Insights on ‘Cyber Risk and the Role of Insurance’

The session was held on Thursday 29 September and featured its authors Win-Li Toh and Ross Simmonds from Taylor Fry and Michael Neary from DXC Technology.

The paper takes a deep dive into the evolution of cyber risk, and how businesses and governments are addressing this risk. With 20 ransomware attacks globally every second^[1], and an unpredictably dynamic nature, cyber risk has become an incredible challenge for a wide range of stakeholders.

In Australia, the economic cost of cyber crime is $33 billion^[2], more than half the gross written premium of the Australian market. Due to the size and complexity of cyber risk, a collaborative approach will be needed to tackle this issue. As Win-Li Toh comments, “It is no longer possible to combat this issue in silos… What our paper does uniquely is it tries to thread together these different perspectives to urge meaningful discussion”.

The paper propositions cyber insurance as a vital component for risk management. Beyond its core role of providing compensation and incident response resources to recover from a cyber event, it can also act as an incentive for insureds to boost their resilience.

The paper references the Cyber Security Cooperative Research Centre’s 2021 report, and its calls for minimum security standards for companies that take out cyber insurance. This interaction was considered synonymous to the Plimsoll line by Michael Neary, stating, “There is a role for insurance… in setting those standards that help prevent a cyber-attack and helping organisations come up with best practice.”

The presentation illuminated the challenges cyber insurance faces today for both insurers and consumers. While the product has been historically profitable, the recent experience of ransomware losses has challenged this status and insurers have responded with rate increases, often in excess of 100%, and capacity reductions. This is evidenced by the rapidly increasing loss ratios in the Lloyd’s market for the 2018 and 2019 underwriting years.

The presentation offers further insight into the consumer challenges for cyber insurance, noting the shortage of qualified personnel. According to CyberCX^[3], Australia requires another 30,000 cyber professionals by 2026. However, as Ross Simmonds notes, there are only, “approximately 1,300 people studying cyber security courses at a tertiary level”. This deficiency in supply relative to demand will provide shortage issues for businesses and insurers as they compete for skilled people.

The session spurred insightful questions from the audience which delved deeper into the subject matter. One attendee asked about the sophistication of valuation and pricing models, and how this has evolved over time.

The approach to valuation and pricing of cyber insurance has developed very rapidly over the last few years. Not too long ago, simple rating approaches based on industry and revenue were adopted in the absence of data to write this business. Win-Li Toh pointed out that the modern techniques of risk selection and pricing have begun to leverage new techniques.

“It’s not just a matter of filling out a form yourself, there’s also external scanning tools that help to underwrite. As we get increasing knowledge, there are more and more factors to use,” Win-Li said.

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.