In our personal and professional lives, we seek to minimize risk. Certainly, we want to avoid the risk of injury and disease, but almost every risk contains a threat of financial loss. Which is better—to sustain a financial loss and then be compensated or to avoid the loss entirely?
This is where we need to think and act like risk managers, officially or unofficially, in nearly every major decision we make. Do you wear a seat belt, exercise, eat a balanced diet, and avoid extreme sports? You are managing risks to your health. Do you have a fire extinguisher, an investment adviser, a 401(k), an individual retirement account, or an insurance policy? In all of those ways, you are managing financial risk.
The Risk Management Toolbox
Insurance is a key tool for managing risk, but it’s just one tool in a pretty diverse toolbox. Think about the “mature” risk of fire, which we understand pretty well. We build and buy fire-safe homes and buildings, and we have sprinkler systems, fire hydrants, fire extinguishers, and fire drills. We avoid storing greasy rags next to the furnace. We practice all of this useful hygiene to mitigate the risk of fire. Just in case we still fail, we buy fire insurance. Insurance can’t prevent the fire, but it can alleviate the financial loss in the wake of one.
When we consider cyberrisk and the accompanying cyber claims in the same light, the fundamentals are the same, but we are at a distinctly different level of maturity because it’s a relatively new risk. It frightens those in risk, and it frightens insurers. Some of those in risk choose to ignore the threat, doing little or nothing to mitigate the risk of a breach. Others, sometimes in a panic, scramble to insure the risk or call on their information technology professionals to “handle” it. Few are trying to methodically find ways to manage the cyberthreat using all the tools in the box.
Cyber Hygiene
Insurers are a step ahead, but sometimes it is just a small step. The early response from insurers was “How can we exclude coverage for cyber?” Then, we saw a flurry of fragmented policies offering narrow coverage, sometimes just for third-party liability exposures, sometimes for specific first-party losses like damage to electronic records or business interruption. All in all, it was confusing for everyone.
Keep in mind, there was a time when the threat of fire was considered too volatile to insure. But over the centuries, we developed good hygiene in managing fire risk in the form of fire brigades and building standards, and now no one is panicked about fire risk.
Cyber is an immature risk, not only in the sense that so few are taking a holistic view toward managing the risk, but also because we have relatively little empirical data about it. It’s a fundamental principle of insurance that we let the law of large numbers work for us to measure and price risk. For an easy example, think about auto insurance. Based on a huge population of relatively homogeneous cars and drivers, we can measure the exposures (in terms of cars insured or miles driven), and we can know with some precision the loss costs that result from those exposures. With that data in hand, actuaries can establish future rates that are fair and adequate.
Dude, Where’s My Data?
Where is the data for cyberrisk and cyber losses? We see the headlines about the major events, but these can serve more to distract than to inform. Cyber insurance still is too new to have generated much exposure or loss data. Further, we haven’t yet seen the first catastrophic cyber loss event. How can we begin to know how to price it? Insurers are scrambling to put together policies that address the unique exposures of organizations in different industries without sufficient data to measure those exposures or price the risks.
There’s plenty of predictive modeling that attempts to gauge that risk, and perhaps even assign probabilities for the maximum size of a possible loss, but we’re still in the very early stages with cyber. We know just how hard it is to predict and price “normal” naturally occurring catastrophic events like hurricanes; just look at all of the insurers that became insolvent in the wake of Hurricane Andrew. Without any long history of events, cyber is just that much more challenging.
At this point in time, we have models but not much data on cyberrisk. For just about any line of insurance, the long trail of historical data on exposures and losses provides not only critical pricing information, but also a basis for crafting and revising policy language. Over time and with a body of evidence about loss events and court decisions, the industry can craft policies that protect those in need while not subjecting insurers to a greater threat of insolvency.
Implications for Claims Professionals
For most lines of business, claims professionals have a lot of training opportunities. But because the history of cyberrisk and cyber claims is relatively brief, there’s a shortage of either formalized or on-the-job training for claims involving cyberrisk. There can be a need for a lot of legal help on claims involving third-party cyber liability, and a lot of technical expertise to investigate a cyberbreach of any nature.
For claims like cyber, with a small but growing frequency and the potential for large losses, claims handling expertise is at a premium. Can an insurer hope to handle cyber claims with the same claims staff that handle other general liability claims? Where do you find experienced claims professionals who also understand the technology behind cyber forensics? Insurers may look first to outsource the handling of these complex claims.
Future State of Cyberrisk Management
Over the next several years, insurers will accumulate first-party and third-party cyber losses to inform future policy language and rates. And, of course, claims professionals will learn, often the hard way, about best practices for helping insureds in the wake of cyber claims.
One might expect that the future state of cyberrisk insurance will more closely resemble equipment breakdown (boiler and machinery) coverage. In other words, the focus of the insurer will be much more on loss control (that is, loss avoidance) rather than paying claims in the wake of a loss. Insurers embrace that role in almost every line of business, but with mature risks, the insured already has plenty of information about good fire safety habits.
Boiler and machinery exposures are sufficiently complex that it’s difficult for insureds to master best practices in loss control, and that is why the insurer has such a valuable role. Until we reach the state when cyber is just another risk, insurers have a big opportunity to step up and provide some critically needed loss control services for cyberthreats.