The challenge of pricing cyber risk - does it feel like nailing jelly to the wall?
- Keith Stonell, Managing Director, EMEA at Guidewire
- 02.08.2018 07:45 am undisclosed
According to the Allianz Risk Barometer 2018 business owners consider cyber incidents to be the second greatest threat to their organisations – rising from third place in last year’s survey. Cyber threats were second only to business interruption, with respondents citing a cyber incident as the most feared cause of business interruption.
With 2017 a year of record breaking damages resulting from natural disasters, it is pertinent to consider that large-scale cyber-attacks and so-called ‘cyber hurricanes’ threaten to match, if not exceed, these costs for businesses and insurers in the future. The Petya ransomware attack in June 2017 interrupted production of a vital vaccine and brought one of the world’s busiest ‘smart’ ports to a standstill, causing a potential $575m in damage for these two incidents alone. The economic losses attributed to WannaCry, which hit a month earlier, impacting thousands of companies globally, are forecast to reach $8bn.
Companies are becoming more concerned with the security of their data and the consequences they might face should they suffer a breach. The recent implementation of GDPR across Europe means that negligent businesses could soon be facing fines of up to four percent of turnover or €20m, whichever is greater, alongside the significant costs and damage that a cyber breach would cause.
Clearly, cyber risk protection and mitigation present an enormous business opportunity for insurance carriers. Indeed, over the past yearmany businesses have turned to cyber insurance to protect themselves from potential risks, with one insurer, Hiscox, seeing annual growth of 40% in cyber insurance business.
However, calculating cyber risk is far removed from calculating typical commercial risks and presents a unique set of challenges. Besides being a relatively new threat, the nature and potential of cyber risks are changing at such a rate that data needs to be collected in a dynamic, real-time manner for insurers to keep pace with ever-changing threat vectors. If underwriters are to keep ahead of these changes and price cyber risks accurately, they need to change from an approach based on hindsight to one based on foresight, grounded on the most up to date data available. To achieve this, and properly account for future risks, underwriting needs to be based on predictive models created by the intelligent use of data and machine learning technologies.
It is worth noting that cyber risk models cannot purely look at technology. Whether malicious or benign, human actions often play a part in cyber incidents and represent a risk that cannot be prevented by technology alone. Accordingly, a holistic, data driven approach that understands the nature of the cyber risk faced by companies should be employed to calculate cyber threats accurately. And for underwriters to have any chance of interpreting the vast number of potential data points and deriving actionable patterns from them that can predict risk, insurers need to employ platforms that use machine learning.
Underwriting requires turning data into an economic model. Doing this dynamically, and at the scale required to make it useful, necessitates having an analytics platform that leverages artificial intelligence to cope with all the relevant data sets. Compounding this, insurers are focused on performance across their business, so cyber risk models need to consider the economic impact of risk accumulations, aggregated events, and disaster scenarios.
We have reached a point where no amount of cyber security software is going to protect a business entirely from the evolving threat landscape faced by companies today, making cyber insurance a necessary tool in a business’ arsenal. The rapidly changing threat landscape also means a significantly different approach in how insurers assess and price risks. If they are unable to price cyber risks accurately or competitively this will mean a bad deal for customers; more than likely a terminal blow for the insurers.