Menu

IoT FEATURE NEWS

Cyber Survival Plan: Managing Risk in the Digital Age

By Special Guest
John Elbl, VP, business development, AIR Worldwide
March 07, 2017

In a connected world, there’s an increasing potential for a previously invisible breach to result in a wholly unexpected loss. For many insurers and reinsurers, the increasing frequency, types, and complexity of cyber attacks, the growing amount of information stored and sent digitally, and the expanding Internet of Things can coalesce to make cyber risk even more challenging to manage.

Unlike the mature property/casualty insurance market, where standard terms and policy form language evolved over time, today’s immature and diverse cyber risk market can create problems for many insurers and catastrophe modelers. Currently, policy offerings often determine to what degree various cyber-related scenarios might affect an insurer. A review of some claim types reveals how complex coverages can become—and where complexity reigns, litigation can sometimes follow. Some recent claims include a lost laptop with sensitive data; business interruption from a business’s lack of access to a credit card processing vendor; and a part-time hospital employee gaining unauthorized access to confidential records and then sharing private information with others.

Why just guess?

Rather than guessing about cyber exposure, companies might benefit from tools that allow users to determine how individual coverages could be best represented within unique coverage frameworks. Such solutions can help companies decide whether an insured’s cyber exposure might be better addressed under a cyber endorsement, E&O, D&O, GL, or some other type of policy. Further, it can be beneficial when a modeling tool supports the application of policy language, sublimits, and any additional financial vehicles so that companies can receive a more complete view of how their offerings might address a given exposure.

Many property policies tend be occurrence-based policies. An insurer can usually point to the exact date when an earthquake occurred, a flood overtopped a riverbank, or a hurricane made landfall. Similarly, by checking logs, the precise date of a cyber attack can often be identified. Unlike the chronology of natural catastrophes, however, months or years can pass before a victim becomes aware of a cyber breach. If a cyber exposure is triggered on an occurrence-based policy, the terms and conditions of the loss when the breach occurred would likely be applied to address the claim. If the cyber exposure is triggered on a claims-made policy, then the terms and conditions of such policy would likely be used with respect to any loss resolution.

As such, having the flexibility to state the limits and deductibles accurately as they appear in a company’s policies may be paramount in any cyber risk model, as opposed to models that merely assume how policy coverages are structured. Insight from insurers, reinsurers, and industry experts can help a company determine how best to model cyber risk, whether using several years of exposure data from occurrence policies or current terms and conditions of claims-made policies.

Precision counts
The importance of exposure data can’t be stressed enough for achieving accurate risk assessments. Consider, for example, a risk analysis for hurricanes reaching the United States. While most models can return a result if just the county and replacement value of an exposure are known, results will likely be uncertain if this is the only data input. If the exact address, its distance from the coast, type of construction, year built, and other pertinent information can be recorded, then a much more accurate representation of risk and expected loss is likely.

For some, the minimum information required for risk assessment might be as simple as the name of the company and its revenue. Information from additional data sources can help estimate the cloud provider, DNS server, credit card processor, security protocol, and industry segment of an insured. Still, the collection of such data by insurers should be undertaken for even more detailed model results. If a model provider has an exposure data schema, companies are recommended to use it for the collection of such data to help ensure the information is model-ready.

Cyber risk is still very much an emerging market, and it will likely be some time before it achieves a similar degree of standardization typical in the property/casualty market. Until it does, flexibility in risk modeling solutions remains vital to help companies truly and accurately “own” their cyber risk.

John Elbl is a vice president for business development at AIR Worldwide, a Verisk Analytics business.




Edited by Ken Briodagh


SHARE THIS ARTICLE
Related Articles

IoT Evolution World Week in Review: Intel, Nokia, Telefonica

By: Ken Briodagh    6/24/2017

Welcome to the IoT Evolution Week in Review, my friends. This week, we've been talking about global cybersecurity, the IoT Evolution Expo, healthcare …

Read More

IoT Time Podcast S.2 Ep.33 Trusted Computing Group

By: Ken Briodagh    6/22/2017

On this episode of the IoT Time Podcast, Ken Briodagh sits down with Steve Hanna, chair of TCG's embedded systems and IoT work groups, and principal a…

Read More

IoT Time Preview: The Cloud

By: Ken Briodagh    6/22/2017

In this weekly series, we'll be previewing chapters of "IoT Time: Evolving Trends in the Internet of Things" for you to read in the hopes that you'll …

Read More

IoT Evolution Speakers: Lee Gruenfeld Speaks Out

By: Ken Briodagh    6/22/2017

Lee Gruenfeld is Managing Partner of the Cholawsky & Gruenfeld SaaS/IoT consulting firm, and is a Principal with the TechPar Group in New York, a bout…

Read More

IoT Evolution Speakers: Jeff Liebl Speaks Out

By: Ken Briodagh    6/22/2017

Jeff Liebl is President of Anaren IoT Group, which designs, manufactures and sells custom high-frequency solutions and standard components for the wir…

Read More