cover story

Cyber Insurance: The Actuarial Conundrum

With scarce data and its ever-evolving risks, cyber coverage poses vast challenges for actuaries working in this emerging line of business.

With cyber incidents making headlines, it is no surprise that cyber coverage is the fastest growing insurance line.

As it evolves, cyber coverage has all the problems of an emerging line, including lack of data, little policy standardization and plenty of market experimentation.

Broadly defined, cyber security incidents are events that violate organizations’ electronic information.  Cyber coverage is generally customized to meet the unique needs of an organization. Depending on the policy, cyber insurance can include anything from covering the costs of notifying customers and providing them identity theft protection to expenses associated with business interruption and reputation and system damage.

From 2013 to 2014, collected premiums for cyber coverage nearly doubled to $2 billion, said Robert Parisi, managing director and cyber product leader for Marsh USA, the nation’s largest cyber insurance broker. “I would not be surprised if it grows to $4 billion at the end of this year,” Parisi said. In 10 years, he sees the market reaching $25 billion.

Currently, there is about 35 percent market penetration in the economy, according to Parisi. In the next year, he expects it to grow between 40 and 50 percent, with different levels of coverage adoption based upon an organization’s size and industry.

While the burgeoning cyber insurance market is exciting, it is taking place with limited actuarial influence. This points to a pressing actuarial conundrum: How can actuaries appropriately price ever-changing cyber risk when data is scarce and models remain under development?

Further, asks Lloyd Foster, an adjunct actuarial instructor at Columbia University, “How can actuaries keep themselves relevant while they are trying to build the necessary models?”

For actuaries to gain their rightful place at the pricing and underwriting table, they must solve the conundrum. It will require them to look beyond the past-is-predictor-of-future assumptions to keep up with ever-changing risk. Until there is enough reliable insurance loss data, they will need the vision and temerity to scour for as much alternative relevant data as possible to develop effective models.

One Hot Market

Not since the genesis of employment liability coverage has the insurance industry experienced such a growing insurance segment. Cyber insurance was first offered in the late 1990s when AIG developed coverage for data privacy during the dot-com boom, said Parisi, who helped develop that first product for AIG.

Demand for coverage gradually grew, accelerating when headline-making cyber incidents affected household-name companies — including Target, Chase Bank and Sony — and made the C-suite realize their companies’ need for cyber insurance. The percentage of Marsh USA clients that bought stand-alone cyber insurance policies rose to 32 percent in 2014 from about 20 percent in 2013, according to “Benchmarking Trends: As Cyber Concerns Broaden, Insurance Purchases Rise,”1 a Marsh USA report released in March 2015.

More customers are buying coverage and seeking policies with higher limits, according to the Marsh USA report. Among clients with $1 billion or more in revenues, the average limit purchased rose to $34.1 million in 2014 compared to $27.8 million in 2013. The highest amount of insurance a company can buy is about $500 million to $600 million from a combination of insurers, Parisi said.

The three industries purchasing higher limits are not surprising. Financial institutions bought the highest average limit per company at $23.5 million, up from $19.7 million in 2013, while the power and utilities industry limit averaged $21 million in 2014, up from $13.2 million the year before. The retail industry bought higher average limits at $14.9 million in 2014, up from $10.2 million the previous year.

Sectors that do not traditionally purchase cyber insurance, such as manufacturing, are also seeking coverage, Parisi said. “The industrial side of the economy is purchasing coverage focusing on operational losses from cyber incidents, which differs from the data privacy focus of traditional buyers including the financial industries,” he added. There is also market potential from small- to medium-sized companies.

At least four dozen insurers assert they offer cyber insurance, said Parisi, who believes the amount of participation is reaching a saturation point.

A report prepared for the Verisk Analytics subsidiary Insurance Services Office, Ltd. (ISO), “Cyber Insurance Survey,”2 states that 80 percent of insurer respondents that offered cyber insurance in 2014 report direct written premiums at less than $10 million. Approximately 75 percent of those offering coverage planned to offer more, according to the study, which was prepared by Hanover Research and released in November 2014.

