By Gian Calvesbert | May 24, 2018
Cyber Data Challenge

One of the most pressing challenges cyber insurers face is a lack of in-house data for evaluating their risk. Insurers have typically relied on vast amounts of data collected over many years to develop tools based on statistically significant results. With cyber, this model doesn’t work because either insurers have just entered the market and have no data or they have been writing cyber for a while but find that historical data loses relevance fast.

Cyber insurers understand this reality, but market dynamics prevent them from actively solving the issue on their own. Here are the two main problems insurers face:

  • Highly competitive markets incentivize insurers to ask few questions from buyers, who prefer to keep their sensitive information confidential and not share more than the minimum required
  • Insurance buyers don’t understand their exposure to cyber risk and can’t provide the data themselves even if they wanted to
Figure 1: Cyber insurers will be challenged to acquire data unless they break the cycle (Source: Deloitte Center for Financial Services)

The Vicious Cycle of Cyber Data

This market dynamic results in a vicious cycle that further prevents insurers from collecting more cyber risk data.

Cyber insurers lack the confidence to underwrite risk they don’t understand, so to prevent unexpected losses they have employed a conservative strategy by mostly offering narrow coverage with low limits, high deductibles, or long waiting periods. As a result, insurance buyers may feel the product does not adequately meet their needs, leading to a lower adoption of cyber insurance and in turn to insurers being unable to collect more data.

Breaking the Cycle with Technology

As people and processes have become unreliable, the cyber data problem has now become a problem that technology is best suited to resolve. The digitization of society and business, which is increasing cyber risk is also allowing for valuable information to be extracted and organized by technology in a way that informs decision-making processes.

AIR has come to realize that cyber data is not as scarce as some believe. Instead it’s in the hands of technology firms that are providing a diverse range of data, including:

  • Firmographics—organizational characteristics, such as industry, revenue, and employee count are extracted from public and private data sources
  • Outside-in scans—sensors on the public space of the internet scan a company’s network perimeter to identify their virtual supply chains and monitor security outcomes
  • Inside-out scans—sensors installed in a company’s network scan their internal architecture to identify assets, device configuration, access points, and other security aspects
  • Threat monitoring—machines read streams of data from the surface, deep, and dark webs to uncover intelligence on compromised organizations and new vulnerabilities
  • Process and policy—data exchanges, used by organizations to assess compliance with security process and controls, are mined for cyber information
  • Incident data—scraping algorithms compile cyber incident and loss data from governments and other public sources

Leveraging Multiple Sources of Cyber Data

By supplementing their own data with third-party data, insurers can simplify the process of selling cyber insurance and confidently provide adequate coverage and expand to segments of the market that aren’t willing or capable of providing more thorough data. The key to making this third-party data useful is consolidating it in a way that makes it easy for insurers to access and cross-reference with their own. Matching algorithms that can map the insurer’s data to third-party data are becoming essential.

AIR has begun to address this challenge by releasing the cyber risk data analytics platform ARC, which features a comprehensive exposure database developed in partnership with leading cyber data providers. With over 12 million organizations worldwide and growing, this database represents the insurable cyber market and can be used to augment the data within a cyber insurer’s portfolio.

How do you see the cyber data challenge be resolved?

What is holding cyber insurance back, and how can the industry push forward? Read the issue brief “Insuring Cyber Risk”

Categories: Cyber

Don't miss a post!

Don't miss a post!
Subscribe via email:



You’re almost done.
We need to confirm your email address.
To complete the registration process, please click the link in the email we just sent you.

Unable to subscribe at this moment. Please try again after some time. Contact us if the issue persists.

The email address  is already subscribed.

You are subscribing to AIR Blogs. In order to proceed complete the captcha below.