Bringing Sustainability to Cyber Insurance
The burgeoning market requires creative solutions.
- Tony Kuczinski
- October 2022
The cyber insurance market presents a tremendous growth opportunity for our industry. However, along with this growth potential come certain distinct challenges.
As an industry, we've been modeling property and casualty risks for hundreds of years. In comparison, we have a small amount of data for cyber, and even this data is often of limited use in modeling specific and evolving cyber-related risks.
We know the potential dangers to cars, buildings, and businesses, and the likelihood of those damages occurring. Conversely, the cyberthreat landscape can change on any day, at any moment. Even a minor change in system architecture or the installation of new software can significantly change a customer's cyberrisk profile.
Cyberrisk is also unique in that it cannot be geographically isolated. While the risks from a winter storm in Texas do not necessarily correlate to additional risk exposure outside the immediate area, a cyber incident impacting a popular software program could prove disastrous for countless firms worldwide. If the software is used by hundreds or thousands of businesses, the risk is multiplied.
The complexity of cyber as a peril and the evolving nature of the risk create challenges in insurance product design, underwriting, risk management and accumulation control. Nevertheless, as insurers, we must develop a sustainable approach to address these challenges, as cyber insurance is fundamental to the successful digitization of business on a global scale.
When it comes to cyber, the target is constantly moving, as “bad actors” perfect their methods and find innovative ways to counter security measures. In response, we need additional players who are financially strong, committed to the long term and well-staffed with professionals in all areas, including specialized cyberrisk managers, underwriters, claims professionals and technology experts. Collectively, our vigilance and adaptability will be key to ensuring the highest caliber of cyberrisk management and resilience for our clients.
As an industry, we need more open discussion and more creative solutions—and soon. Insurance is a competitive business, but when it comes to cyber, we must combine forces and align on a strategic approach to this dynamic and evolving market.
Data forms the basis of our understanding of any risk. We must become more data-focused, determining the specific information to capture and how to capture it. Improvements in available data will enable more frequent, detailed analysis and performance assessment, leading to more accurate modeling. For this reason, the industry needs to create data-sharing mechanisms, with a commonly agreed data schema.
The standardization of definitions and exclusions in cyber policies is also essential. Cyber policy wording should be clear and well-defined, leaving no doubt in customers' minds about what is and is not covered. As part of this standardization of language in cyber policies, we must be clear about war exclusions.
We must also do more to educate our customers, encouraging them to take a more active role in mitigating their risk through strong cyber hygiene. Customer efforts in the areas of governance, technology and training subsequently factor into cyber insurance pricing, driving risk mitigation and building resilience.
Despite our best efforts, the cyber market will likely remain characterized by a higher degree of uncertainty than other lines, due to the nature of technology. To date, the insurance industry has proven that we can effectively manage this challenge. However, with rapid digitization creating the need for increased capacity, significant steps must be taken to ensure the long-term health of this burgeoning market. Ultimately, greater efforts are needed to incorporate capital markets in our management of cyberrisk, joining forces in a sustainable approach to this evolving systemic concern.
Best’s Review contributor Tony Kuczinski is chief executive officer of Munich Re US P&C Cos. He can be reached at firstname.lastname@example.org.