CyberCube - Cyber Insurance Analytics

What Data Drift Means for Cyber Insurance Models

Written by Richard Ford | Jun 26, 2026 2:29:09 PM

In the first part of this series — The Ever Changing Face of Data — we looked at a simple but uncomfortable problem: cyber data is not stable. The structure of the Internet has changed, attribution has become harder, and the meaning of the data we observe can shift over time.

That matters because models do not just consume data. They turn observations into signals that either increase or decrease our understanding of risk. If the meaning of the underlying data changes, then those signals can weaken or drift as well.

So, what does that mean for cyber insurance?

Implications for cyber insurance

Insurance likes stability. At its core, pricing assumes that the relationship between observable data and underlying risk is reasonably stable over time. That assumption is what allows underwriters to estimate loss, set premiums, and build portfolios with confidence.

The problem is that this assumption is becoming increasingly fragile.

If the meaning of cyber data itself is shifting, then the relationship between signals and risk is shifting with it. A model calibrated on last year’s data may still produce outputs this year that look reasonable, but those outputs may be systematically wrong. The challenge is not just that models degrade — it’s that they degrade quietly, while continuing to appear valid.

This creates a fundamental time mismatch. A policy is priced at inception based on a snapshot of the world, but by the end of the policy period the underlying system — and the data used to describe it — will have materially changed. The model is effectively pricing one system while insuring another.

From a portfolio perspective, this matters. Small, systemic shifts in signal quality or attack economics can translate into broad changes in loss frequency that are difficult to detect and even harder to attribute. What looks like noise may in fact be structural drift.

This does not mean cyber risk cannot be insured. But it does mean that pricing, underwriting, and portfolio management need to adapt to a world where stability cannot be assumed. Models must be continuously challenged, recalibrated, and understood as approximations of a moving system, not static truths.

The implication is simple, but uncomfortable: if the relationship between data and risk is no longer stable, then the foundation of pricing itself becomes less certain.

What this means for modelers

If you work directly on quantifying cyber risk, you likely already know much of this, but your customers might not — or they may simply be putting their heads in the sand.

My thinking is that the changing face of both data and risk requires that we put far greater emphasis on recent data than on older data. The past is important, but our modeling reasoning needs to be willing to discount or even completely discard data as it ages. This goes beyond accepting that older data is less useful; it means accepting that it can be downright harmful to efficacy if the shift is large enough.
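The discounting and discarding described above, as an added example that is not from the original article or from CyberCube's models: it compares an equal-weight claim-frequency estimate with a half-life-weighted one and a hard age cutoff. The claims history is constructed, and the function names, the 6-month half-life and the 11-month cutoff are assumptions chosen for illustration.

```python
# Added example: constructed data and hypothetical names, not a vendor method.

def recency_weighted_frequency(history, as_of, half_life=None, max_age=None):
    """Estimate claim frequency from (month, claims, exposure) rows.

    half_life: months after which an observation counts half as much
               (None = equal weight, i.e. the "stable world" assumption).
    max_age:   rows older than this many months are discarded outright.
    Returns (frequency, effective_months). effective_months is Kish's
    effective sample size over the monthly weights: how much history the
    estimate really rests on after discounting.
    """
    num = den = w_sum = w_sq = 0.0
    for month, claims, exposure in history:
        age = as_of - month
        if age < 0:
            continue  # never use observations from after the pricing date
        if max_age is not None and age > max_age:
            continue  # too old: discarded, not merely down-weighted
        w = 1.0 if half_life is None else 0.5 ** (age / half_life)
        num += w * claims
        den += w * exposure
        w_sum += w
        w_sq += w * w
    if den == 0:
        raise ValueError("no usable observations at or before as_of")
    return num / den, (w_sum ** 2) / w_sq


def build_constructed_history():
    # Constructed: 24 months at 2% claim frequency, then a shift to 5%
    # for the latest 12 months, with 1000 policies exposed each month.
    return [(m, 20 if m < 24 else 50, 1000) for m in range(36)]


if __name__ == "__main__":
    hist = build_constructed_history()
    for label, kwargs in [
        ("equal weight, all 36 months", {}),
        ("6-month half-life", {"half_life": 6}),
        ("discard older than 11 months", {"max_age": 11}),
    ]:
        freq, eff = recency_weighted_frequency(hist, as_of=35, **kwargs)
        print(f"{label:30s} frequency={freq:.4f} effective_months={eff:.1f}")
```

On this series the equal-weight estimate sits well below the current 5% regime, while the discounted and truncated estimates track it more closely at the cost of resting on far fewer effective months of history.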

You must recognize that you are not modeling something that is static across your training period. As such, the goal is no longer to build a model that lasts. It's to build a process that adapts.

Furthermore, most companies don't generate the data they rely on themselves: they buy it. That's good in some ways, as it leverages economies of scale (we don't need yet another company trying to scan the whole internet). It's bad in that you're at the mercy of a third party when it comes to spotting the need for methodological change in data collection. Having a vibrant and ongoing conversation with your provider about not just what they collect but how they collect it is critical.

Lastly, your stakeholders are very possibly asking for something impossible: a long-lived model that accurately represents future risk. That's not going to happen — and so managing those stakeholders is important. The problem here isn't technical: it's dealing with the very human tendency to sweep difficult truths under the rug. You'll get pushback. Live with it. Better yet, overcome it.

Adapting models to a moving target

The core challenge is not that cyber models are useless, or that cyber risk cannot be insured. It is that the environment those models are trying to measure is moving, and the data used to describe that environment is changing with it.

Insurance is important, a necessary enabler of innovation and commerce, and that hasn't changed. Neither has our fundamental job: to predict the future well enough to price it. What has changed is what that job now requires. In a domain where the environment is moving, predicting the future demands more than extrapolating from the past. It demands understanding how the system is changing right now, which requires accepting that the data used to describe it, and what that data means, are changing with it. The past tells you where the system has been. In cyber, that is no longer enough to tell you where it is going.