The Bitesize Insurtech comments from Oxbow Partners (notable: no middle 'e' in Insurtech to those in the know), has provided their commentary on our business and what might be perceived as the dark arts of cyber risk analytics. I'm happy to report that there are no magic wands, illusions, or murky shadows. As a community, we're grappling with hard problems, and using lots of data to model potentially catastrophic and systemic losses and scenarios that could impact the (re)insurance universe as a result of the hyper-connected digital world that we all occupy (often without a moment's contemplation of its complexity).
These are in some cases, unprecedented, yet entirely plausible and technically feasible events that have the potential to create shockwaves through the insurance industry. The analogy used by Oxbow Partners relating to natural catstrophe modelling has some legitimacy - it's been around for approximately 25+ years; it focuses on specific systemic exposures, and it regularly updates models to reflect new realities.
There are however important differences with cyber risk modelling. True: there is plenty of incident data, but little in an organized format which can be easily digested by (re)insurers. True: there have been previous insured losses in the class of business, but many of these may not be relevant to future exposures given the rapidity of changing risk landscape. And true: there may be some visible insights around technology dependencies, but these connections are little understood and rarely reflect other key aspects around the criticality of such dependencies.
We are in the foothills of our journey but our goal is to de-mysitify some of the complexities around cyber risk modelling, and enable our clients in the (re)insurance ecosystem to better understand (and manage) cyber risk.