Growing Risk

Despite growing awareness of security incidents, studies generally agree that these occurrences are on the rise. It seems that as information technology experts address a particular threat, innovative cyber hackers identify more vulnerabilities.

Various organizations offer cyber incident data that can provide a window into the state of cyber risk. The challenge is that just as cyber events and responsive insurance are evolving, so are the terms and categories used to describe cyber incidents and their causes.

Just as cyber events and responsive insurance are evolving, so are the terms and categories used to describe cyber incidents and their causes.

 

For example, Verizon’s “2015 Data Breach Investigations Report,”3 released in April, uses the term “security incidents,” which can be used interchangeably with “cyber incidents.” Verizon, which defines a security incident as “any event that compromises the confidentiality, integrity or availability of an information asset,” reported 79,790 security incidents worldwide for 2014 from companies that provided information.

Of these, there were 2,122 confirmed data breaches that Verizon views as incidents that result in “confirmed disclosure,” not just exposure, to an unauthorized party.

Meanwhile, another often-quoted source of cyber security data, Ponemon Institute, LLC, defines data breaches differently. The Institute defines a data breach as “an event in which an individual’s name plus a medical record and/or a financial record or debit card is potentially put at risk — either in electronic or paper format.”

The interconnectedness of technology within an industry, such as the use of common software, is a reasonable concern given that some cyber attackers go after entire industries at the same time, said Larry Ponemon, president and chairman of the Ponemon Institute. “If one bank gets hacked, then there is a high probability that other banks will get hit at the same time,” he said. “We have seen some of that. When Chase Bank experienced a major cyber attack last year, other banks were also getting hit,” he added.

Cyber security studies vary on how they characterize cause — whether by malware, virus, Trojan or worms — but what really matters to insurers are the costs from cyber incidents, he added.

Some lawmakers and regulators see cyber insurance as being a key part of preventing cyber attacks because insurers require it to obtain coverage. Having coverage, however, can also create an optimism bias. Some suggest that government intervention might be needed to encourage greater safety measures. Ponemon said, however, that compliance with laws and regulations can give organizations a false sense of security. “Getting from a C+ grade in security to an A requires more than regulations,” he added.

Limited Actuarial Role

Traditionally, insurers rely heavily on actuarial analysis when designing and pricing coverage. But actuarial involvement in cyber insurance has been limited so far.

“I think in the rush to fill a gap, the decision makers are going ahead without sufficient actuarial involvement,” added Foster, the adjunct actuarial instructor, who is also an independent actuarial and financial consultant and the chief risk officer of The Found Table, a business networking group.

Insurers are currently focused on building market share, Ponemon said. “The insurance companies see this as a profitable new line of business and want to ride the wave because their competitors are writing policies and seem to be doing well,” he added.

“Insurers are trying to balance opportunity with volatility,” said Parisi. “Pricing and underwriting is being driven more by corporate governance and an analysis of security controls at companies than by any actuarial data.”

Actuaries should be providing advice and consent until they have enough data to provide actuarial direction, Parisi said. “I think actuaries need to be part of the process,” he added. “I think carriers would be foolish not to have actuaries at the table.”

One challenge of analyzing cyber risk is that “the insured loss data available is so limited that it lacks the level of credibility actuaries want to see. There are simply too few data points for traditional analysis,” said Alex Krutov, president of Navigation Advisors LLC and chair of the Casualty Actuarial Society’s Task Force on Cyber Risk.

Because substantial actuarial data is not available, some experts say the insurance companies may be exposed to a greater degree than commonly assumed. Foster said that the life insurance industry is facing grave financial setbacks (measured in the hundreds of millions of dollars) because of the modeling and risk management issues related to variable annuities. “We stand to face a similar problem with cyber insurance,” he added.

