While technology is continuing to evolve and provide many benefits to insurers and their customers, one concern is that growing connectivity and dependence on technology means a single cyber event could simultaneously impact a large number of businesses. This is called cyber accumulation risk, and the American Academy of Actuaries defines this risk in its Cyber Risk Toolkit as the likelihood of a greater-than-anticipated accumulation of claim costs due to multiple exposures being tied to the same event or a related event.
Guests on this episode of The Insuring Cyber Podcast said data and modeling are the best solutions for insurers to manage cyber accumulation risk, however, there is a challenge. Insurers can’t rely solely on their experience with natural catastrophe modeling to prepare for this kind of cyber catastrophe, although there are similarities.
“[Cyber modeling] builds a lot on natural catastrophe modeling, which itself grew quite a bit over the last couple of decades and 10 years or 15 years ago was not nearly as sophisticated as it is today. I would expect cyber modeling to follow a similar path,” said Tim Zeilman, vice president with HSB, part of Munich Re. “But data is really kind of one big issue or point where natural catastrophe modeling and cyber modeling diverge significantly.”
He explained that while a lot of data exists on hurricanes, earthquakes, wildfires, and other natural disasters as they happen relatively regularly, cyber is a younger field.
“One of the big challenges with cyber modeling is there’s just not that much data,” he said. “I liken it to trying to model the impact of a hurricane when you’ve never really seen a hurricane. I think that’s largely where we are with cyber.”
Norman Niami, vice president and actuary at the American Property Casualty Insurance Association and chairperson of the American Academy of Actuaries Cyber Risk Committee, added that another challenge with modeling cyber versus natural catastrophes is that cyber damage is harder to quantify than property damage. This is because the duration of a cyber event and reporting lag can vary significantly depending on the specifics of the cyber attack, he said. This, coupled with increased connectivity and reliance on technology, makes cyber accumulation an emerging and unique risk.
“With the connected world and connected cars and connected homes, the possibility of threats that have a very large impact and footprint in terms of the number of businesses and individual consumers that are impacted is very real,” he said.
Zeilman said for most carriers and modelers, business interruption risk poses the greatest threat when it comes to cyber accumulation.
“None of us are hoping for a really big cyber accumulation loss tomorrow, but the absence of events like that makes the modeling I think really challenging,” he said.
The best insurers can do in the face of these challenges is try to eliminate as much uncertainty as possible, he said. This can be done by getting as many perspectives on this problem as possible with internal models, conversations with other carriers, MGAs, and InsurTechs that are also trying to address these questions, and active engagement with the third party modeling community.
After that, it’s about “managing it, realizing that you are living with a significant amount of uncertainty in this area that is not going to be eliminated anytime soon, and using the tools that you have – pricing and things like that – to build in some sort of factor for that amount of uncertainty,” he said.
Niami said while cyber accumulation risk modeling is a relatively new area for insurers, it is improving at a quick pace.
“More analysis of an insurer’s own data, analyzing and looking for external data that’s available, and continuously monitoring the portfolio is key,” he said. “Additionally, I think close relationships and exchange of ideas and sharing information and expertise among various professionals such as actuaries, IT security experts, underwriters, and claims experts is even more critical than in other lines of business to get a better understanding and feel for the risks and the exposure to manage the portfolio.”
While this work is complex and challenging, he said, it also can’t be ignored.
“Accumulation management is critical for most lines, including cyber, if not more so,” Niami said. “If it’s ignored, it may become a significant problem in case of larger scale attacks from the bad actors or even in incidents that are not criminalized.”
But how likely is a large scale cyber accumulation loss event to occur in the near future?
“I’m not sure if I’m going to venture a guess there. If I were to guess, then I would probably fly to Las Vegas tomorrow,” he said. “But having said that, the possibility is obviously real and exists.”
Check out the rest of the episode to hear what else Tim and Norman had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.
Topics Cyber
Was this article valuable?
Here are more articles you may enjoy.
2023 to Test Recent Growth in Private Flood Insurance Market 
Shot-at FedEx Driver, Now on Workers’ Comp, Has Been Fired, Attorney Says 
Burger King Must Face Lawsuit Claiming its Whoppers Are Too Small 
Billion-Dollar Satellite Risks Upending Space Insurance 
