Cyber Survival Plan: Managing Risk in the Digital Age

By Special Guest
John Elbl, VP, business development, AIR Worldwide
March 07, 2017

In a connected world, there’s an increasing potential for a previously invisible breach to result in a wholly unexpected loss. For many insurers and reinsurers, the increasing frequency, types, and complexity of cyber attacks, the growing amount of information stored and sent digitally, and the expanding Internet of Things can coalesce to make cyber risk even more challenging to manage.

Unlike the mature property/casualty insurance market, where standard terms and policy form language evolved over time, today’s immature and diverse cyber risk market can create problems for many insurers and catastrophe modelers. Currently, policy offerings often determine to what degree various cyber-related scenarios might affect an insurer. A review of some claim types reveals how complex coverages can become—and where complexity reigns, litigation can sometimes follow. Some recent claims include a lost laptop with sensitive data; business interruption from a business’s lack of access to a credit card processing vendor; and a part-time hospital employee gaining unauthorized access to confidential records and then sharing private information with others.

Why just guess?

Rather than guessing about cyber exposure, companies might benefit from tools that allow users to determine how individual coverages could be best represented within unique coverage frameworks. Such solutions can help companies decide whether an insured’s cyber exposure might be better addressed under a cyber endorsement, E&O, D&O, GL, or some other type of policy. Further, it can be beneficial when a modeling tool supports the application of policy language, sublimits, and any additional financial vehicles so that companies can receive a more complete view of how their offerings might address a given exposure.

Many property policies tend be occurrence-based policies. An insurer can usually point to the exact date when an earthquake occurred, a flood overtopped a riverbank, or a hurricane made landfall. Similarly, by checking logs, the precise date of a cyber attack can often be identified. Unlike the chronology of natural catastrophes, however, months or years can pass before a victim becomes aware of a cyber breach. If a cyber exposure is triggered on an occurrence-based policy, the terms and conditions of the loss when the breach occurred would likely be applied to address the claim. If the cyber exposure is triggered on a claims-made policy, then the terms and conditions of such policy would likely be used with respect to any loss resolution.

As such, having the flexibility to state the limits and deductibles accurately as they appear in a company’s policies may be paramount in any cyber risk model, as opposed to models that merely assume how policy coverages are structured. Insight from insurers, reinsurers, and industry experts can help a company determine how best to model cyber risk, whether using several years of exposure data from occurrence policies or current terms and conditions of claims-made policies.

Precision counts
The importance of exposure data can’t be stressed enough for achieving accurate risk assessments. Consider, for example, a risk analysis for hurricanes reaching the United States. While most models can return a result if just the county and replacement value of an exposure are known, results will likely be uncertain if this is the only data input. If the exact address, its distance from the coast, type of construction, year built, and other pertinent information can be recorded, then a much more accurate representation of risk and expected loss is likely.

For some, the minimum information required for risk assessment might be as simple as the name of the company and its revenue. Information from additional data sources can help estimate the cloud provider, DNS server, credit card processor, security protocol, and industry segment of an insured. Still, the collection of such data by insurers should be undertaken for even more detailed model results. If a model provider has an exposure data schema, companies are recommended to use it for the collection of such data to help ensure the information is model-ready.

Cyber risk is still very much an emerging market, and it will likely be some time before it achieves a similar degree of standardization typical in the property/casualty market. Until it does, flexibility in risk modeling solutions remains vital to help companies truly and accurately “own” their cyber risk.

John Elbl is a vice president for business development at AIR Worldwide, a Verisk Analytics business.

Edited by Ken Briodagh

Related Articles

Deloitte Selects Miami Based Unified Technologies for Caribbean Cyber Security Alliance

By: Ken Briodagh    8/16/2017

Unified Technologies, an IT solutions provider with operations in the Caribbean and North America, has announced a newly established Cyber Security Al…

Read More

InfoSec Veteran Mike Ahmadi to join DigiCert as Global Director of IoT Security

By: Ken Briodagh    8/16/2017

Ahmadi brings decades of leadership and advocacy in critical infrastructure security, including active participation in several standards creation gro…

Read More

IoT Time Podcast S.2 Ep.43 Nokia

By: Ken Briodagh    8/16/2017

On this episode of the IoT Time Podcast, Ken Briodagh sits down with Khamis Abulgubein, PLM, Emerging IoT Applications at Nokia.

Read More

To Build or To Buy: That is the Question

By: Ken Briodagh    8/15/2017

When a company seeks to implement an IoT solution, the decision of whether or not to build a custom tool or platform is no less dire. It can mean the …

Read More

Speed is King in Florida as Verizon, Ericsson and Qualcomm Approach 1G Wireless

By: Arti Loftus    8/15/2017

As we move closer to a 5G world, a new age of intelligent, connected devices is paving the way towards more reliable and faster performance.

Read More