Cyber Survival Plan: Managing Risk in the Digital Age

By Special Guest
John Elbl, VP, business development, AIR Worldwide
March 07, 2017

In a connected world, there’s an increasing potential for a previously invisible breach to result in a wholly unexpected loss. For many insurers and reinsurers, the increasing frequency, types, and complexity of cyber attacks, the growing amount of information stored and sent digitally, and the expanding Internet of Things can coalesce to make cyber risk even more challenging to manage.

Unlike the mature property/casualty insurance market, where standard terms and policy form language evolved over time, today’s immature and diverse cyber risk market can create problems for many insurers and catastrophe modelers. Currently, policy offerings often determine to what degree various cyber-related scenarios might affect an insurer. A review of some claim types reveals how complex coverages can become—and where complexity reigns, litigation can sometimes follow. Some recent claims include a lost laptop with sensitive data; business interruption from a business’s lack of access to a credit card processing vendor; and a part-time hospital employee gaining unauthorized access to confidential records and then sharing private information with others.

Why just guess?

Rather than guessing about cyber exposure, companies might benefit from tools that allow users to determine how individual coverages could be best represented within unique coverage frameworks. Such solutions can help companies decide whether an insured’s cyber exposure might be better addressed under a cyber endorsement, E&O, D&O, GL, or some other type of policy. Further, it can be beneficial when a modeling tool supports the application of policy language, sublimits, and any additional financial vehicles so that companies can receive a more complete view of how their offerings might address a given exposure.

Many property policies tend to be occurrence-based policies. An insurer can usually point to the exact date when an earthquake occurred, a flood overtopped a riverbank, or a hurricane made landfall. Similarly, by checking logs, the precise date of a cyber attack can often be identified. Unlike the chronology of natural catastrophes, however, months or years can pass before a victim becomes aware of a cyber breach. If a cyber exposure is triggered on an occurrence-based policy, the terms and conditions of the loss when the breach occurred would likely be applied to address the claim. If the cyber exposure is triggered on a claims-made policy, then the terms and conditions of such policy would likely be used with respect to any loss resolution.

As such, having the flexibility to state the limits and deductibles accurately as they appear in a company’s policies may be paramount in any cyber risk model, as opposed to models that merely assume how policy coverages are structured. Insight from insurers, reinsurers, and industry experts can help a company determine how best to model cyber risk, whether using several years of exposure data from occurrence policies or current terms and conditions of claims-made policies.

Precision counts

The importance of exposure data can’t be stressed enough for achieving accurate risk assessments. Consider, for example, a risk analysis for hurricanes reaching the United States. While most models can return a result if just the county and replacement value of an exposure are known, results will likely be uncertain if this is the only data input. If the exact address, its distance from the coast, type of construction, year built, and other pertinent information can be recorded, then a much more accurate representation of risk and expected loss is likely.

For some, the minimum information required for risk assessment might be as simple as the name of the company and its revenue. Information from additional data sources can help estimate the cloud provider, DNS server, credit card processor, security protocol, and industry segment of an insured. Still, insurers should collect such data to obtain even more detailed model results. If a model provider has an exposure data schema, companies are advised to use it when collecting such data to help ensure the information is model-ready.

Cyber risk is still very much an emerging market, and it will likely be some time before it achieves the degree of standardization typical of the property/casualty market. Until it does, flexibility in risk modeling solutions remains vital to help companies truly and accurately “own” their cyber risk.

John Elbl is a vice president for business development at AIR Worldwide, a Verisk Analytics business.

Edited by Ken Briodagh
