I discussed in my last post the large potential size and rapid growth of the market for cyber insurance. However, the absence of accurate models for assessing and pricing cyber risk has remained a barrier for insurers seeking to offer such policies.
Insurance companies – along with actuarial firms, software vendors and other third parties – are hard at work on modeling cyber risk. Business Insurance has noted that some firms are adapting the modeling tools that have been used to quantify the risks arising from natural disasters. One problem, though, is that, while data on hurricanes and other disasters is part of the public record, not all companies make public disclosures of cyber breaches. That makes it difficult to accurately assess the impact and frequency of such attacks.
Another problem is the increasing number of devices that can be hacked. Vulnerabilities are expanding beyond company data collection points and IT systems. As the Internet of Things expands, the number of devices communicating with each other, collecting data and taking commands from central sources is proliferating rapidly. At this point, insurers are unable to estimate the potential damage from, for example, a ring of car thieves that learns not only how to override automobiles’ security systems but also how to issue commands to the vehicles themselves. Similarly, the physical and financial consequences of hackers penetrating any one of the “smart grid” systems that utilities are putting in place could be catastrophic.
Another problem is the cross-border nature of cyber risk. Companies can analyze potential risk from known threats, but it is difficult to model what a group of hackers in Eastern Europe or Asia might be hatching.
Companies are making progress, and steps have been taken towards forming public/private partnerships to share information and data on cyber threats. Estimates suggest, however, that it will be years, not months, before comprehensive cyber risk models are in place. In the meantime, insurers will need to look closely at general liability policies to assess previously unanticipated risks from cyber-crime.