I discussed in my last post the large potential size and rapid growth of the market for cyber insurance.  However, the absence of accurate models for assessing and pricing cyber risk has remained a barrier for insurers seeking to offer such policies.

Insurance companies – along with actuarial firms, software vendors and other third parties – are hard at work on modeling cyber risk.  Business Insurance has noted that some firms are adapting the modeling tools that have been used to quantify the risks arising from natural disasters.  One problem, though, is that, while data on hurricanes and other disasters is part of the public record, not all companies make public disclosures of cyber breaches.  That makes it difficult to accurately assess the impact and frequency of such attacks.

Another problem is the increasing number of devices that can be hacked.  Vulnerabilities are expanding beyond company data collection points and IT systems. As the Internet of Things expands, the number of devices communicating with each other, collecting data and taking commands from central sources is proliferating rapidly.  At this point, insurers are unable to estimate the potential damage from, for example, a ring of car thieves that learns not only how to override automobiles’ security systems but to issue commands to the vehicles themselves.  Similarly, the physical and financial consequences of hackers penetrating any one of the “smart grid” systems that utilities are putting in place could be catastrophic.

A further problem is the cross-border nature of cyber risk.  Companies can analyze potential risk from known threats, but it is difficult to model what a group of hackers in Eastern Europe or Asia might be hatching.

Companies are making progress, and steps have been taken towards forming public/private partnerships to share information and data on cyber threats.  Estimates are, however, that it will be years, not months, before comprehensive cyber risk models are in place.  In the meantime, insurers will need to look closely at general liability policies to assess previously unanticipated risks from cyber-crime.

3 responses:

  1. Good article, Kevin. As you suggest, trying to get a handle on cyber risk based on threat intelligence is very daunting. Verizon’s 2015 Data Breach Investigations Report said that global threat intelligence providers report on over 500,000 malicious websites – and that list of websites turns over every day.
    Another path to understanding risk is in terms of defense, by understanding a company’s ability to identify, protect, detect, respond to, and recover from a security event. These 5 activities are part of the core of the NIST Cybersecurity Framework, widely regarded as the gold standard for gauging cyber breach readiness.

    1. Hit reply too fast…

      As I mentioned, appreciate the direction of reviewing the NIST Framework.

      Accenture has recently published several reports on cyber risk and resilience. You might be interested in reading Cyber resilience: Answering the cyber risk challenge, and Tackling cyber risk by integrating operational risk and cyber security.
