Actuarial Expertise

Reliably Quantifying Cyberrisk Exposure

Because the mix of vulnerabilities, events and damages changes constantly, nailing down reliable factors for pricing and reserving cyber coverage has been elusive.

The CAS Research Paper, “Exposure Measures for Pricing and Analyzing the Risks in Cyber Insurance,” demystifies the task of assessing cyber exposures so that insurers can adequately cover their customers. Written by Michael A. Bean, FCAS, CERA, FCIA, FSA, Ph.D., the paper also walks readers through the nature and types of cyber-related exposures and describes how to measure some of them.

While published within the actuarial community, Bean’s work is also critical for underwriters, agents and brokers, who play an active role in pricing, risk selection and sales of cyber insurance. In truth, cyber insurance remains somewhat nebulous to buyer and seller alike. Compared to other commercial insurance lines, cyber insurance is still in its adolescence; its policy forms and language remain largely unstandardized. It is sold either as a stand-alone product or as an endorsement to a commercial package, depending on the insurer’s cyberrisk appetite and the customer’s needs and budget.

Originally, some 20-plus years ago, cyber insurance was offered as policy language covering the cost of notifying individuals whose personal data had been breached or stolen, also known as privacy liability. However, coverage limited to the expense of complying with state regulations, notifying affected individuals and protecting personally identifiable information did not keep pace with the expanding extent of cyberrisk.

As cyberrisk became better understood, and its extent expanded to include cyber ransom and internet-of-things-related process stoppages, insurers added new products. Such coverages include network security liability; cyber event response; network interruption; digital asset recovery and restoration; regulatory actions; and payment card industry assessments. Insurers also offer supplementary coverages for cyber extortion; cybercrime; media content liability; technology errors and omissions; third-party bodily injury and property damage; enhanced business interruption; and reputation protection.

The first challenge in assessing risk is always obtaining reliable data. Besides gleaning information from customers, there is some publicly available data regarding cyber events, but it is limited in both amount and reliability. As a result, identifying exposures is conceptual rather than empirical, Bean explains. With that caveat, he identifies the potential exposures deserving of attention when assessing each prospective customer, organized by the coverage types mentioned above.

For example, when considering candidate exposure measures for network security liability coverage, which pays damages and defense costs arising from third-party claims that the insured’s failure of network security harmed the claimant’s computer systems or networks, he recommends using the number of user IDs or endpoints (such as desktops, laptops or mobile devices) as a “reasonable measure.” An applicant’s inability to supply this information, he warns, is itself indicative of poor system management or security practices and “should give pause” to the underwriter.

Seeking measures that are simple, auditable, stable and legally determinable, and that bear a strong relationship to losses, Bean emphasizes that whatever exposure measure is used for a coverage should be “scaled appropriately” to the context.

With this in mind, he offers three basic measures, the choice depending on the coverage. Products that protect against exposures affecting people, such as privacy liability or cyber event response coverage, could be based on the number of employees or the number of customers, whichever is higher, presuming a headcount is available.

When losses primarily involve exposure of computer systems, hardware or software, the recommended exposure measure is the number of endpoints (desktops, laptops or mobile devices) or, alternatively, the number of distinct user IDs, whichever is easier for the insured to report and the underwriter to verify.

For all other coverages, such as network interruption and regulatory actions, fines and penalties coverage, Bean recommends an exposure measure of revenue or sales over a specified period.