Q: What do US paper mills fires, a 1992 North Atlantic hurricane and cyber threats have in common?
A: No-one was fully prepared for these new disasters and the fallout from the losses changed insurance forever.
As the insurance industry tackles the looming cloud of cyber risk and how to underwrite it sustainably, it is important not to rely solely on historical data, or one view of risk.
So said JLT Re’s Erica Davis, Willis Towers Watson’s Tom Srail and CyberCube’s Oli Brew in a recent webinar, hosted by Advisen’s Erin Ayers.
CyberCube’s Oli Brew used the example of Hurricane Andrew in 1992, stating that 11 insurance companies filed for bankruptcy after the Cat 5 hurricane veered off it’s expected course and caused record levels of damage and insured losses. Many insurers had not contemplated such an event and were left with crippling losses. Why? Because it hadn’t happened before.
Brew cautioned the cyber insurance industry not to “underwrite via the rear-view mirror” and make similar mistakes, as threats can move on very quickly in this dynamic risk area.
“One challenge is how to underwrite in a forward-looking way,” he said on the webinar. “That’s where the power of data: security metrics, loss data and internet-scanning insights can inform in a forward-looking manner.”
It is healthy to apply a dose of skepticism, when it comes to the current offerings of underwriting tools and analytics for cyber, the panel said. We are still in the early stages of the maturity curve on analytics in the cyber insurance sector.
Although underwriters are increasingly open to adopting new data sets to apply to the underwriting process, they can’t provide a 100% accurate picture of the exposures inherent in a single risk or portfolio.
“The industry is aware that it should be using different insights to help understand risk,” said JLT’s Davis. “But it is naive to think an underwriter looking at an application form would have the full picture of risk and controls – but also dangerous for them to put full faith in an analytical tool….”
Tom Srail emphasized the importance of taking a holistic view of cyber risk, including face-to-face meetings, historical loss data, standard information such as ISO or NIST and other internal and external data sources, when underwriting a risk.
It’s important that underwriters continue to be flexible in the data sources they apply to underwriting, Srail said. “Clients want the best coverage, terms and conditions – but they are also very motivated to ensure their insurers and reinsurers are financially strong,” he added.
Davis agreed: “In the reinsurance sector, we really care about aggregation. It’s important to consider how cyber insurance products are created for the long-term,” she said.
“The industry needs to be thinking about aggregation now – not once capacity shrinks after a large loss. There is aligned interest for buyers and carriers in creating a sustainable market that allows insurers to understand their exposures,” Brew noted.
If we are to learn from the mistakes of other sectors – such as fire and hurricane insurance, underwriters need to embrace a range of data points, from the past, present and into the future.
Davis is encouraged that carriers are using more data to inform underwriting: “Finding the right balance between submission information, underwriting questions and data is important. Not one approach is the be-all, end-all – there is value in using a number of methodologies.”