Assessing the cost of cyber breaches is arguably the toughest task insurers have on their hands right now.
Some believe a cyber-risk modelling tool, akin to those used to assess catastrophe, financial and other exposures, may be what the industry needs to address the issue. Global law firm Clyde & Co says it is working with several foreign and Australian insurers that are using cyber-risk modelling to develop bespoke products for clients.
“There is a gap that risk modelling can fill and we are seeing insurers use cyber-risk modelling to develop more policies,” Sydney-based Senior Associate John Gallagher, who advises on cyber risk, cyber insurance and data breach, told insuranceNEWS.com.au.
“Risk modelling will certainly help the industry come to grips with what the risks are.”
However, there are sceptics who question the accuracy of risk modelling in assessing intangible threats such as cyber attacks. Unlike earthquakes, floods and other natural catastrophes, the available pool of data is patchy at best.
Mr Gallagher says the quality of data used to develop a risk model is critical.
“A model will only be as good as the accuracy of the data it is based on… you will never get an accurate model without accurate data,” he says.
“With risk modelling, it can’t be one size fits all.”
Making it mandatory to report breaches will improve the data pool.
“There is a danger that there is very little sharing of information relating to cyber breaches or cyber claims,” Mr Gallagher says. “You may see more sharing if mandatory reporting is required.”
US-based AIR Worldwide is the latest modeller to jump on the cyber-risk bandwagon. Last month it announced work has begun on an “advanced” model for insurers, in collaboration with security and cyber-data providers Risk Based Security and BitSight Technologies.
“Having a reliable model on the market should allow… companies fresh into the cyber game to write policies with a better understanding of the risks they are assuming,” AIR Worldwide Manager and Principal Scientist Scott Stransky told insuranceNEWS.com.au.
AIR Worldwide is using the same modelling framework employed in its catastrophe model for nearly 30 years. Working in stages, the model uses data to calculate exposure, including determining the number of attacks per year and types of industry being targeted.
“The final step of the model is to produce loss estimates, including average annual losses, one-in-100 [year] losses, one-in-250 [year] losses, per account and for entire portfolios,” Mr Stransky says.
“To do this, we need loss data… we are working with six primary insurers to receive such data.”
He says there is “a very strong demand for a probabilistic cyber-risk model” and more than 40 clients have expressed interest in it.
Aon’s financial specialties team Chief Commercial Officer Stephen Trickey cautions against relying solely on risk modelling.
“It’s not just about a model,” he told insuranceNEWS.com.au. “It’s one of several ingredients.”
Cyber insurance is a high-growth market, with PricewaterhouseCoopers predicting it will triple to $US7.5 billion ($10.6 billion) in annual premium by 2020 from $US2.5 billion ($3.5 billion) last year.
Aon says cyber insurance in Australia will likely take premium receipts of $25 million next year, up from about $15 million this year. This should not come as a surprise, with past attacks on some of the biggest corporations, including Sony and upmarket US retailer Neiman Marcus, highlighting the threat’s seriousness. Even Apple has not been spared. The tech giant was left red-faced when its App Store’s much-vaunted “walled garden” was breached by malware.
It’s no wonder then that some companies are having sleepless nights over the problem, which is costing the global economy $US445 billion ($631 billion) a year.
Swiss Re says it is focusing on “accumulation of potential of cyber risk” as part of its policy portfolio.
“The tricky thing with cyber risk for an insurance industry is that it spans almost all the lines of business, as well as all geographies,” Swiss Re told insuranceNEWS.com.au.
“We take accumulation very seriously and are investing significantly into better understanding this topic, also in collaboration with industry associations, academic institutions and other partners.”
Cyber breaches are not new, but attacks have become more sophisticated, with global commerce now run on a web of computers. What’s needed is a new mindset to survive in the digital landscape.
“We are seeing the rise of the hacktivists… insurance is there to mitigate the risk,” Mr Gallagher said.