When actuaries are not properly involved in the analysis of cyber risk, Krutov said, insurers “are not getting the benefits of the actuarial expertise, and that could lead to potential losses, increased risk of insolvency and missed opportunities.” While preventing cyber attacks may be impossible, he added, neglecting proper analysis and not getting the benefits of actuarial perspective are inexcusable. “This is a risk no insurance company should take,” he added.

To boost market share and remain financially healthy, “insurance companies write policies by providing coverage to a point,” said Ponemon.

Because substantial actuarial data is not available, some experts say the insurance companies may be exposed to a greater degree than commonly assumed.

 

Since policy standardization is also evolving, selling coverage and buying it can be complex and confusing. “[Insurers need] the actuarial experience and the insight of policy design because certain ideas are out of the scope of the models,” Foster said.

Policies are currently being offered, but with limitations. Sometimes agents and brokers have to stack policies together to achieve customers’ desired limits. What is and is not covered can be confusing.

Insurers also vary on the type of coverage they offer. At least half of the insurers in the 2014 ISO survey offered coverage for data breach expenses, data restoration and replacement, business interruption losses and public relations expenses. Coverage for cyber extortion (ransom paid for compromised customer data) and cyber reward (paid for information leading to a criminal conviction), however, was available from fewer than 20 percent of carriers.

Insurers are compensating for the lack of actuarial data “by relying on qualitative assessments of an applicant’s risk management procedures and risk culture,” according to the National Association of Insurance Commissioners’ website.4 Thus, according to NAIC, cyber risk policies “are more customized than other risk insurers take on, and, therefore, more costly.”

Foster is concerned that pricing considerations are being made around the independence of a specific client company instead of looking at the potential of how a company is interconnected with others.

“Unlike other lines of coverage,” Parisi said, “there is no right rate for a bad risk, so carriers are pricing and underwriting by adopting non-insurance tests, such as information security standards.”

Considerations Sans Actuarial Data

How are insurers underwriting cyber coverage without actuarial data and models?

Insurers in the ISO study cited enterprise risk management philosophy, nature of records or data stored, and security tests and audit as the three most important types of information for underwriting risks.

When considering risk by industry, insurers responding to the ISO study named credit card payment processors (25 percent), banking and other financial services (23 percent), and national retail chains (23 percent) as the three industries most hazardous to insure.

In its study, Verizon reports that the average cost per breach is 58 cents per record. It also concludes that the more records affected by a breach, the lower the cost per record.

Meanwhile, the Ponemon Institute estimates that the costs of a data breach are about $200 per record, according to its “2014 Cost of Breach Study,” the most recent report at press time. The conclusions vary considerably from those in the Verizon study due to the use of different data sets and definitions as well as some self-described “non-statistical samples” and sampling methods that are “not scientific.”  The experts who performed the two studies also disagree on the methodologies and calculation assumptions.

Solving the Conundrum

As cyber insurance evolves and matures, Parisi said that there will be more actuarially useful data and actuaries will have greater input.

In the meantime, actuaries need to find credible data wherever possible. Data on actual cyber losses is extremely limited and a large part of it is proprietary, Krutov said.

Other types of data can be found but have their limitations, Krutov said. For example, he noted that filings of publicly traded companies with the U.S. Securities and Exchange Commission contain certain useful information on some of the largest data breaches and, for the most part, this information is quite reliable.

The data, however, is very limited and the sample it comes from may be skewed. “There is a significant difference between losses in general and insured losses, which is another challenge insurance companies face in pricing cyber risk,” Krutov said.

At press time, Congressional efforts were underway to allow companies to report data breaches without fear of liability.

Encouraging information sharing between industry and government is another step toward having a comprehensive risk mitigation strategy. However, Foster wonders, “What if the data bank the government creates is itself breached?”

