Staying with the theme of last week’s post – which was an exercise in exasperation over the ongoing stream of high-profile data breaches – I decided to examine the insurance industry’s readiness/appetite to respond to this risk. My conclusion? The demand for cyber insurance is clearly surpassing the available capacity for such coverage. That conclusion certainly isn’t a surprise to anyone, and the reasons given for limited cyber insurance capacity are logical. Nevertheless, your humble blogger senses that there is reason to be concerned that the nascent cyber insurance market may not develop as risk managers hope and expect.
Insurance Journal reports that just a few insurers are cautiously wading into the cyber insurance market at this time, and that their offerings are limited by policy exclusions and low limits of insurance. Insurance buyers are seeking far more coverage than the insurance industry is ready and able to supply, reportedly because the actuarial data is insufficient to properly model cyber risk and to price the risk appropriately. More time and data are needed, experts say. Red flag alert.
Underwriting more conventional risks such as property losses caused by fires and storms, or liabilities for slips/falls, will clearly benefit from mounds of historical data. Fires, storms, and slip/fall hazards present relatively stable risks. One can argue the nuances, such as improvement of flooring technology to reduce slips/falls, and better fire protection systems, but the inherent nature of fire, slips/falls, etc. is fairly constant. Personally, I am not convinced that the cyber actuaries and underwriters are going to find anything close to a stable risk model for the cyber risk insurance products they are working on.
If we have learned nothing else over the past 20 years, we have learned that “internet time” passes by very quickly. Just as we become comfortable and proficient with the latest technology, obsolescence sets in. In my past life as a software developer, I spent a fair amount of time with my fingers in source code and I know just how quickly those coding skills atrophy simply because of the swift passage of time that brings about new software tools, methods, and insights. The basis of many cyber risks is in the billions of lines of source code throughout our systems. It stands to reason that just as the insurance industry grows comfortable with the cyber risk threat from an actuarial and modeling perspective, the target will have moved as the software and systems rapidly evolve – frequently with insufficient time to harden and protect the code from the creative attacks of hackers.
There should also be some concern over the extent to which cyber risk is or is not an insurable risk according to the textbook definition. The insurance industry functions best when the law of large numbers can work across a multitude of similar exposure units, and when losses are independent and not catastrophic. Geographic concentration of a book of business without adequate reinsurance in hurricane-prone locations has killed some insurance carriers in the past. What might a particularly nefarious and unanticipated piece of viral source code do to the Fortune 500 and their cyber insurers if it proliferates through a shared and previously unknown code vulnerability in common platforms such as Oracle databases or Cisco routers?
Cyber insurance is in great demand, and the headlines provide witness to why this is so. The unanswered question remains: to what extent can and will the insurance industry have the capacity to meet this demand, or will alternative risk management techniques be forced to fill the gap? The cyber insurance market may well be even more challenging than the terrorism risk insurance market.
We live in interesting times.