This latest Opinion piece looks at the value of stacking, and accurately sifting data, when it comes to cyber risks.
The continued lack of reliable cyber insurance data is causing data-driven decision making challenges for Lloyd’s and the wider London Market. Ben Churney, Director of Business Development at Verisk, discusses four advantages of aggregated cyber data and details how companies can look to get involved in this industry-wide strategy.
Approximately 77 insurers within the London market offer cyber risk insurance solutions, and with most of its business deriving from the US the market is accountable for nearly a quarter of the global cyber risk market share. Since early 2020, Lloyd’s has stipulated transparency for all policies regarding coverage for losses incurred by a cyber event. According to Aon, the frequency of E&O and cyber claims in 2020 was up 100% from 2019, the majority relating to ransomware. Separate findings from AM Best found that the true number of cyber claims may be understated due to a lack of uniformity among cyber policies and reporting alongside the use of captive and surplus lines insurers to write cyber coverage.
Despite rapid growth within the London market for cyber insurance, the widespread variety of strategies adopted by market participants towards cyber insurance are producing discrepancies in both modelling and product offerings.
Four benefits to aggregated cyber data
Insurers from across the industry will need to aggregate their data into a central source that will provide summarised metrics. This can help London market companies manage their cyber insurance portfolios in four crucial ways:
1. Gathering credible and relevant data will bolster product credibility
While there are many different vendors that offer cyber risk modelling, the results presented when comparing the outputs of these vendors are drastically different. At the 2021 CAT Risk Management & Modelling Summit in London, a comparison of various cyber aggregation models found inconsistencies regarding the probable maximum loss for different cyber risk scenarios such as mass data breaches, cloud outages and mass ransomware.
Unlike other insurance perils that have the bonus of years of historical claims data to reflect on, cyber risk is still in early stages, and there’s a lack of loss data to support the growing number of different coverages.
To help develop credible and relevant data, companies should aim to aggregate historical data, ideally from an extended period such as the past six years and subsequently on a regular basis. In doing so, companies including Lloyd’s syndicates will benefit from an extensive source of summarised industry business intelligence.
2. Interactive dashboards enhance decision making using relevant data
London market underwriters may have difficulty evaluating the cyber risk on new submissions – especially for classes of business such as education, finance, manufacturing or healthcare – they may not have previously been exposed to.
Determining the full cost of a cyber-attack can be a challenge, and cyber policy forms and coverages can vary significantly between companies. Coverage could for example relate to business interruption, extortion, incident liability, data recovery costs or incident response costs.
With summarised industry cyber data and valuable claims information, such as attack vector, actor involved, assets compromised and what coverages were triggered, trends between the different types of incidents and coverages are easier to establish.
Interactive dashboards with industry loss ratio heatmaps for different industry classes and revenue range buckets, can enable companies to see which segments of business have higher and lower loss ratios and the underlying premium amounts. Companies can in turn identify more profitable business.
3. Industrywide metrics increase market penetration and boost confidence
Cyber insurance penetration remains comparatively low against other insurance perils, which is partially due to the lack of understanding around cyber risk. But low insurance penetration means less access to data, which can lead to low underwriting confidence. In turn, a vicious cycle can form as the low confidence in underwriting leads to restricted coverage options and doubt from buyers concerned over the value of insurance.
According to a 2018 report from AIR Worldwide and Lloyd’s, the penetration of cyber insurance is estimated at less than 30 percent in the U.S., and much lower in the UK and other countries. The report also highlighted that the failure of a top cloud service provider in the U.S. for three to six days could cost the US economy $15 billion and insurers up to $3 billion – which highlights a significant protection gap.
Having access to industrywide metrics such as frequency, severity and trends across different dimensions can be very beneficial to companies analysing their portfolios or developing quantitative models — with particular focus on developing risk selection or pricing tools, support rate filings, conduct reserving analyses and profitability reviews of their book of business.
4. Comparative metrics mean standards are set
Cyber-attacks are a delicate issue for all parties involved, and with the lack of transparency around cyber risk and its associated data, an insurer’s ability to confidently expand within this space is limited.
It is important that while aggregating industry data in an exchange, all companies retain anonymity in their data. A central, anonymised exchange will encourage root cause analysis of company portfolios and help identify what may be driving their results, why they may diverge from the broader industry, and help build a better comparative understanding.
Companies should be able to view their claim sizes by classes of business against the average industry claims by class, and also view the average written premium per cyber policy – including how this has developed over time.
Strategic decision making strengthened by aggregated data
Any industry exchange will need to guarantee anonymity by de-identifying all submitted company data and ensure the source of data is not revealed to other participants. Companies that contribute data should be able to do so in a manner that is most convenient for them, with no requirement to submit every field. Although a lack of cyber data is still prevalent in the industry, insurers can change this by collating years of previous metrics together and in doing so, mutually benefit from enhanced strategic data-driven decision making.