Pricing cyber risk
A challenge indeed, but there are solutions
Cyber risk is growing in importance for both organisations and individuals, and consequently the insurance industry has a great opportunity to provide meaningful risk transfer and management solutions for it. However, when it comes to determining risk-adequate pricing for cyber insurance contracts, there are many challenges that make it difficult to apply standard actuarial techniques.
1. Data quality and quantity
- Insurers may have little historical underwriting and loss experience to draw from. Where there is experience, coverage for cyber risks may have been packaged with other types of insurance making it difficult to separate for analytical purposes.
- The data attributes captured may be limited to generic insurance items like premium, policy limits and loss amounts. Attributes of specific importance to cyber may not be available or captured in a consistent way.
- Further, unintended exposure to cyber risk can exist in other types of insurance (known as ‘silent cyber’ risk). This is another area of unidentified cyber exposure and losses.
This generally means that actuaries do not have the data sets available of the standard that they are used to working with.
For this reason, commonly agreed data schema should be used. Such schema allow more efficient data transfer between industry participants (client to broker to insurer to reinsurer), and can facilitate anonymised data sharing mechanisms that the whole market would benefit from. Munich Re is supportive of the development of such data sharing mechanisms.
Capturing more data brings additional but necessary administrative burden. But there is also an innovation opportunity for the insurance industry here, by developing data capture mechanisms that don’t only rely on the clients.
Silent cyber risk must be dealt with, by removing coverage ambiguities such that it is either clearly included or excluded in each contract. Wherever it is included, relevant data should be captured to allow the cyber risk to be understood, quantified and adequately reflected in the pricing.
2. Changing risk dynamics
- Dependency on new technologies (e.g. cloud computing, IoT, industry 4.0, digitisation) in everyday life and business is increasing rapidly, meaning exposure to cyber risk is also increasing.
- The attack techniques used by cyber threat actors are constantly evolving through innovation and in response to improvements in cyber defences.
- Regulatory change (e.g. GDPR) can both reduce and increase cyber risk. For example, regulation may be a catalyst for improved cyber risk awareness and mitigation. Conversely, costs in the event of a cyber incident may increase, for example, due to increased incident reporting requirements, compensation payments for affected third parties, and the potential for larger fines.
These changing risk dynamics mean that the usefulness of historical data for predicting future outcomes is limited. Actuaries therefore need to place greater reliance on their professional judgement incorporating expertise from cyber risk specialists and underwriters.
3. Market conditions and uncertain accumulation risk
- The cyber insurance market has grown significantly in recent years, and has further significant growth potential. This makes for a buyer-friendly market in some respects, as certain insurers or brokers look to differentiate themselves to clients by offering expanded coverage terms.
- Conversely, certain insurers are cautious about increasing their exposure to cyber, given that understanding the accumulation potential remains a key challenge. Recent events such as NotPetya have demonstrated the accumulation potential that exists. Accumulation models employed by insurers are rapidly improving, yet market capacity remains limited compared to the breadth and size of coverage that some buyers would like.
The coverage differentiation can result in challenges for underwriters to maintain adequately tight contract wordings, to avoid unintended exposure, such as any accumulation risk that has been deemed uninsurable. For example, unintended ‘holes’ in exclusions will undermine the pricing process, before it has even begun.
Care needs to be taken when analysing rates observed in the market. Even in cases where markets have been historically profitable, this doesn’t necessarily mean that the market is charging a risk adequate price for the accumulation risk it is accepting.
Actuaries need to fully understand the intended coverages, and consider which loss events would and would not be included, and how severe they could be expected to be under the specific terms of each contract.
4. Reflecting individual risk characteristics in pricing
The impact of differences in exposure and protection attributes from one risk to the next, on both expected claim frequency and severity, should be considered.
The effectiveness of an insured’s risk mitigation activities should be determined through a suitably robust individual risk assessment, relative to the complexity of the risk in question, and be adequately reflected in pricing.
It follows that pricing in the market should tend towards reflecting true relativities between risks, with the following impacts:
Impact on insureds
As the drivers of claim frequency and severity become better understood and reflected in pricing approaches used in the market, larger pricing differences between ‘good’ and ‘bad’ risks can be expected. The ‘good’ risks can expect favourable pricing outcomes, while the ‘bad’ risks should be motivated to improve their cyber ‘hygiene’.
Impact on insurers
Insurers that use better risk-based pricing approaches in the market, can reduce margins for uncertainty within their pricing, as their understanding of the underlying risks improves. In a competitive market, these reductions can be passed onto clients.
Munich Re has been recognised by industry peers as the world’s leading cyber reinsurer1. Feel free to speak to us to find out more.