Cyber Insurance a Challenge for Actuaries

Technology, social media and transactions over the Internet play key roles in how most organizations conduct business and reach out to prospective customers today. Those vehicles also serve as gateways to cyber attacks. Whether launched by run-of-the-mill hackers, criminals, insiders or even nation-states, cyber attacks are likely to occur and can cause moderate to severe losses for organizations large and small.

As part of a risk management plan, organizations routinely must decide which risks to avoid, accept, control or transfer. Transferring risk is where cyber insurance comes into play.

What is cyber insurance?
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event. According to PwC, about one-third of U.S. companies currently purchase some type of cyber insurance.

The main issues related to cyber insurance can be summarized as follows:

• Evolution of information systems: An organisation's systems may easily change and new technologies appear, changing the landscape of cyber risks;

• Information asymmetry: There are many obstacles for an insurer to get reliable information about the risk exposure of an insured and it is difficult to know if this exposure will be maintained during the whole period of policy operation;

• Evolution of attacks: It is very hard to determine the rate of occurrences and, as a consequence, to assess risk exposure;

• Interdependence of security: The security level of one information system may depend on the security of others;

• Impact determination: Damage from cyber risks is very hard to estimate in advance because of the intangible nature of information assets. Moreover, reputation cost, which accounts for a large portion of the whole damage, is very difficult to estimate;

• Lack of statistical data: Data lie at the center of any actuarial project, but data are very limited in this field. Companies often do not want to reveal breaches, since they cause secondary damage, e.g. to reputation.

Challenges for cyber risk management

  • Continuous change and digitalization of traditional business models − For example, increased vulnerability of information privacy (e.g., purchase of insurance via online platform)
  • Knowledge and data deficits:
    • Asset valuation in terms of identifying valuable assets
    • Identification and estimation of threats as well as possible losses
    • Risk culture is crucial (lack of awareness for cyber risk)

Actuarial Challenges
When it comes to determining risk-adequate pricing for cyber insurance contracts, there are many challenges that make it difficult to apply standard actuarial techniques. Actuaries also don’t have experience dealing with digital security incidents, which makes assigning dollar values to any available bits of data even more difficult.

For instance, actuaries aren’t knowledgeable about white hat and black hat hackers, so it would be difficult for them to predict loss propensity or measure cyber risk for corporate networks that oftentimes extend across national borders, grant partner companies some level of access, and consist of technology that’s always changing.

According to a report, it is thought that a good starting point is to determine the costs or expenses the company needs covered and the types of incidents it wants cyber insurance to cover.

Rather than one general policy able to cover all cyber attacks, and considering the peculiarities and repercussions of different attacks, it is thought that each kind of threat can be managed by a different insurance policy, and furthermore that different companies can exhibit different levels of risk across these kinds of threats.

