Menu

IoT FEATURE NEWS

Cyber Survival Plan: Managing Risk in the Digital Age

By

In a connected world, there’s an increasing potential for a previously invisible breach to result in a wholly unexpected loss. For many insurers and reinsurers, the increasing frequency, types, and complexity of cyber attacks, the growing amount of information stored and sent digitally, and the expanding Internet of Things can coalesce to make cyber risk even more challenging to manage.

Unlike the mature property/casualty insurance market, where standard terms and policy form language evolved over time, today’s immature and diverse cyber risk market can create problems for many insurers and catastrophe modelers. Currently, policy offerings often determine to what degree various cyber-related scenarios might affect an insurer. A review of some claim types reveals how complex coverages can become—and where complexity reigns, litigation can sometimes follow. Some recent claims include a lost laptop with sensitive data; business interruption from a business’s lack of access to a credit card processing vendor; and a part-time hospital employee gaining unauthorized access to confidential records and then sharing private information with others.

Why just guess?

Rather than guessing about cyber exposure, companies might benefit from tools that allow users to determine how individual coverages could be best represented within unique coverage frameworks. Such solutions can help companies decide whether an insured’s cyber exposure might be better addressed under a cyber endorsement, E&O, D&O, GL, or some other type of policy. Further, it can be beneficial when a modeling tool supports the application of policy language, sublimits, and any additional financial vehicles so that companies can receive a more complete view of how their offerings might address a given exposure.

Many property policies tend be occurrence-based policies. An insurer can usually point to the exact date when an earthquake occurred, a flood overtopped a riverbank, or a hurricane made landfall. Similarly, by checking logs, the precise date of a cyber attack can often be identified. Unlike the chronology of natural catastrophes, however, months or years can pass before a victim becomes aware of a cyber breach. If a cyber exposure is triggered on an occurrence-based policy, the terms and conditions of the loss when the breach occurred would likely be applied to address the claim. If the cyber exposure is triggered on a claims-made policy, then the terms and conditions of such policy would likely be used with respect to any loss resolution.

As such, having the flexibility to state the limits and deductibles accurately as they appear in a company’s policies may be paramount in any cyber risk model, as opposed to models that merely assume how policy coverages are structured. Insight from insurers, reinsurers, and industry experts can help a company determine how best to model cyber risk, whether using several years of exposure data from occurrence policies or current terms and conditions of claims-made policies.

Precision counts
The importance of exposure data can’t be stressed enough for achieving accurate risk assessments. Consider, for example, a risk analysis for hurricanes reaching the United States. While most models can return a result if just the county and replacement value of an exposure are known, results will likely be uncertain if this is the only data input. If the exact address, its distance from the coast, type of construction, year built, and other pertinent information can be recorded, then a much more accurate representation of risk and expected loss is likely.

For some, the minimum information required for risk assessment might be as simple as the name of the company and its revenue. Information from additional data sources can help estimate the cloud provider, DNS server, credit card processor, security protocol, and industry segment of an insured. Still, the collection of such data by insurers should be undertaken for even more detailed model results. If a model provider has an exposure data schema, companies are recommended to use it for the collection of such data to help ensure the information is model-ready.

Cyber risk is still very much an emerging market, and it will likely be some time before it achieves a similar degree of standardization typical in the property/casualty market. Until it does, flexibility in risk modeling solutions remains vital to help companies truly and accurately “own” their cyber risk.

John Elbl is a vice president for business development at AIR Worldwide, a Verisk Analytics business.




Edited by Ken Briodagh
Get stories like this delivered straight to your inbox. [Free eNews Subscription]


SHARE THIS ARTICLE
Related Articles

Nothreat Launches On-Premises Agentic AI Analyzer Enterprises

By: Carl Ford    7/10/2025

Nothreat's solution operates entirely within the organization's perimeter, ensuring total data sovereignty and eliminating third-party exposure.

Read More

Texas Passes Unique AI Laws

By: Carl Ford    7/3/2025

What is the new Texas AI law all about and what does it mean for businesses and government entities?

Read More

I've Asked the Security Experts, But It's Time You Have Your Say

By: Carl Ford    6/27/2025

Security experts are quick to say they know what's happening, but here's your opportunity to weigh in on the state of cybersecurity in IoT.

Read More

Mary Meeker Returns with AI and Breezes Past AIoT

By: Carl Ford    6/26/2025

We are entering an era where intelligence is not just embedded in digital applications, but also in vehicles, machines, and defense systems

Read More

Nothreat Fights AI Fire with AI in Firewalls

By: Carl Ford    6/26/2025

According to Nothreat, the only way to fight AI cyber threats in IoT with AI is to go beyond detection and into active containment, deception, and aut…

Read More