For the insurance sector, assessing cyber risk is fraught with difficulty. Problems around defining cyber risk, combined with a lack of reliable data and common reporting standards have all contributed to a very confusing and challenging picture.
In an attempt to provide some clarity, BDO recently held a virtual discussion involving a group of panellists from the IFoA’s cyber risk working party to appraise the current state of play and predict how cyber risk assessment is likely to evolve in the future.
Defining cyber risk
The insurance industry needs to be really clear about what it means when it refers to cyber risk. When all parties - including actuaries, underwriters, claims handlers and reinsurers - are aligned, assessing and analysing cyber risk becomes a lot more manageable.
A simple way of thinking about it is to consider what cyber risk means for an individual business. More often than not, this refers mainly to technology risks, the systems that are in place and the vulnerabilities in those systems and processes. From there, consideration needs to be given to the risks that come with existing, new and advancing technologies, what the outcomes of the materialisation of those risks would be, and their financial impact.
With regard to reserving for cyber risk, claims development patterns sit between property and casualty lines of business, and it tends to have a relatively short tail of 3-5 years or less and it is often modelled separately from casualty lines of business which tend to have a 5-7 year tail. Larger losses for cyber are easy to identify and it has a high accumulation risk.
In an ideal world, carriers with big books of business would have processes in place to create cyber triangulations split by cause of loss. Ransomware, for example, has a very short notification delay as it becomes public information very quickly. However, there can sometimes be a development delay as some hackers sit on a network for months learning internal operations before attacking at a later date.
The data challenge
Unlike other lines of business, the industry does not yet adequately understand or know how to assess cyber risk and it urgently needs to address this.
Data remains the biggest challenge. Without the data required to understand and assess risk, the sector has to rely heavily on third party vendors. This is especially significant for parts of the risk where there is limited visibility such as accumulations.
Insurers also need to improve lines of communication with cyber security professionals so that they fully understand the issues and terminology to enable better risk assessment.
How data collection is evolving
Over the last three years, the data being collected has changed drastically. For reinsurance brokers, there is a lot more submission data becoming available which can help identify latest trends. Clients have become more aware that good quality data is imperative and underwriters have begun collecting new factors such as the number of records or even implementing external vulnerability scanners to help manage cyber hygiene.
While there have undoubtedly been some improvements, the recent insurance stress test results by the government indicate that the PRA still has concerns over the market’s ability to assess and manage the treatment of affirmative risks and non-affirmative cyber risks.
The role of third party vendors
Vendors have an important role to play in helping clients improve their ability to assess risks. They can provide a structured framework for modelling how attacks may be carried out and where the vulnerabilities may lie.
Among other things, they can also help establish what the accumulation path is and if this departs from traditional geographical boundaries currently used for risk assessment in property catastrophe.
The results can sometimes be spurious as there is a lack of consistency in definitions, approaches and understanding. Peer benchmarks are not comparable and results can be misinterpreted. However, vendors are working hard to improve their models and real progress is expected within the next 18-24 months.
Models built in-house can also be useful in understanding a firm’s particular risks. If exposure is understood and identified, it can be used to define the risk appetite in each area.
Understanding technology is key to managing risk adequately, and cyber risks are constantly evolving.Two years ago, cyber risk was predominantly associated with the cloud but since then there has been a large increase in ransomware claims.
Ultimately, Board members are responsible for making management decisions and they need to be well-versed on cyber risks.
The need for new industry standards
A number of European countries are endeavouring to develop new standards although the process is in its early stages. EIOPA is also looking at consolidating data collected from the Solvency II QRTs. However, there is nothing currently being prepared in the UK.
Some reinsurers have been looking for participants, but so far have not received enough interest to make any analysis worthwhile.
Pooling claims data
Pooling claims data could be a good way of minimising risk, allowing parties access to new databases and benchmarks.
There are currently lots of market initiatives to share data but as the line of business is so new and understanding is developing, there is an inherent risk that the data could be misunderstood and incorrectly used.
Some carriers with lots of claims data may also be reluctant to share so as not to lose their competitive advantage.
There are also limits on the value of claims data alone, with the incident data surrounding the claim being far more important.
The world of cyber risk is constantly evolving and the insurance market needs to develop with it. While there have been recent improvements, there is still lots more work to be done. Part of the challenge lies in bridging the knowledge gap between cyber security experts and the insurance world. Vendors are playing their part by producing better models as more data emerges. The insurance industry could also benefit from working together to better collect and share data to gain a better understanding of the risks.
BDO’s virtual panel discussion was chaired by Rob Murray, Head of Actuarial Services at BDO. The panellists included Simon Cartagena – Actuarial Risk Manager at SCOR – The Channel Syndicates, Justyna Pikinska - Head of Analytics for property and speciality lines at Capsicum Re and Matthew Silley - Actuary at CyberCube.