Cyber insurance: Overcoming the risk barriers and moving forward with growth
Moody’s RMS’ Damini Mago explores the evolution of cyber modelling.
Cyber represents a sizeable insurance market, with current global cyber premiums valued at $11.9bn. As businesses grow increasingly reliant on digital infrastructure and cyber threats become ever more sophisticated, by 2027, the market is set to reach $29.2bn.
But last year’s hardened market highlighted insufficient levels of cyber capacity, as insurers remain unsure about systemic aggregation risks. Risk diversification, which is vital for cyber, is difficult to achieve using traditional parameters such as industry, company revenue and country. These have a minimal effect in certain cyber scenarios, as attacks may exploit vulnerabilities in common operating systems or cross-platform software.
With traditional nat cat risk differentiation found wanting, the constantly evolving nature of cyber threats means that, to accommodate growth, cyber insurers need new, dynamic approaches and need to develop coverages that adapt to and mirror this ever-changing cybersecurity threat landscape.
When navigating this complexity, insurers turn to two fundamental pillars of cyber risk management: risk selection and risk modelling.
First, risk selection. An essential cyber underwriting step, it typically involves a thorough examination of a client’s IT network using questionnaires and external data sources, including ‘outside-in’ scans that detect network vulnerabilities, such as open ports that could expose a client to cyber threats like ransomware.
Scans and questions can reveal a client’s current risk management practices, but fail to predict future vulnerabilities or how a client might tackle them. Using retrospective views can lead to oversimplified models that overlook or misrepresent the continually evolving nature of cyber risk, from the volume and types of attacks to the shifting targets.
Second, cyber risk modelling, akin to natural catastrophe risk modelling, aims to apply robust methodologies to quantify risk for technical pricing and the understanding of portfolio and catastrophe risk.
Applying catastrophe modelling principles to cyber risk is challenging due to the vast complexity and variability of cyber risk scenarios. Reflecting the countless software interactions and varying responses to disclosed vulnerabilities across companies, a cyber model would potentially require billions of unique scenarios to accurately characterise the risk.
Avoiding overly prescriptive event definitions in favour of broader definitions that encompass the risk, Moody’s RMS’ approach adheres to the law of large numbers and explores the physics and dynamics of the cyber ecosystem. This allows for more effective cyber risk modelling by smoothing over individual uncertainties and accounting for the ‘unknown unknowns’.
The risk landscape has seen considerable evolution in the past year, especially in the realm of attrition risk, which is in constant flux. Additionally, the IT industry’s ongoing updates and evolutions in exclusionary language mean insurers need tools with the flexibility to experiment with insurance wordings and exclusions, thereby enabling them to explore a range of possible outcomes.
Viewing the risk through a lens of system physics and broader data now allows modellers to capture the existing cyber risk landscape more effectively, with refreshed threat actor and vulnerability data in the model framework.
It is now also possible to delve deeper into individual nodes within modelling frameworks, using technographic data for account-level differentiation. This includes important factors like patching cadence – examining how often an organisation reviews systems, networks, and applications for updates that remediate security vulnerabilities.
Patching cadence is now a secondary technographic modifier in our contagious malware/ransomware model to assess the variations in patching speed within a vulnerable population.
Selecting risk characteristics such as patching cadence allows users to shape the view of risk more accurately and present an objective measure of sensitivity to a catastrophe event, allowing better preparation and response.
Evolving cyber risk modelling to more effectively capture the risk landscape will help insurers to explore and gain confidence with cyber risk, and open up new opportunities.
Damini Mago, senior product manager, Moody’s RMS