Since Ponemon uses field-based research where they visit companies to analyze events, some insurers are including their data for underwriting decisions. “The caveat is there are probably better ways to do this,” Ponemon said.

Foster suggests that reinsurers should be another data source, which would be especially useful since their information would come from several insurance companies. “The reinsurer’s duty to its client is more than sharing risks, but also sharing certain helpful information.”

Enlarging the Actuarial Role

Effectively pricing and underwriting cyber coverage, and reserving for cyber events, require a multidisciplinary approach that includes input from actuaries, underwriters, information technology professionals, cyber security experts and legal experts, Krutov said. “Actuaries can and should play the leading role in the cyber risk analysis and the quantification of financial impact of cyber-related events such as data breaches,” he added.

At the same time, it is a mistake to believe that actuaries alone can perform this type of analysis even though they can do so for many other types of risk, he said. That is “as big a mistake as the common belief on the part of some information technology experts, risk managers or insurance underwriters that they can, on their own, properly assess cyber risk exposure or to price cyber insurance.”

And while actuaries do need as much historical data as they can get, past data is not always indicative of future events or their cost. “The challenge is much greater than not having enough historical data,” Krutov said. “Because cyber risk is both growing and rapidly evolving, information about the past may be of limited direct predictive value when looking at the future,” he added.

Consider the unique Sony attack last November, which included a breach of several terabytes of data, compromised operational systems and threats to employees and even theaters that would show the film, The Interview. Before Sony, headline-making cyber attacks focused on the loss of personal information. The Sony experience demonstrated that cyber attacks could go well beyond that.

Cyber experts see several potentially dangerous cyber incident scenarios that could make standard data breaches look inexpensive in comparison. The chance that an attack can knock out a power grid is a tremendous worry because such an attack has the potential to jeopardize human life. Then there is cyber terrorism, a term whose definition alone could affect coverage eligibility.

While actuaries do need as much historical data as they can get, past data is not always indicative of future events or their cost.

 

And a cyber hurricane — where a security incident cascades to a multitude of companies in a limited timeframe — would mean insurers would have to pay heavy losses in a short period of time.

Technological innovation also introduces new vulnerabilities. Cloud computing, employees using unprotected personal devices for work, and the Internet of Things offer new places for attackers to strike.

The need for future predictive analysis of extreme events presents an opportunity for actuaries to become more relevant to insurers, Foster said. For large incidents such as a cyber hurricane, the extreme value theory-modeling tool can be helpful because it overcomes the problem of determining the cost of future cyber incidents with limited data.

“In addition, the science and mathematics behind it have been established and described in detail for over 70 years by respected mathematical professionals,” Foster said. “The downside is the model would make cyber coverage more expensive,” he added, which should be counterbalanced because the cost of incidents is often underestimated. As more information becomes available, the model would be adjusted accordingly.

Krutov maintains that there is no agreed-upon modeling approach for analyzing cyber risk. “While it is not difficult to develop many theoretical models of cyber risk, in practice model selection is likely to be driven by the available data,” Krutov said. Even as models improve, “expert judgment will continue to play an important role in model construction, parameter selection, input choices and other elements of cyber risk modeling,” he added.

To get insight into the potential of future cyber incidents and their financial impact, Foster believes conducting simulations with the help of carefully selected and reformed former cyber criminals can be useful.

As more ideas surface, actuaries will overcome their actuarial conundrum with cyber insurance. After all, solving problems is what actuaries do.


Annmarie Geddes Baribeau has been writing about insurance and actuarial issues for 25 years. To read her musings, please visit annmariecommunicatesinsurance.com.

http://usa.marsh.com/Portals/9/Documents/BenchmarkingTrendsCyber8094.pdf
2 http://www.verisk.com/downloads/emerging-issues/cyber-survey.pdf
3 http://www.verizonenterprise.com/DBIR/2015/
4 http://www.naic.org/cipr_topics/topic_cyber_risk.htm. Accessed 4/23/2015.