The Management of Industrial Cyber Risks

Risk Management is a discipline that deals with uncertainty and, simply put, involves the process of identifying, assessing, and controlling the impact of risks that form part of the life of a business. 

This much is obvious to everyone involved in risk management, whether your role involves managing the risks of your own company, assuming risks as a professional risk taker, or safeguarding the financial system or the wider community as a regulator. The challenge to successful risk management lies in the differing nature of risks, and industrial cyber risk presents a particularly significant challenge.

This blog is an introduction to a series of commentaries regarding the management of industrial cyber risk with emphasis on the transfer of it via insurance and alternative capital mechanisms. It is seeking to, amongst other things:

  • Identify the serious limitations currently holding back the successful growth of the necessary risk transfer market for industrial cyber risks.
  • Provide suggestions and potential solutions on how those limitations could be counteracted and possibly eliminated over time.
  • Learn lessons from actions taken in the past that enabled the subsequent growth of risk transfer capital after the market experienced events that seriously impaired risk capital availability and, in some cases, threatened the existence of those markets.

Static vs Dynamic

Most risks traditionally undertaken by risk transfer capital have “static” characteristics. Changes to the risks may take place, but usually over an extended period of time, and this is in many respects why insurance policies have durations of one year. As further evidence of this view, insurers have not been keen to issue policies with durations greater than three years. The inference is that the risk will change over time, but the general consensus seems to be that a three-year period will not normally produce a significant change. This also exemplifies the practice of underwriting on information that lags the risk itself.

This is not the case for cyber risk. It is highly dynamic, with changes potentially taking place daily rather than as a slow burn over months or years. Intellectually, everyone knows this creates the need for real-time data feeds and dynamic risk transfer mechanisms designed to act on that data; the challenge is how to structure and create the processes required to achieve this pragmatically. A holy grail in many respects, but hopefully not as elusive.

The Data Conundrum

(Note: As insurance is the main mechanism utilized for the risk transfer of industrial cyber risk, the points made herein are geared to that market).

Currently, cyber insurance for industrial risks is mainly underwritten on qualitative data about a company's cyber defenses. While this is one important ingredient in the assessment of cyber risk, evidence-based, quantitative (and auditable) data on actual exposures is essential, and insurers' need for it is not limited to pricing the risk. Such data is required for several very important functions that underpin the security, profitability, and longevity of the insurer: capacity setting, capital allocation, loss reserving, accumulation assessment and control, and catastrophe scenario analysis. Basing your underwriting on a qualitative score of “A” does not really help you, for example, in accurately establishing capital allocation, which affects your profitability and could give rise to regulatory and rating agency challenges. Paradoxically, evidence-based quantitative data is the foundation of underwriting in traditional classes of insurance.

Figure: The shift from qualitative to quantitative data sets is required for accurate cyber risk policies and mitigation strategies.

The above limitations are some of the issues that will be addressed in future blogs and commentaries from the DeNexus team. More importantly, we will address the potential actions that can be taken by large underwriting institutions trying to come to terms with a growing cyber risk market.

DeRISK Insurance - quantify and value the business impact of cyber risk in real-time

For more information on DeNexus and how the DeRISK Platform addresses cyber risk for (re)insurers, download the DeRISK Insurance Brief.