Pricing and reserving challenges for cyber insurance

1. Data. Data. Data.

In PwC’s 2018 global cyber insurance survey found “the majority of respondents indicated to have claims data from incidents like data breach, ransomware, malware and phishing. The average number of years of available data is approximately seven years.” In fact, 43% of the respondents have six or less years of data. Bear in mind that this was a global survey which could be skewed by the US insurers. In Australia, given the infancy of cyber insurance, insurers who write this business may have only about a few years of data.

Not only is the quantity of data a challenge, quality is also a challenge. What are the required fields for policies and claims data? What are the key exposure measures that need to be collected for rating purpose? Is the claims database able to capture the various claim types and their details?

As a starting point, basic policy information such as company revenue, staff numbers, location, industry type or occupations are required. Given the wide coverages cyber policies offer, policyholder options on these including sub-limits need to be captured accurately. To underwrite and assess exposure and risk quality, further information such as number of data subjects, record types (credit cards, health records, etc), IT security controls and budget information on patch management, malware protection, application controls, access controls and network security (just to name a few!). In May 2019’s Notifiable Data Breaches Scheme 12-month Insights Report, it stated that 35% of data breach notifications were attributed to human error. Interestingly, this percentage is 41% for the Finance sector and 55% for the Health sector. So, it is also important to understand the procedure manuals and training in place for staff. Lastly, the insured’s cyber incident response plan and its testing are also important.

When it comes to quality, it will be dependent on how well the insureds (or their brokers) complete their policy application forms – and they are unlikely to have an IT background!

Similar challenges exist for collection of claims data. The recommendation here would be to work with IT security experts to understand the key drivers of exposure and losses to ensure the database will capture all the necessary data fields that helps with monitoring the portfolio. When deciding on data granularity, a balance is needed between the complexity of the cyber insurance coverages and claims and a “layman’s understanding” of cyber risks of those who fill in the insurance forms.

2. Will the traditional triangulation reserving methods work?

Traditional triangulation reserving methods rely heavily on one assumption – that the past is a good indicator of the future. This is clearly not the case with cyber insurance!

Considering the continuous change in product coverages, increasing limits taken out by the policyholders, changing business mix of corporates versus SMEs, competitors entering the market – the growth in premium volume can be driven by a smorgasbord of factors and not just policy counts and premium rate increases.

With respect to claims, most of the current claims data would have first-party losses. In the future, there is likely to be a rise in associated Business Interruption costs as well as third party losses.

Also consider the continuously changing cyber risk landscape. For example, instead of generating only ransomware attacks, attackers are getting more sophisticated in their approaches and deploying multiple methods such as phishing and malware delivered by emails in tandem. Reserving actuaries need to be aware that such changes could lead to a trend of lower frequency but an exponential increase in severity as well as lengthening of the tail.

3. Aggregation and accumulation scenarios

PwC’s cyber insurance survey identified the measurement of cyber accumulation scenario costs as another challenge.

“Because of its potentially systemic impact, cyber related business interruption/contingent business interruption is the scenario that most worries companies”.

The survey found that companies are concerned about:

• Parameterising the Probable Maximum Loss
• Staying abreast of systemic threats
• Designing scenarios relevant to the portfolio
• Knowing your total exposure at risk

Regarding the last point, the issue of silent cyber makes this an issue for all insurers and not just those who offer cyber insurance policies. This makes understanding something about cyber risk exposure relevant to all general insurance actuaries.

What do actuaries typically do when confronted with “known unknowns”? Put in risk margins! Currently, cyber is a profitable market at an industry wide level. This is partly driven by the conservative margins factored into pricing to prepare for that big event which is likely to have a systemic effect. When and how large does the next corporate data breach or a NotPetya attack need to be before these margins are wiped out?

To conclude, faced with the realities of expanding digital asset values, online economic activities, growing interconnectivity and development towards Internet of Things, actuaries should not only have a heightened awareness but perhaps develop a solid understanding of cyber risks. For those who work in cyber insurance, continuous dialogues with IT security experts would be important.  As the market continues to develop, actuaries will also need to consider deployment of new pricing and reserving techniques.

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.