
The Challenging Path to Cyber Insurance Coverage


Cyberattacks are on the rise. Hardly a day goes by without news of another data breach, ransomware attack, or cybersecurity incident impacting businesses large and small. As attacks become more sophisticated and damaging, companies are seeking cyber insurance to help manage the financial risks. But for many, obtaining adequate and affordable cyber coverage has proven to be frustratingly difficult.

The Emerging Cyber Insurance Market Faces Growing Pains

Cyber insurance is still in its infancy compared to other insurance products. While demand is rapidly rising, the market remains constrained by various factors. According to a 2022 survey, nearly half of risk managers looking to buy cyber insurance faced challenges finding coverage that met their needs.

So why is cyber insurance so hard to get? The nature of cyber risks creates inherent complications for insurers seeking to underwrite policies.

Historical Data Deficits Cause Uncertainty

Insurers rely on historical loss data to model and price risk. But for cyber policies, there is a lack of reliable long-term data. Cyberspace itself is a relatively new domain of risk, and cyber insurance only emerged in the late 1990s. The limited claims history poses difficulties for actuaries in estimating future losses.

Another issue is that past cyber events provide little predictive value for the future. The cyber threat landscape evolves incredibly quickly. New attack techniques, vulnerabilities, and targets appear constantly. Yesterday’s data breaches look very different from today’s ransomware campaigns. Extrapolating future costs based on previous losses is precarious given how rapidly perils change.

Interconnected Risks Compound Exposures

Traditional insurance products cover isolated risks impacting individual policyholders. But cyber policies must account for aggregate threats affecting multiple companies simultaneously.

Cybercriminals frequently deploy attacks like ransomware broadly across sectors. A single malware campaign can cripple firms across the supply chain. This correlation of losses and “contagion” effect makes cyber risks systemic in nature. Insurers face accumulations of exposure that could overwhelm capital reserves if multiple policyholders file claims concurrently.

Calculating the Costs of Cyber Risks is More Art Than Science

Modeling and pricing cyber insurance is as much art as science because of the complexities and uncertainties involved. With unpredictable threats, a lack of robust data, and aggregation issues, quantifying cyber risks is extremely challenging. Premiums often rely more on subjective judgment than objective actuarial analysis.

Insurers must account for intangible factors like policyholders’ security cultures alongside technical vulnerabilities. Assessing which firms represent good risks versus bad risks involves some guesswork. This can lead to coverage gaps or mispriced policies.

The Threat Environment is Dynamic and Unknown

The cyber threat landscape is continuously evolving. Cybercriminals rapidly adjust their techniques and tools to exploit new vulnerabilities for financial gain. High-profile attacks using novel methods can suddenly emerge. This dynamic environment makes predicting worst-case attack scenarios difficult if not impossible.

Insurers prefer to underwrite “known unknowns” based on experience. But cyber risks often fall into the “unknown unknown” category where the nature of potential threats remains highly opaque. Without knowledge of the maximum plausible loss, insurers struggle to define risk accumulations and required policy limits.

Overcoming Cyber Insurance Hurdles Through Collaboration

While barriers exist, experts see grounds for optimism that cyber insurance can grow into a mature and stable market. But it will require collective action between insurers, businesses, regulators, and other stakeholders.

Better threat data sharing and standardized reporting metrics would help strengthen risk analytics. Frameworks like the Cybersecurity & Infrastructure Security Agency's schema for reporting incidents could improve loss insights if adopted widely.

Partnerships between insurers and policyholders to enhance cybersecurity and resilience will also be key. Well-managed cyber risks are more insurable. Promoting a “cyber-aware” culture alongside IT security controls can substantially lower the probability of breaches.

For cyber insurance to fulfill its promise, the public and private sectors must work together to shed light on the uncertainties and interconnectivity surrounding these crucial risks.

The Bottom Line

Cyber insurance has quickly gone from “nice to have” to “must have” for enterprises looking to manage digital risks. But for many, obtaining the right coverage remains frustratingly elusive and expensive. Factors ranging from limited data to systemic threats to opaque future perils create challenges for insurers seeking to underwrite policies.

Collaboration to collect information, analytics to quantify risks, and tools to reduce exposures will be vital to overcoming the hurdles facing cyber insurance. As attacks and adoption continue rising, both insurers and policyholders have much at stake in shaping a secure and sustainable cyber insurance market for the 21st century.

Frequently Asked Questions on the Difficulties of Getting Cyber Insurance

What makes cyber risks so difficult to insure against?

Several key attributes of cyber perils create obstacles for insurers seeking to underwrite policies. The dynamic nature of the threat landscape, lack of historical data, and potential for correlated losses across firms mean cyber risks do not behave like conventional insurance exposures. This complicates risk modeling and pricing.

How does the lack of past claims data impact insurers?

Insurers rely heavily on historical loss statistics to forecast future claim patterns. But cyber insurance is still relatively new, so there is limited aggregated data available. Also, the rapidly evolving nature of cyberattacks means past losses have little predictive power. This lack of robust actuarial data makes quantifying cyber risks very challenging.

Why can’t insurers just look at recent cyber events to predict future costs?

While recent cyber incidents provide some insight, the threat landscape shifts so quickly that extrapolating based on past events is extremely unreliable. Cybercriminals rapidly adjust tactics, so yesterday’s data breach looks very different from today’s ransomware attack. Insurers prefer to underwrite “known unknowns” based on experience, but cyber perils often fall into the “unknown unknown” category.

How does interconnectedness of risk affect cyber insurance?

Traditional policies cover isolated risks impacting individual policyholders. But cyberattacks frequently affect multiple organizations across sectors simultaneously. This aggregation or “contagion” effect violates the independence assumptions of conventional risk models. The potential for correlated losses represents a systemic risk that could overwhelm insurers’ capital reserves.

Why is it hard to know how much cyber insurance coverage to offer?

Quantifying the maximum plausible loss is very difficult with cyber risks. The dynamic threat environment means the worst-case scenario is opaque. Without knowledge of maximum exposures, insurers struggle to define risk accumulations and required policy limits. They also cannot easily gauge appropriate premiums relative to potential claim costs. This makes pricing and capacity decisions more art than science.

What can be done to improve the cyber insurance market?

Experts recommend steps like standardized threat reporting, public-private data sharing, and policyholder cybersecurity partnerships to help strengthen actuarial models and risk management. Well-managed risks are more insurable, so promoting cyber resilience alongside insurance will enable the market to grow sustainably. Government frameworks providing liability clarity and regulatory support also promise to unlock greater coverage options.
