Cyber risk and insurance continue to gain momentum. More companies realize they need it. And insurers are expanding coverage – and enjoying profitability. That said, cyber insurance continues to be an especially risky insurance line.
This is part of what I discuss in my recently published article, “Expansive Variance.” Published in Actuarial Review, I titled the article very deliberately. The variance of risk expands in new ways every time I investigate cyber risk and insurance.
And frankly, the more I learn about cyber risk, the more concerned I become.
Cyber risk and insurance are expanding.
My article digs into the reasons behind the growing risk and new tools for actuaries and underwriters. Two particular trends stick out. First, Internet of Things technologies continue to introduce vulnerability to cyber attacks and personal privacy. Perhaps the best example of hacking through via app is last year’s Facebook data breach.
Meanwhile, the bad guys, who have the creativity to walk the gauntlet of cyber protections, are quite innovative. Last year’s Equifax breach, the largest in United States history, is a case in point. Despite tight cybersecurity, the breach pulled the personal data of more than 145 million Americans in a seven-week period. Another attack, less widely known to consumers, turned off factories and interfered with commerce all over the world.
The bad actors are also discovering ways to deploy artificial intelligence to mask coding to reach directly into personal computers. And for the less innovative, the old-fashioned and tried-and-true attack methods, such as email phishing, remain effective. Many companies still need to get religion on cybersecurity. Hackers are sometimes getting away with their dirty deeds because companies do not keep up with security patches.
These breaches serve as warnings of what could come. Everyone who knows about cyber risk and insurance fear “big one” — that cataclysmic breach that could put the world on its knees. Insurers are also very concerned about it, spreading risk across individual industries to reduce exposure.
Cyber Risk and Insurance
The article also describes the unique challenges insurers are facing beyond cyber risk itself. Currently, cyber insurance is generally profitable. The market is so competitive that it is sometimes underpriced. Executives of non-cyber insurance lines are also concerned that their coverages are picking up cyber loss.
Insurers have very different philosophies on covering cyber risk. For Warren Buffett, chairman of Berkshire Hathaway, Inc., cyber risk and insurance just too risky. He believes that each year carries a 2% chance of a super catastrophe costing $400 billion or more in insured losses. Not surprisingly, his insurance group is mostly staying away from covering cyber risk.
But there’s plenty of insurers – about 170 depending on classification – which are happy to offer cyber insurance. AIG and Chubb are two examples. Insurers also have more insurance scores for cyber risk than ever before. Depending on the product, such cyber scores can evaluate risk potential by company and can watch how the risk changes.
Privacy Regulations and Laws
Consumers have little remedy when personal data breaches occur. Cyber insurance covers cybersecurity protections for a limited amount of time, say two years or so. However, there is nothing that can be done to get the information back. The bad guys have it forever. Thankfully, cyber insurance for individuals is just starting to become available.
Last week I attended a seminar on protecting personal privacy sponsored by the Atlantic magazine and Salesforce.
Speakers discussed a social contract, which presumes entities collecting our data will protect it. However, this social contract has little law to support it. One privacy attorney says that the Facebook breach, while unethical, is not illegal.
The bad guys,
who have the creativity to walk
the gauntlet of cyber protections,
are quite innovative.
Americans assume the government is making sure our data is respected and kept private. But in truth, our public policymakers are behind the curve. As someone at the seminar joked, “Europeans regulate what Americans innovate.” Legislative remedies are being considered by Congress. During the seminar, Senator Mark Warner (D-VA) mentioned a recent hearing where the nation’s largest search engine’s representatives were notably absent. The company, however, is showing up to help China with their internet although its employees are protesting and some have quit. This is the country that is following every move of their citizens to determine their “trustfulness” and is also blamed for particular cyber breaches.
My article describes new regulations from the European Union that affect American companies. California also passed an aggressive law to protect consumers. It goes into effect January 1, 2020. Not surprisingly, technology companies are fighting the restrictions the new law will impose. After all, they need personal data to sell ads. The European and California laws have potential ramifications for cyber insurers, but those details are yet to come.
Note: My last article about cyber insurance discusses particular challenges for actuaries. To see more of my cyber articles, just enter “cyber” in the search bar below.