RMS has recently released their Cyber Exposure Data Schema, an “open standard” data schema which will “provide the insurance industry with a systematic and uniform way to capture cyber exposure data and manage cyber accumulation risk.” Thus far, insurance companies have found that providing useful coverage has been profitable but many risks do exist such as a cyber catastrophe resulting in thousands of clients getting hit by a cyberattack at once. Additionally, Verisk Analytics has developed a “preparer’s guide” to help organizations in both collecting and storying cyber exposure data in an open format appropriate for modeling. Scott Stransky, principle scientist at AIR Worldwide in Boston explains “It’s important to lay the foundation – you can’t build a model until there is a standardized way to put it in a framework for capturing cyber risk.” Currently, some insurers simply collect information on the insured’s industry and revenues while others spend much time and resources investigating an organization’s cybersecurity practices.
RMS has also created an accumulation management system which helps carriers “organize and structure their data enabling them to determine how much exposure they have.” This new data schema for cyber insurance, along with RMS’s other recent developments, will provide firms “with a standard approach to identifying, quantifying, and reporting cyber insurance exposure” enabling firms to:
- Share and transfer information about exposures in a consistent and standardized format for risk transfer transactions, benchmarking exercises and regulatory reporting
- Report exposure aggregates by different types of coverage and potential loss characteristics to a level of granularity that can inform risk appetite decisions
- Assess and monitor an insurer’s risk appetite by estimating losses from accumulation scenarios or other types of risk models to the exposure recorded
- Clarify silent or affirmative covers by identifying insurance policies that may have ambiguity in whether they would pay out in the event of a cyber incident