Today, cyber pricing is driven by competition, rather than rigorous risk assessment—but inevitably, losses will outpace premiums. Risk-based pricing can help carriers price cyber risk more accurately.

A carrier’s sustained profitability hinges on precise underwriting—but is that happening in the current cyber insurance market?

Unfortunately, no.

Right now, data-driven underwriting in cyber insurance is elusive, and at some point losses will catch up with carriers that aren’t using risk-based pricing.

It’s impossible to predict the point at which losses exceed premiums. But the pivot might come sooner, rather than later. Consider that the Financial Times reports that the market is hardening and that in 2017, AIG’s Europe, Middle East and Africa business received as many cyber claims as in the previous four years combined.

Here’s the thing: It’s impossible to prevent breaches entirely, so businesses and carriers must assume that they’ll happen. That means shoring up lines of defense and implementing controls at different levels. So the question isn’t whether a company will be breached, but how quickly it’ll find out and how great a loss it’ll sustain .

If you compare that construct with where many insurers are right now—giving away coverage that isn’t risk-based—there’s an inevitable intersection where losses will exceed premiums. Inevitable. That day isn’t here yet, but it’s coming. And underwriters need to think about that day. When will they get insights about what’s happening on their book? When will they align it with threat intelligence? And how will they do that?

The challenges to accurate cyber pricing

In other words, present-day cyber pricing is driven by competition, rather than rigorous risk assessment. To be fair, there are a few challenges to risk-based pricing for cyber. First, because cyber risk is relatively new, carriers don’t have much information to inform their pricing decisions. And unlike other lines of business where loss data can be predictive of future risks, the constantly evolving nature of cyber means that historical data may not be that useful anyway. It also means that the risk may change significantly after the point of underwriting.

Carriers may also find it challenging to estimate losses. In other lines of business, claims are based on the cost of lost or damaged inventory and premises, plus lost revenue due to business interruption. With cyber, trickier issues must be accounted for—such as data theft that results in reputational damage, lost customer trust or other costs that are hard to calculate.More pertinently, carriers may not have access to a prospect’s unique security and cyber risks. Prospects may not be willing to share the results of cyber security tests or provide details regarding their security capabilities, and that makes it difficult for carriers to accurately assess risk. In addition to covering risk, carriers would be smart to mitigate risk, especially aggregation risk. For example, if malware took down a leading software provider, that could affect organizations across geographies and industries. But prospects may be reluctant to share such details of their organization’s internal workings.

That said, the lack of historical data shouldn’t be a barrier to more sophisticated cyber underwriting. Increasingly, emerging fintech companies are aiming to quantify the risk and help carriers set more accurate, data-driven cyber limits. More to the point, accurate pricing isn’t just the duty of the carrier; it’s critical for the bottom line. The size and extent of a possible claim could be significant, and insurers must have the means to pay on those claims—and that means they must find a way to accurately assess and price cyber risk, or not write it at all.

Partnerships are essential to profitable cyber offers

In other lines of business, carriers are finding that partnerships are the key to extending their value proposition, better engaging customers and enabling better outcomes for all stakeholders. As I’ll discuss next week, partnerships are essential in cyber insurance, both to enable carriers to implement risk-based pricing, and to mitigate losses in the inevitable case of a breach.

To discuss how Accenture can help carriers support more rigorous cyber underwriting, please get in touch.

Submit a Comment

Your email address will not be published. Required fields are marked *