The challenge of pricing cyber risk - does it feel like nailing jelly to the wall?

According to the Allianz Risk Barometer 2018 business owners consider cyber incidents to be the second greatest threat to their organisations. Cyber threats were second only to business interruption, with respondents citing a cyber incident as the most feared cause of business interruption.

Companies are becoming more concerned with the security of their data and the consequences they might face should they suffer a breach. Last year’s implementation of GDPR across Europe means that negligent businesses could face fines of up to four percent of turnover or €20m, whichever is greater, alongside the significant costs and damage that a cyber breach would cause.

Clearly, cyber risk protection and mitigation present an enormous business opportunity for insurance carriers. During 2018 many businesses turned to cyber insurance to protect themselves from potential risks, with one insurer, Hiscox, seeing annual growth of 40% in cyber insurance business.

However, calculating cyber risk is far removed from calculating typical commercial risks and presents a unique set of challenges. Besides being a relatively new threat, the nature and potential of cyber risks are changing at such a rate that data needs to be collected in a dynamic, real-time manner for insurers to keep pace with ever-changing threat vectors. If underwriters are to keep ahead of these changes and price cyber risks accurately, they need to change from an approach based on hindsight to one based on foresight, grounded on the most up to date data available. To achieve this, and properly account for future risks, underwriting needs to be based on predictive models created by the intelligent use of data and machine learning technologies.

It is worth noting that cyber risk models cannot purely look at technology. Whether malicious or benign, human actions often play a part in cyber incidents and represent a risk that cannot be prevented by technology alone. Accordingly, a holistic, data driven approach that understands the nature of the cyber risk faced by companies should be employed to calculate cyber threats accurately.

Underwriting requires turning data into an economic model. Doing this dynamically, and at the scale required to make it useful, necessitates having an analytics platform that leverages artificial intelligence to cope with all the relevant data sets. Compounding this, insurers are focused on performance across their business, so cyber risk models need to consider the economic impact of risk accumulations, aggregated events, and disaster scenarios.

We have reached a point where no amount of cyber security software is going to protect a business entirely from the evolving threat landscape faced by companies today, making cyber insurance a necessary tool in a business’s arsenal. The rapidly changing threat landscape also means a significantly different approach in how insurers assess and price risks. If they are unable to price cyber risks accurately or competitively this will mean a bad deal for customers; more than likely a terminal blow for the insurers.