AM Best

A.M. Best Special Report: A.M. Best’s View on Cyber-Security Issues and Insurance Companies


Fred Eslami
Senior Financial Analyst
(908) 439-2200, ext. 5406
Christopher Sharkey
Manager, Public Relations
(908) 439-2200, ext. 5159

Jim Peavy
Assistant Vice President, Public Relations
(908) 439-2200, ext. 5644


OLDWICK - NOVEMBER 30, 2015 01:47 PM (EST)
A.M. Best believes that insurance companies are particularly exposed to cyber liability given the nature of their business, and as a result, sees effective risk management in this area requiring a holistic approach where a company’s technology, people and processes diligently work in concert to minimize cyber-security risks. A new Best’s Special Report, titled “A.M. Best’s View on Cyber-Security Issues and Insurance Companies,” states that while A.M. Best still considers natural catastrophe losses to be the primary threat to the financial strength and credit quality of property/casualty insurers, the increasing frequency and severity of cyber attacks, and difficulty in measuring the risk, pose a substantial threat to the insurance industry.

Recent breaches at large managed health care organizations have highlighted the fact that an insurance company’s breach can have wide-reaching effects, impacting staggering numbers of individuals and organizations. Industry research has also warned that a total realistic probable maximum loss for cyber-security risk globally is currently approximately USD 31 billion. A.M. Best is analyzing cyber-security exposure in an effort to increase awareness of this threat and assess the impact on an organization’s financial strength. Assessments have historically been limited to the technology-based controls an organization has in place, but technology alone is not an adequate predictor of overall cyber-security posture or risk. An assessment of the susceptibility of a company’s cyber-security posture from the perspective of technology, people, processes and preparedness must also be undertaken.

The next step in understanding a company’s overall cyber-security risk is an evaluation of the motivation of threat actors like criminal hackers, state-sponsored groups and rogue employees to direct their efforts at a particular company. It is A.M. Best’s opinion that an evaluation of the offensive and defensive forces apparent in the susceptibility and motivation of an organization is essential to understanding an entity’s overall cyber-security risk. A.M. Best views an organization’s ability to generate detailed and credible assessments of its potential cyber risk as a valuable tool in its overall risk management approach.

The report also summarizes results obtained from various surveys and questionnaires A.M. Best has conducted over the years as part of its interactive rating process, and explores areas where companies can improve their risk profiles. Two main trends have become evident in the surveys. First, most companies tend to be inclined to invest large sums of money to improve security on their IT systems and infrastructure. Secondly, larger companies tend to buy cyber insurance policies to further manage the risk associated with a cyber attack, protecting themselves and ultimately their policyholders.

A.M. Best also is cognizant of the fact that the industry may be contemplating new company formations to exclusively write cyber-security insurance. As cyber-security risk is better understood, and underwriting and risk management functions are enhanced and specific consequence-oriented data and actuarial studies become available, A.M. Best will continue to incorporate its findings into the rating process.

To access a copy of this special report, please visit .

A.M. Best Company is the world’s oldest and most authoritative insurance rating and information source.