an accumulation of cyber insurance exposures and the potential for catastrophic cyber events?
AK: The list of concerns for chief risk officers at companies underwriting cyber insurance is surely long, but high on it is the possibility of a large-scale catastrophic event that would affect many companies at the same time. Such a cyber earthquake could result in simultaneous losses on a large number of cyber insurance policies.
This is a very real risk that has to be properly managed within a comprehensive enterprise risk management framework. Insurance is based primarily on the concept of pulling together risks that are largely independent. Under normal conditions, the assumption of independence is a good approximation of reality. If a cyber earthquake happens, the seemingly independent risks suddenly start moving in lockstep with each other. In the tail of the probability distribution, the assumption of independence no longer holds, and pooling risks together produces limited benefits.
There are types of potential cyber events that can affect a whole sector of the economy simultaneously. Certain kinds of cyber events may affect enterprises in several sectors if they share a particular element of their cyber risk profile. For example, they may have common vulnerabilities to certain types of attacks that haven’t yet been discovered.
When financial losses resulting from such cyber attacks are partially insured, the insurance companies can be hit with very large losses falling in the category of catastrophic. Risk concentrations of this kind can be hidden in underwriting portfolios and be difficult to identify. While identification may at times be impossible, there are some analytical techniques that can help to expose these hidden risk concentrations. Wherever possible, these techniques should be employed in managing insurance underwriting portfolios. Right now, not every cyber insurance underwriter is properly monitoring and managing its portfolio risk.
AC: Is cyber terrorism the only concern with respect to catastrophic cyber events?
AK: Cyber terrorism immediately comes to mind when truly catastrophic cyber events are considered. However, irrespective of the question of cyber insurance, an undoubtedly catastrophic cyber scenario that dramatically affects the United States or another country and causes major economic damage does not have to involve an act of cyber terrorism or a coordinated attack by a nation state.
There are many other possible scenarios that fall in the category of catastrophic. In a simplified example, a new type of malware may spread very rapidly and allow malicious actors to take advantage of it in ways that result in losses to many companies at the same time. And, if these enterprises are insured against some of the financial consequences of an event of this nature, some insurance companies may suffer very large losses.
Additional thoughts
AC: Do you have any additional thoughts regarding cyber risk?
AK: My first thought is that cyber risk is important to every insurance company and not only to underwriters of cyber insurance. Chief risk officers at insurance companies that do not underwrite cyber insurance and appear to be far removed from the risk of underwriting portfolio concentration still have a lot to worry about. Every insurance company is exposed to cyber risk. This risk is part of their operational risk as it is for non-insurance enterprises in every single sector of the economy.
Another thought is that cyber risk is not all about “bad actors” as the only cause of cyber events. It is important to remember that while we are used to hearing of cyber criminals launching attacks, not every cyber event involves such nefarious activities. Some wounds are self-inflicted. Cyber accidents may be even more difficult to model than cyber attacks.
Finally, I think analytical techniques can and should be used for modeling cyber risk much more often than it is currently done. This applies to pricing cyber insurance, managing risk accumulation in underwriting portfolios, and cyber risk management of non-insurance enterprises. The degree of uncertainty involved in this modeling is significantly greater than we are used to seeing in the modeling of the more traditional kinds of risk. That, by itself, does not mean that analytical approaches are ineffective or that cyber risk cannot be modeled. Analytical approaches, especially those that utilize clearly defined risk metrics, add significant value and can be of critical importance. That said, I do believe in the need to view results of cyber risk modeling with a healthy dose of skepticism and to make sure that relatively simple estimates and, in some cases, qualitative approaches are also utilized. For example, while acknowledging that other views exist, I personally consider scenario testing to be a very useful supplement to any modeling approach as long as the scenarios have been developed intelligently.
AC: Thank you Alex for answering my questions and allowing me to share them with the readers of General Insurance Insights.
Anthony Cappelletti, FSA, FCIA, FCAS, is a staff fellow for the SOA. He can be contacted at acappelletti@soa.org.