One of the most pressing challenges cyber insurers face is a lack of in-house data for evaluating their risk. Insurers have typically relied on vast amounts of data collected over many years to develop tools based on statistically significant results. With cyber, this model doesn’t work because either insurers have just entered the market and have no data or they have been writing cyber for a while but find that historical data loses relevance fast.
Cyber insurers understand this reality, but market dynamics prevent them from actively solving the issue on their own. Here are the two main problems insurers face:
- Highly competitive markets incentivize insurers to ask few questions from buyers, who prefer to keep their sensitive information confidential and not share more than the minimum required
- Insurance buyers don’t understand their exposure to cyber risk and can’t provide the data themselves even if they wanted to
The Vicious Cycle of Cyber Data
This market dynamic results in a vicious cycle that further prevents insurers from collecting more cyber risk data.
Cyber insurers lack the confidence to underwrite risk they don’t understand, so to prevent unexpected losses they have employed a conservative strategy by mostly offering narrow coverage with low limits, high deductibles, or long waiting periods. As a result, insurance buyers may feel the product does not adequately meet their needs, leading to a lower adoption of cyber insurance and in turn to insurers being unable to collect more data.
Breaking the Cycle with Technology
As people and processes have become unreliable, the cyber data problem has now become a problem that technology is best suited to resolve. The digitization of society and business, which is increasing cyber risk is also allowing for valuable information to be extracted and organized by technology in a way that informs decision-making processes.
AIR has come to realize that cyber data is not as scarce as some believe. Instead it’s in the hands of technology firms that are providing a diverse range of data, including:
- Firmographics—organizational characteristics, such as industry, revenue, and employee count are extracted from public and private data sources
- Outside-in scans—sensors on the public space of the internet scan a company’s network perimeter to identify their virtual supply chains and monitor security outcomes
- Inside-out scans—sensors installed in a company’s network scan their internal architecture to identify assets, device configuration, access points, and other security aspects
- Threat monitoring—machines read streams of data from the surface, deep, and dark webs to uncover intelligence on compromised organizations and new vulnerabilities
- Process and policy—data exchanges, used by organizations to assess compliance with security process and controls, are mined for cyber information
- Incident data—scraping algorithms compile cyber incident and loss data from governments and other public sources
Leveraging Multiple Sources of Cyber Data
By supplementing their own data with third-party data, insurers can simplify the process of selling cyber insurance and confidently provide adequate coverage and expand to segments of the market that aren’t willing or capable of providing more thorough data. The key to making this third-party data useful is consolidating it in a way that makes it easy for insurers to access and cross-reference with their own. Matching algorithms that can map the insurer’s data to third-party data are becoming essential.
AIR has begun to address this challenge by releasing the cyber risk data analytics platform ARC, which features a comprehensive exposure database developed in partnership with leading cyber data providers. With over 12 million organizations worldwide and growing, this database represents the insurable cyber market and can be used to augment the data within a cyber insurer’s portfolio.
How do you see the cyber data challenge be resolved?