Cybersecurity insurance companies run into data smog
Cybersecurity insurance, a new buzzword among Indian insurers, has crucial barriers to hurdle before it can live up to the potential promised by the companies.
Lack of actuarial data on cyber-attacks, murky disclosures by corporate victims, and the incredible speed at which a breach may spread globally have companies in a bind. Actuarial data help insurers evaluate financial implications of risk and uncertainty by applying mathematical and statistical methods, while devising solutions to reduce chances of any future risks and occurrence of any undesirable events. In case of cyber security insurance, actuarial data are scarce as it is a new line of business. And the little data that insurance companies have lose relevance because cyber threat keeps getting deadlier.
This comes after a report from Carnegie Endowment for International Peace which found that Cybersecurity Insurance is a must. It found that “harnessing the full potential of cyber insurance will be imperative for preventing systemic cyber incidents of concern for governments and the private sector alike.”.
The report argued that the private sector cannot rely on the Federal government for full cybersecurity protection, and should instead look to cyber insurance to reduce its exposure. However, before private sector companies can depend on cyber insurance, the insurance marketplace needs to change.
Earlier this year, Warren Buffett said cybersecurity incidents will rise, and with them the potential to significantly harm the insurance industry. He said he doesn't want much underwriting exposure to cybersecurity threats for Berkshire Hathaway's insurance businesses, and expressed scepticism that any insurance company can assess the risk for cybersecurity events.
“While the insurers are confident about how cyber risk affects different businesses, they currently face a challenge of lack of enough actuarial data in this new space. Hence, insurance companies rely on qualitative underwriting assessments to evaluate the risk exposures of each client and their security posture,” said Sushant Sarin - Executive Vice President - Commercial Lines & Reinsurance, Tata AIG General Insurance Co. In order to get the insurance market from where it is to where it needs to be, the report also highlighted actions that both the insurance companies and the Federal government can take to improve the strength of cyber insurance. These include relaxing barriers to cyber risk information sharing among insurers and adjusting recruitment and training to enhance cyber expertise and expand collaboration with cyber risk and threat intelligence professionals.
The cybersecurity insurance segment is growing anywhere between 50 and 100 percent annually, according to aggressive growth projected by various insurance companies and brokers. However, with the growth has come some caution on how to assess a cyber-risk. Bajaj Allianz, HDFC Ergo, ICICI Lombard, and Tata AIG are seeking help from either cyber experts or global reinsurance companies.
“There is reason for concern. The risk is new and the effects are global. Cyber risk can affect different entities of one company across the globe or different companies at one go. Underwriting cyber insurance is a challenge because there aren't too many models for risk assessment,” said Sanjay Datta - Chief Underwriting, Claims and Reinsurance, ICICI Lombard.
“There is a lot of scare but data on losses caused by attacks are not known. A scientific analysis is not possible. We don’t price insurance, we depend on reinsurance players,” said Anurag Rastogi, Member of Executive Management, Chief Actuary and Chief Underwriting Officer at HDFC ERGO General Insurance. “It is indeed complex - cyber insurance. We will take time to understand it.”