Insurance against cyberrisk is one of the fastest growing lines of business, but actuaries setting rates should look beyond historical trends, a panel of experts said at the Casualty Actuarial Society Seminar on Reinsurance, held in Philadelphia in June 2015.
Three panelists — Dr. Raveem Ismail, a specialty treaty underwriter at Ariel Re; Jason Crabtree, chief executive officer at Rationem, a developer of risk management support systems; and Chuck Thayer, a senior vice president at Willis Re — told actuaries that the fast-changing nature of cyberrisk makes it difficult to price using the traditional actuarial model of projecting losses from the past into the future.
There’s no doubt that the line of business is growing, said Thayer. Willis counted more than $2 billion in writings through February, and there continues to be strong potential for growth, he said.
However, even the name “cyberrisk” can be a bit misleading, Thayer observed, since the risk isn’t usually caused by computers. In most ways, “it is essentially a human risk.” Thayer likened the situation to making a side bet on a contest, one between the company and the attacking hackers. One of the parties — the insured — you know well. The other side, however, resembles “a cage match where anyone can enter the ring.”
Panelists said recent hacks that tapped millions of customer records at retailers Target and Home Depot, health insurer Anthem and others are just one small piece of the total cyberrisk. The threat grows more complex, said Dr. Ismail, when hacks can cause physical damage, even terrorism. “The term ‘cyber’ no longer means what it once did.”
Dr. Ismail is dedicated to underwriting, analyzing and modeling specialty risks such as war, terrorism and cyber. He characterized current cyberrisk in three ways:
- The hazard evolves rapidly and contextually. All businesses face cyberrisk, but malware is often uniquely targeted: “It’s as if new storms are invented every day, and the storms are very specific to your organization,” Dr. Ismail said.
- The exposure cannot be diversified away by geography or by class of business. Hidden accumulations exist. For example, a German factory and an Australian bank could be linked via use of the same service provider.
- The exposure profile changes rapidly, unlike standard lines of business. For example, fire risk, he noted, can be mitigated by building fire escapes and following building codes, actions typically present at the construction of a building and only requiring routine maintenance afterwards. With cyberrisk, the exposure can change very quickly and drastically, by simply hiring a new IT resource or by switching to a new third-party tech provider. Therefore, a standard way an insured enumerates its exposure — often by filling out an application — may not be effective in this case, and previous loss experience may not have any relevance to predicting the future. The insured may not even understand all the permutations of the risk; a self-audit or questionnaire could potentially leave too many gaps, and the depth, frequency and complexity of proper appraisal could be expensive.
Crabtree said most cyber protections are meant to stop hackers who are trying to penetrate the weakest system. Often, though, hackers target a particular company. That is harder to defend against. It would be a mistake to try to create a failsafe, “silver bullet” solution against targeted attacks, Crabtree warned. “Security is an emergent property of a complex system,” he said.
Panelists spoke of insuring risks instead through a combination of risk management techniques, which would include regularly monitoring insureds, and actuarial pricing. For now, though, a lack of data and understanding can make pricing a challenge.
“The environment is constantly changing,” Thayer said.
James P. Lynch, FCAS, is chief actuary and director of research and information services for the Insurance Information Institute in New York.