By Denson Todd, Director of Cyber Risk Services
In our recent survey of the insurance industry, we asked very direct questions of insurance carriers and brokers to better understand market drivers, inhibitors, and overall how the market understands cyber risk.
In addition to what we anticipated, there were a number of unexpected findings. Cyber insurance coverage is a necessity for most enterprise companies. However, our study unanimously revealed that there is a key component missing within the cyber insurance market: the ability to clearly measure cyber risk in financial terms. Nearly 90 percent of respondents know that their customers either have an inadequate method for measuring the cost of a data breach or remain unsure of their customers’ data breach measurement capability (see table 1 below).
Table 1: Cyber Risk Measurement Capability by Cyber Peril Category
The trickle-down effect
The trickle-down effects of being unable to confidently measure cyber risk can be seen throughout the study:
- 73 percent of respondents noted that most organizations do not understand the delineation between risk remediation and risk transfer as a mechanism to buy cyber insurance.
- 4 percent of customers cannot adequately measure the cost of a data breach.
- 7 percent of customers cannot adequately measure the cost of a service interruption.
- 2 percent of customers cannot adequately measure the cost of the theft of intellectual property.
- 41 percent of customers cannot adequately measure the cost of extortion (i.e. ransomeware).
- 3 percent of customers cannot adequately measure the cost of a cyber physical event (property and casualty damage via cyber incidents).
- 74 percent of respondents indicated that “not understanding risk exposures” is the main obstacle in the adoption of cyber insurance as a means of transferring risk. Behind that, 41 percent of respondents claimed that “not understanding policy coverage” was the second biggest obstacle.
You can start to see the pieces come together: how the lack of adequate risk measurement across customers, brokers, and insurers leads to a host of other obstacles. If the customer cannot accurately determine the risk and financial impacts across the five main cyber peril categories (data breach, service interruption, theft of IP, and cyber physical) how can they know that they have purchased the right cyber policies to align with their risk? And that they have purchased enough to cover expected losses?
This is compounded by the fact that only 53 percent of brokers and insurers believe that cyber risk policies offer a clear connection between cyber peril events and cyber insurance coverage elements (such as data privacy and cyber extortion). Not only does there appear to be a significant challenge with understanding risk and when and what to transfer, there is also apparent ambiguity with cyber coverages themselves. This leads to a compounding struggle with accurately aligning a customer’s coverage needs to policy.
Table 2. Connection Between Cyber Peril Events and Cyber Insurance Coverage
An unsettling reality
Cyber insurance is driven by speed to quote. However, there are no historical actuarial tables to support customer profile assumptions and exposure to quote policy premiums quickly and accurately. The cyber insurance industry also lacks the standardization of terminology and processes present within other insurance practices. With nearly 90 percent of respondents either unsure or knowingly quoting policy and premiums based on inadequate risk measure,how does a customer trust the applicability of its policy? And how does the insurer sustain uncertain aggregate risk across their cyber insurance portfolio? While demand and competition are driving speed to quote rather than quality and policy alignment, only 2.6 percent of respondents agree that a short questionnaire or information gleaned from an internet-based tool is adequate to measure the entire cyber risk profile of an applicant.
What can be done?
“Cyber risk measurement is the quantitative reduction in uncertainty. Not the elimination of uncertainty or an exact measure,” (How to Measure Anything in Cybersecurity Risk). The clear and concise measurement of cyber risk and its financial impact is at the center of a sustainable cyber insurance market. Our study revealed that the executive board (42 percent) is in the best position to understand and make an informed business decision on risk transfer. Theexecutive board is also the main force behind the demand for cyber insurance. However, to make informed risk transfer decisions a board must reduce the uncertainty associated with the risk transfer process both internally (organizational risk) and externally within the buyer experience.
Who do we turn to?
Who has responsibility and the ability to change this dynamic? An overwhelming 94.4 percent of respondents agreed that there is a significant need to educate the buyer better during the pre-sales process to avoid miss-selling of cyber insurance policies. But who is the onus on to change this process? 65.1 percent say it is with the insurance brokers, while only 10.6 percent and 7.6 percent respectively believe that underwriters or corporate cybersecurity leaders (e.g. CISOs) have the responsibility to educate buyers. In reality it is most likely a combination of all three taking ownership to change this dynamic. The stats, however, point out that it is most likely the insurance broker who is in the best position as mediator between the buyer and the insurer to make changes and force better practices, creating a more sustainable process for everyone.
The survey clearly highlights a flawed process while demonstrating awareness and significant agreement that the current process needs to change to sustain portfolio risk and drive growth in the cyber insurance market. No one specific party can make the change itself. Perhaps, as the study illustrates, the broker may serve to bridge the gap and encourage a sustainable process: starting with the adoption of a standardization in cyber risk measurement to support better alignment and efficacy of cyber risk policies within the market.