September 14, 2017

Despite consistent growth in the cyber insurance industry over the last two years, the industry faces a key underwriting obstacle that could limit growth in the market: data. The lack of historical data in the cyber insurance market poses a critical challenge as carriers struggle to model cyber risk across a broad portfolio.

From an underwriting perspective, disclosed cyber risk data given to underwriters remains insufficient. Many feel that carriers are not asking the right, or enough, questions to accurately represent risk exposure for particular rates. Additionally, the fears of an aggregate attack were brought to light after a recent report conducted by Lloyd’s of London and Cyence suggested a catastrophic cyber-attack on a cloud service provider could result in average losses of $53 billion in just two to three days.

In terms of risk modeling, “a lack of sufficient historical data hinders a carrier’s ability to build models to properly rate the risk,” according to a recent Carrier Management article. Not only are organizations hesitant to report cyber events for fear of reputational loss, but insurance companies are also skeptical about sharing incident data with each other for competitive reasons.

Although the insurance industry has historically stayed at arm's length from government regulation, many experts believe the government could play a crucial role in collecting useful data through the required disclosure of certain cyber incidents, particularly when personally identifiable information (PII) is compromised.

Cyber events involving PII, however, account for only a fraction of all data breaches and carriers. In addition, modelers are more interested in how and why a breach occurred, not necessarily that a breach occurred and the number of compromised records involved. Nonetheless, the government could take several steps to improve both the quality and quantity of data accessible to carriers, the first being a uniform national data breach reporting law that would consolidate data into a common repository, a position The Council supports for a number of reasons. Others believe that encouraging organizations to disclose data breach information on the condition of anonymity would ensure sufficient, high-quality data, but whether organizations would voluntarily report this data remains an issue due to liability concerns.

Another example of what the government is doing to promote a greater understanding of cyber risks is the creation of the National Cybersecurity Center (NCC) in Colorado Springs. The NCC is a non-profit organization founded in 2016 and supported by philanthropic and corporate donations, and it aims to “vastly improve the cyber preparedness, security and response of primarily midsize and smaller companies,” a recent Leader’s Edge article explains. The “Rapid Response Center” being developed is dedicated to assisting NCC members in both preparing for and responding to cyber threats. The response center will also serve as a clearinghouse for cyber-related information, populated with government data on cyber incidents.

Cybercriminals have historically taken advantage of a lack of coordination around data collection, notification and response. Due to a generally limited understanding of cybercrime at the C-Suite level, appropriate resources and funding allocated for cybersecurity remain inadequate in many organizations.  Not only would better data collection in cybersecurity increase cyber awareness, preparedness and response, it would also provide carriers, modelers and brokers with the necessary tools to underwrite this large and complicated risk.