Most actuarial models draw on easily accessible, authoritative sources of data; for cyber, there is an absence of any meaningful information to draw from. For general P&C underwriting, the picture is clear, with little variance over a considerable period of time. Even in the case of modelling natural disasters, the models have sufficient data to undertake analysis to determine overall exposures with high confidence levels.
Loss events or near misses are generally well reported for mainstream risks, but the information security sector estimates that more than 50% of data breaches go unreported, despite there being mandatory breach reporting laws in the US and now the EU. The reasons are obvious: aside from the direct cost of informing customers and providing backup services for their financial and identity security, customer churn rates have been proven to increase after a breach is reported, with confidence in a breached company falling over a sustained period.
For cases of near misses, or even simple threat data and vulnerabilities posed to a customer, the probability of them informing a potential cyber insurer is close to zero. As such, there is a fundamental asymmetry of relevant data, with a consequent increased risk of adverse selection by an underwriter. Unlike other forms of P&C products, for cyber products there is reliance upon the judgement and experience of the underwriter.
For cyber risks, the key issue is the sheer number of attributes that affect impact, whether immediately or over long-run periods that may not be comprehended at the time of a risk event. Discovery of a data breach may take place at a far later time, with multiple impacts, ranging from legal fees to a severe negative market reaction.
Variables that must be considered at the very least for cyber include degree of cyber security maturity, risk appetite and risk management posture, IT topology, in-house versus external contracted skill sets, employee training and profiles, location and time zones and physical infrastructure.
Even when an attempt is made to account for as many of the variables as possible, much of the data has lower relevance in future periods because the volume and type of threat are constantly evolving. To what degree does an underwriter attach a level of weighting to cyber risks? What models should be used to account for the voluminous parameters?
Quantar developed CyCalc® purely to provide financial institutions and large enterprises with the capability to calculate, model and manage cyber risks through the use of multiple data and actuarial and operational models. See how your enterprise can use our platform for insightful underwriting data. https://www.cycalc.com/case-usage/