Cyber liability is one of the few new lines of business to emerge in the insurance industry in the last decade. Adoption is growing at double-digit rates, which makes it an attractive offering for insurers looking to expand their books and client base. Cyber liability also presents new challenges to insurers: it’s a departure from traditional underwriting and product development. Nevertheless, the market is growing faster than other commercial lines, and new analytics and modeling technologies can help compensate for the lack of history and experience.
Cyber Coverage: Rapid Evolution
Cyber liability insurance covers risks that relate to information technology and internet-connected systems. The cyber liability market is challenging to size as it is so new. However, AON reports that 170 U.S. carriers actively wrote cyber liability as of 2017 and that the market saw a 37 percent increase in direct written premium between 2016 and 2017.
Initial cyber liability policies were narrow in scope. Insurers have since lifted initial limits and lessened exclusions to allow broader risk coverage as they sought ways to differentiate their product offerings. Many policies now go beyond a simple payout in the event of a breach; they can include coverage for resulting injury or physical damage from hacking or malware as well as for other secondary or tertiary losses.
The Role of IT in Product Development
Cyber risk is a highly technical area that requires specialized subject matter expertise. Expertise-driven insurance is nothing new; technology has always influenced risk evolution to some extent. Recent examples include telematics to incentivize better driving behavior or IoT sensors to reduce manufacturing risk. Yet cyber risk is one of the first lines of business in which information technology is itself the core risk being covered.
Organizations are turning to internal IT infrastructure and security management experts to define the cyber liability risks a policy covers and to build metrics to evaluate policyholder risk level. Carriers have asked CIOs and CISOs to direct their internal IT expertise externally for the first time. CIOs and CISOs find themselves on the insurance product definition side of operations; some have stepped into new roles as line of business leads.
Challenges in Underwriting Cyber Risk
The danger for insurers is that new insurance products don’t have the same history of claims experience, especially when the risk itself is also emergent. Models for rating and underwriting new business cannot rely on past losses to estimate future losses. Assessing risks without imposing an undue burden on applicants is an additional challenge. To compensate for the lack of substantive loss histories, insurers have relied on questionnaires that cover the security practices and solutions an applicant has in place.
The proper underwriting of cyber risk is a critical issue for insurers as they see strong growth in new lines of business and deal with many unknowns. How can the industry continue to invest in this growing line of business while also ensuring that growth is profitable?
Offsetting Lack of Loss History via AI
Artificial intelligence technology is emerging and evolving at the same time as the cyber liability line of business. AI vendors are hoping to step in and alleviate the need for extensive claims loss history and lengthy underwriting forms. A new marketplace of vendors offering cyber liability risk assessment solutions has sprung up in response. These solutions are relatively non-intrusive, do not burden insurer and insured, and may still provide a way to score and predict risk.
AI has its limits, however: models need a critical mass of data for training, and fully understanding risk requires human intelligence. These models will help underwriters feel more confident in their ability to assess cyber liability risk. The combination of human evaluation with an AI/model-driven assessment is better than either one alone, especially when the line of business is new.
The industry won’t know for sure that these predictions and assessments were correct until some time has passed and losses have been evaluated. Moreover, like all models, these will require refinement over time as more data becomes available.