The growing demand for cyber insurance has sparked a discussion about how cyber risk exposure can be better quantified to help price cyber insurance and guide insureds on what type of policy is needed. While traditional lines of insurance have decades, if not more, of quantitative data to analyze and predict risk, cyber risk is just beginning to “scratch the surface,” explained Brent Reith, senior vice president at Aon P.L.C.’s financial services group. “We’ve made a tremendous amount of progress as an industry in developing stronger risk models for cyber,” but time is needed as data continues to aggregate.
Another improvement that must be made is stronger communication between risk managers and the IT department. While risk managers do not necessarily quantify their organization’s cyber risk, they are often involved in the decision-making process regarding what cyber policy to purchase and how much to spend. In fact, Mark Greisiger of cybersecurity provider NetDiligence explained that too often, risk managers and their IT counterparts are “exchanging business cards because they don’t know each other.” With a constantly evolving threat such as cyber, risk managers, the IT department and the C-suite must communicate to adequately gauge these risks and purchase the appropriate policy. While technology approaches are being used to assess the probability of a cyber event, non-technology-related improvements can help analyze different scenarios to predict the subsequent financial impact. In the end, these two approaches will lead to better pricing of cyber policies as well as a better understanding of risk to prevent a cyber-attack on the front end.