Cyber insurance product development – challenge & opportunity

Cyber risk is difficult to assess and model. This considerably limits insurability, as insurers need to add significant safety margins to premiums and limit covers to a point where it impedes customer suitability.

Improving risk assessment capabilities by incorporating real-time cyber security data into the product development and underwriting process will open opportunities in a potentially enormous and fast-growing market, not only through more accurate pricing but also by incentivizing prevention measures for the insureds. The transition requires improved collaboration in the “cyber ecosystem”, especially with regard to shared data standards.

1) The challenge - a lack of data maturity limiting product innovation

Cyber insurance faces three main challenges: accurately assessing risk, offering appropriate cover limits, and pricing policies competitively while ensuring profitability. Additionally, there is the difficulty of predicting and mitigating the economic impact of a catastrophic cyber incident like a critical failure of a major cloud provider.

Currently, the cyber insurance ecosystem is in a suboptimal position to meet these challenges and respond well to the threat of a cyber catastrophe. A data infrastructure in its infancy and limited data collaboration are at the root of this. We summarize this as a lack of data maturity.

Cyber is a human-driven risk, and its impact potential is fuelled by the drive of digitalisation as well as rising geo-political volatility. A rapidly evolving threat landscape, digitalisation accelerated by new technologies, and cloud concentration are global challenges amidst a daunting shortage of cyber security professionals and education.

Insurance has a role to play

Here too, insurance plays an important economic role by providing incentives for risk-mitigation behaviour, smoothing volatility, and building societal resilience. To do this effectively, the insurance industry must be able to quantify, predict and manage the risk reliably & efficiently. Its ability to do this in the cyber space has been limited by the difference between the rapidly changing nature of the peril and the methods insurers traditionally deploy for risk assessment & insurance product design.

Cyber insurance today

Information exchange uni-directional & annual in frequency at best

Challenges for Cyber Insurance Product Design

A true, real-time view of the cyber security risk posture of customers has thus far not been available for risk assessment purposes mostly because of missing provisioning infrastructure.

Collecting information on the cyber security risk posture of an insured happens via underwriting Q&A disclosures (usually once at application) and costly due diligence, which is restricted to high-ticket policies due to commercial feasibility.

Comprehensive pooling of incident (claims) data as known for other lines of business (like motor insurance) has not yet been achieved.

Insight into the risk-predictive nature of cyber security related information of customers is therefore underdeveloped.

Product pricing and cover limits often don't reflect customer needs – creating almost an economic disincentive for customers to improve their cyber security risk posture (once they are accepted for insurance).

Lacking Data Maturity

This lack of data maturity leaves the market in a suboptimal state, with millions of companies often under-insured, with high premiums, but not high enough to cover for a catastrophic cyber incident.

An ecosystem of cyber-MGAs, brokers, risk modellers, and cyber service providers is working to gradually overcome the problems listed above. Still, they haven’t bridged the gap sufficiently for insurers’ product design to be able to fully adapt. So, what must happen to change this status quo?

2) The opportunity - data-driven innovation for sustainable growth

The direction of travel seems clear: incorporating real-time cyber security data (next to exposure and claims data) into cyber insurance product design will allow for the risk insights needed to improve price/cover of cyber insurance propositions.

Insurers aiming to lead this technological evolution will want to consider:

  1. Model upgrades:
    Cyber risk modelling upgrades enriched with real-time inside-out information on the actual cyber security risk posture of the insured.
  2. Enriched data:
    With this enriched information, new avenues in product design open, with dynamic pricing/cover and risk mitigation incentives becoming powerful tools for insurers and insured to manage cyber security risks.
  3. First movers’ advantage:
    Of course, we must get to this stage first. Current scope and availability of inside-out data is limited, but rapidly growing. With time, the efforts of the many players in the ecosystem will bear fruit and become more and more useful for the purposes of insurance. Insurers can move early and be at the forefront of these developments.
  4. Standards & Taxonomy:
    This will not work without defining effective standards and taxonomy between cyber security & insurance. Establishing a common understanding of what standards constitute good cyber security hygiene that can be applied in insurance product design is essential.
  5. Data collaboration:
    Collaborating not only on risk-pooling, but also data-pooling is something the insurance industry is known for across different product lines (motor, credit, etc.). Establishing the entities and data pools where information is shared in a secure & compliant manner is important for ensuring quality & trust in the ecosystem.

Data-driven cyber insurance

Enriched with inside-out, real time insights on the insured’s cyber risk posture

Achieving this state of Data Maturity will not remove the risk a catastrophic cyber incident poses, but it will certainly help in the areas of:

  • Prediction: a data mesh of real-time signal networks across the cyber insurance ecosystem for better risk-posture assessment & early-warning.
  • Mitigation: with the positive security-enhancing behaviour that dynamic cyber insurance products help create.
  • Resilience: better insights into the aggregate risk increase trust for reinsurers and potentially governments to commit more capacity to the market.

Growing Sustainably

Certainly, it’s a long road ahead towards this future state. What’s also certain is the enormous and growing market demand for cyber insurance, with premiums expected to double in the next 5 years. Insurers who already have a large exposure and the ones willing to further serve this demand will be focusing much of their attention on growing their business sustainably. For that, becoming data driven, as outlined above, will be essential.

Contact person for Switzerland

Dr. Raphael Reischuk

Group Head Cybersecurity & Partner

Raphael Reischuk is the author of numerous scientific publications in various areas of IT security and cryptography, many of which have received awards. BILANZ and Handelszeitung listed him among the Top 100 Digital Shapers in Switzerland in 2021.

Reischuk is a member of multiple international programme committees for IT security and Vice-President of the Cybersecurity Committee at digitalswitzerland. He is also the co-founder and a board member of the National Test Institute for Cybersecurity (NTC).

In 2017, he joined Zühlke, where he channels the expertise he has gained in various industries into his role as Group Head Cybersecurity & Partner. As an experienced IT security expert, he is driven by curiosity, innovation, technology, a sense of commitment and a strong business ethos.
