Cyber insurance exposure is hard to measure - but are we "kidding ourselves"?
“Anybody that tells you now they think they know in some actuarial way either what the general experience is like in the future, or what the worst case can be, is kidding themselves.”
Warren Buffett’s opinion on the uncertainty associated with measuring cyber insurance exposure was the challenge put before us on a panel at the NetDiligence Cyber Risk Summit in Bermuda. I joined Erica Davis of JLT Re, Ridhima Kale of Guidewire Cyence and Tom Harvey of RMS to discuss some of the hot topics in aggregation modeling for cyber insurance. It was a great opportunity to engage with others in the industry on how we are confronting some of the hardest questions facing the cyber insurance market.
I commented that cyber presents us with unique challenges because it combines 3 general characteristics: it is systemic, intangible and driven by human action. These qualities can be found in other classes of insurance, but no other combines them to the same level of complexity as that found in cyber risk. They mean that data is hard for insurers to obtain and make sense of; events can take on a ‘chaotic’ quality with effects cascading in ways that are hard to predict; that threat assessment must account for a very wide spectrum of capability and intent.
Returning to Mr. Buffett’s comments – if the cyber risk is systemic, intangible and driven by human action, how will we ever achieve a foundation for sustainable insurance? We agreed that the answer lies in developing tools that can reduce uncertainty and enable better decision-making. It specifically does not mean creating a ‘black box’ that generates numbers to be believed as an act of faith. These tools are developed through high-quality and diverse sources of data, and the long-term commitment of multi-disciplinary teams to develop the specific analytics required for (re)insurance.
We then turned to the question of how these tools are being used today. At CyberCube we are seeing our cyber insurance analytics platform being used in increasingly sophisticated ways to enhance our clients’ own view of risk and directly inform risk transfer decisions. We are constantly challenged on the assumptions in our model, on the design of scenarios and myriad other questions relating to the ways in which we assess cyber risk. This is a sign that the (re)insurance market is learning quickly and is on a path of innovation through critical evaluation. We are making great strides in meeting Mr. Buffett’s challenge.
The answer lies in developing tools that can reduce uncertainty and enable better decision-making. It specifically does not mean creating a ‘black box’ that generates numbers to be believed as an act of faith.