Many clients are asking how to manage potential cyber accumulations. Their concern arises chiefly from a couple of key areas: unknown exposure in policy forms and not knowing how to manage potential aggregation from third party IT vendors. As policy forms are fairly unique among clients, I will focus on addressing potential aggregations in this blog post.
Managing accumulations from cyber risks is, without question, challenging. How many of your insureds use Amazon? How many use Rackspace or PayPal? How many have the same DNS provider? If such information is not available in your systems, you have limited options.
One option to measure accumulations is to approximate potential loss through a market share approach. If Vendor X has 30% market share, and Vendor Y has 25% market share, then a simple arithmetic calculation can produce an approximate potential loss. There are challenges with this approach, however, because how bad a scenario could become is still uncertain.
Do you really write substantially more business with one particular third party vendor? Could Business Interruption from a third party disruption cause Contingent Business Interruption loss? Should policy language be adjusted to limit exposure at the potential expense of losing some policies? Although these questions are not pleasing to consider, they must be addressed.
To mitigate cyber accumulations, you could provide sub-limits. These sub-limits could restrict either amounts being claimed or conditions by which loss could be claimed. Both of these restrictions could be unnecessary if there is not ample accumulation of risk, and may create unfavorable market differentiation if competitors are not doing likewise.
Clearly it would be better to know whether an accumulation problem exists. If one existed, a targeted underwriting guideline could be implemented to see if Provider X is contracted by an insured and/or whether proper limitations of coverage to the third party vendor could be instituted.
A simple SQL query
Fortunately, AIR does have the ability to assist with accumulation issues. The Verisk™ data standard already contains needed elements to quickly aggregate vendor information in a simple SQL query. If vendors are not known for all clients, AIR can use industry data to run accumulation outage scenarios from insured third-party IT vendors.
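As an added illustration (not AIR's query and not the Verisk data standard's schema), the sketch below combines the two ideas above: it sums policy limits per recorded IT vendor, then allocates limits with no recorded vendor using the market share approach. The table names, column names and portfolio rows are hypothetical and constructed for the example, and summed limits are used as an assumed stand-in for potential loss; only the 30% and 25% shares come from the post.

```python
import sqlite3

# Constructed sample data. Table and column names are hypothetical; they are
# not taken from the Verisk data standard. Shares for Vendor X and Vendor Y
# are the 30% and 25% figures used in the post.
SETUP = """
CREATE TABLE policy (insured TEXT, it_vendor TEXT, policy_limit REAL);
INSERT INTO policy VALUES
  ('Insured A', 'Vendor X', 1000000), ('Insured B', 'Vendor X', 2000000),
  ('Insured C', 'Vendor Y',  500000), ('Insured D', 'Vendor Z',  750000),
  ('Insured E', NULL,       4000000), ('Insured F', NULL,       1000000);
CREATE TABLE market_share (it_vendor TEXT, share_pct REAL);
INSERT INTO market_share VALUES ('Vendor X', 30), ('Vendor Y', 25);
"""

# Known limits are summed per vendor; limits with no recorded vendor are
# allocated to each vendor by market share (the approximation step).
QUERY = """
WITH known AS (
  SELECT it_vendor, COUNT(*) AS insureds, SUM(policy_limit) AS limit_sum
  FROM policy WHERE it_vendor IS NOT NULL GROUP BY it_vendor),
unknown AS (
  SELECT COALESCE(SUM(policy_limit), 0) AS limit_sum
  FROM policy WHERE it_vendor IS NULL),
vendors AS (
  SELECT it_vendor FROM known UNION SELECT it_vendor FROM market_share)
SELECT v.it_vendor,
       COALESCE(k.insureds, 0),
       COALESCE(k.limit_sum, 0),
       ROUND(COALESCE(m.share_pct, 0) * u.limit_sum / 100.0, 2)
FROM vendors v
LEFT JOIN known k ON k.it_vendor = v.it_vendor
LEFT JOIN market_share m ON m.it_vendor = v.it_vendor
CROSS JOIN unknown u;
"""

def accumulation_by_vendor():
    """Return (vendor, insureds, known_limit, estimated_limit) rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SETUP)
    rows = con.execute(QUERY).fetchall()
    con.close()
    # Largest combined (known + estimated) exposure first.
    return sorted(rows, key=lambda r: r[2] + r[3], reverse=True)

if __name__ == "__main__":
    for vendor, insureds, known, est in accumulation_by_vendor():
        print(f"{vendor}: {insureds} insureds, known {known:,.0f}, estimated {est:,.0f}")
```

A vendor that appears in the portfolio but has no market share row (Vendor Z here) receives no allocated share, so its figure reflects recorded policies only.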
This animation illustrates one way in which AIR Open Source Cyber Scenarios can be used to explore a portfolio's potential insured losses. In this example, the circles represent seemingly unconnected exposures within a portfolio. By aggregating information, previously hidden connections can be revealed; in this example the insureds use just four cloud providers. An analysis using AIR cyber scenarios can now be focused on one of the cloud providers, enabling insured losses to be determined.
Why wonder what your potential accumulations might be when you can truly own the risk and see customized accumulation scenarios?