Despite the high-profile nature of cybercrime, risk transfer has barely scratched the surface of this peril, with cyber insurance accounting for approximately 0.3% of the global property and casualty market. What is holding insurers back from this potentially profitable market?
Put simply, insurers are cautious because cyber is different to, and more complex than, other risks. A lack of historical data, the potential for catastrophe-scale losses, the presence of an active adversary, and the broad operational scope of cyber have left most insurers observing from the sidelines.
The good news is that progress is being made in addressing these concerns, especially in the area of analytics. The emergence of behavioral analytics has opened up a vast universe of data that enables powerful predictions at an individual, organizational, and portfolio level.
Behavioral analytics is a method which exploits the rapid increase in volume of data externally available about organizations and individuals. It gathers real-time data on enterprise-wide factors and uses machine learning and artificial intelligence to model the changing environment at scale.
Below we explain why, when viewing cyber through the lens of behavioral analytics, many of the concerns about cyber data are in fact myths:
Myth #1: There is not enough data to prudently underwrite cyber.
Historical data is certainly limited for cyber, but real-time data is not.
Any individual or organization connected to the internet leaves a digital footprint, which gives “clues” about the sophistication and effectiveness of their cybersecurity and their attractiveness to a potential adversary.
For example, the turnover of an IT security team, the patching cadence for software, and the presence of unused services are all proxies for whether an organization is in control of its cybersecurity.
Behavioral analytics uses these “clues” to build a powerful predictive model, processing over a petabyte of data a month.
Myth #2: Today’s models do not account for the broad operational scope of cyber.
Cyber risk is not an IT risk, it is an enterprise-wide risk. While many models focus on one aspect of cyber, behavioral models gather data on the entire ecosystem of an organization, including technology, processes, past outcomes, and human factors such as error and intent.
Myth #3: The active adversary component of cyber is opaque and unpredictable.
Cybercriminals’ motivation and patterns of behavior are less understood than a person committing theft or fraud, and traditional models struggle to account for this.
However, criminal behavior is a central component of behavioral modelling. Data on the dark web and behavioral proxies such as employee satisfaction surveys illuminate how cybercriminals operate and which companies are vulnerable.
Myth #4: Global accumulation risk is too unknown and complex to model.
Identifying portfolio risk for cyber is actually no different than for traditional perils, albeit the accumulation indicators are less tangible. Examples include a dependence on a common service provider or using the same version of a particular type of software. Behavioral analytics can identify and model thousands of these digital “fault lines” for an entire book of business.
Leaders within the insurance industry are already deploying behavioral analytics to great effect to underwrite cyber profitably and manage portfolio exposures with confidence, but the wider global insurance industry has yet to catch up.
Insurers that start their cyber journeys today will only maximize their opportunities and the good news is that technological advancements in advanced cyber software are making that possible.
Paul Mang is Chief Innovation Officer at Guidewire Software. Read his full paper on how behavioral analytics is shaking up cyber insurance: Cyber Insurance: Breaking Down Barriers Through Behavioral Analytics.
Learn more about how Guidewire Cyence is using behavioral analytics to support insurers today.