How actuaries can vet out the real risk from cyber threat


With cyber security playing an ever larger role in today's insurance world, Matt Cullina of CyberScout provides detailed guidance to help actuaries vet out the real risk versus the more sensationalistic risks reported in the news. In this Q&A on cyber he also looks at the best sources for actuaries to consult from a loss perspective.

 By Matt Cullina, CEO of CyberScout
  
 Q: How does the recent nature of cyber related policies and claims make it difficult for actuaries to really get a handle on measuring the risk?
 Take-up of cyber insurance anywhere in the world apart from the United States is very low, with some estimates put at between 1 and 2%. This low uptake reduces the ability to spread risk evenly since, in markets of this kind, higher risk customers are more likely to take up the cover. Also, the volumes are too small to produce meaningful claims data. Even the market leaders in cyber coverage do not produce statistically significant data that could be used as part of the underwriting process.
  
 Combine these limitations with the fact that these policies are not yet standardized, as are other types of cyber cover that address a wide range of policy types. In addition, the extremely complex and rapidly evolving nature of the technology that underlies these types of claims means that the losses we saw 3-4 years ago are quite different from the types of losses we see today, and tomorrow’s losses will be different again. From an actuarial perspective, assessing risk is a moving target.
  
 Q: How does the evolving threat landscape in cyber complicate this?
 Recently many people have been discussing the merits of predictive analytics and cat loss modelling as a way to underwrite cyber. However, there are dangers with assessing cyber risk in the same way you might look at an earthquake, hurricane or flood risk since natural events are not liable to change tactics over time and will not react to risk management practices so quickly or adversely.
  
 Exponentially growing rates of innovation and the never-ending “cat-and-mouse” nature of cybercrime ensure that there is, at least for the foreseeable mid-term future, a level of variability that predictive analytics and modeling fail to take into consideration. In addition, as we see more machine learning applications being used in government and private industry, black hat hackers have also adopted this technology in their hacking toolkits, pointing to a fundamental change in the threat landscape in the future.
  
 Q: What are the best sources for Actuaries to look at from a loss perspective?
 There are many sources of cyber loss data from government and many large insurance institutions. Some sectors, especially the medical industry, may provide more consistent data. HIPAA requires that data breach incidents be formally reported to the U.S. Department of Health and Human Services and posted on its website. This data is limited to one industry and only provides reference points for losses of protected health information (PHI). There would be no relevant data for other incidents such as ransomware infections that don’t involve PHI, or claims data related to media liability, for instance.
  
 However, there are limitations to consider when looking at any of these data sources. Many sources are limited with regard to the size of business they look at or their definition of a breach. There are also inconsistencies around how they measure the resolution cost. These studies can be aggregated, but care must be taken to make sure the figures are comparable.
  
 Q: Does looking at any size of loss or cover provide intel to other segments? In other words, is there benefit for actuaries to study large breaches as they apply to small businesses or small business breaches as they apply to Fortune 100 companies?
 When considering the causes of breaches, there is a great deal that can be compared between large and small businesses. Many of the business exposures to breaches are common to both large and small businesses due to the remote and fairly uniform nature of a web-based risk. However, the mitigation techniques and therefore the costs involved can be vastly different. The approach for a multi-national company with a large risk-management department will be very different from an SME risk.
  
 In addition, the liabilities for a large entity are much higher following a breach than for a small entity. Risks ranging from regulatory investigations and potential fines to class action lawsuits resulting from a breach increase with the size of the institution.
  
 Most importantly, underwriters need to understand that even when looking at Fortune 100 companies, the world of cyber is really a ‘tapestry’ of IT systems, risks and processes composed of every contractor, subcontractor, vendor and third party that has access to any sensitive data or systems of that large entity. Consider a breach like the one the retailer Target announced over the holidays a few seasons back. A small business was the entry point into Target’s system. So it’s important to understand that the entire ecosystem of small, medium and large players working together is highly informative for any specific market segment from an underwriting perspective.
  
 Most carriers have developed their own approaches to cyber cat modeling. Over time, the carriers and market are trying to find better tools and solutions that can more accurately assess risk from a catastrophic standpoint.
 
 Q: Where can actuaries look for the expertise to vet out the real risk versus the more sensationalistic risks reported in the news?
 Cyber-security expertise is currently being utilized across the sector to look at ways of identifying particularly high-risk companies and to put best practices into place across a book which will enable them to standardize the risk level.
  
 However, many people overlook the more traditional insurance expertise. Actuaries have a unique ability to look at dynamically shifting risks instead of focusing on past experiences or accepted conventional wisdom.
  
 In addition, actuaries shouldn’t just focus on the technology itself but on the manner in which that technology is being used, leveraged and applied by the users, whether it be the entity or its employees. For instance, looking at related but different areas of insurable risk such as EPLI or Media Liability can help provide insights into the actual usage of the underlying technologies that cause these real risks.
  
 Q: Can actuaries look at different markets to build a better understanding of this area? For instance, what does U.S. or Canadian-based cyber claims experience say about European risk, if anything?
 The US market evolved before the European market in cyber primarily because of regulation changes. Once breach notification regulations with tough penalties came into force, they drove a change in consumer behavior to buy cyber insurance products. It is expected that similar regulations coming into the European market in 2018 will drive a similar change, provided the penalties get enforced. However, it is also worth remembering the innate differences in the markets. US authorities and entities tend to think about direct financial loss when it comes to cyber risk, while in Europe, an individual’s privacy is considered more of a fundamental right.
  
 There are important and fundamental lessons that can and should be applied to the European market by looking at the U.S. and Canada’s approach to “project management,” such as:
 (a) Immediately responding to, investigating and documenting a data breach event; and
 (b) Properly reporting, notifying and remediating any of the event’s impact on the individuals whose personal information may have been impacted (including working closely with applicable regulators).
  
 To ignore nearly 15 years of experience with data breach notification regulations and liabilities in the U.S. would be foolish. Reluctantly or not, European and U.K. underwriters should avail themselves of learning the hard lessons from North America, taking a smorgasbord approach to adopt what is useful and leave the rest.
  
 Q: What types of more ‘traditional’ risk areas could actuaries rely on or learn from to better evaluate cyber-related risks?
 Insurers need to look no further than their existing property and casualty exposures. In the vast majority of commercial portfolios today, there exists a high level of cyber risk. Risks of business interruption due to an aggregated attack on a cloud provider or damage to national infrastructure from a nation-state-sponsored cyber-attack could all have a significant impact on traditional lines of business.
  
 In addition, looking at professional liability exposures especially in data heavy areas like IT, law, medicine and accounting provides a deep book to pull from.
  
