Tag Archives: tria

PRIA: A Tale of 2 Policyholders

A discussion draft of the “Pandemic Risk Insurance Act” has circulated over recent weeks. Based on the Terrorism Risk Insurance Act, the text is an excellent jumping off point to think about what would work and what would not.

The draft quickly forces to the surface an uncomfortable reality that a TRIA-style “make available” requirement would separate policyholders into the haves and the have-nots. 

Large corporations with the financial wherewithal and sophistication to establish their own pandemic risk insurance companies may structure multibillion-dollar bailout plans free from government intrusion into executive pay, share buyback plans and layoff strategies. More than 500 such “captives” already participate in the Terrorism Risk Insurance Act and could claim as much as 95% of federal funding under that program.

Small and medium-sized businesses, churches, school districts and other nonprofits and local governments would not fare so well. These regular policyholders cannot afford to set up their own insurance companies. The standard insurance policies available to them only cover business interruption losses caused by “property damage.” PRIA’s “make available” requirement would cancel out a pandemic or virus exclusion – it does nothing to address the necessity of property damage.

A large corporation can simply negotiate with itself to remove the prerequisite of property damage. Regular policyholders would have to file lawsuits seeking a judicial finding of property damage as is happening right now in the context of COVID-19. 

The discussion draft should be focusing attention on the needs of regular policyholders. Once we have a solution that works for them, we can worry about what the program can do for insurance companies and large corporations.

You can find the full report here.

Would Form of TRIA Work for Pandemics?

Currently, there is a movement by some industry personnel and legislators to expand the Terrorism Risk Insurance Act (TRIA) to include pandemics. There is a discussion draft of a bill, and a summary of that bill here.

So, is a federal backstop program that is part of, or similar to, TRIA feasible or advisable? It’s too early to tell, but below are some initial caveat emptor thoughts.

FIRST, TRIA has not been tested, so we don’t know if this backstop program actually works, how well it might work and how it might affect the insurance industry’s ability to assume risk in the future, much less be able to effectively respond to terrorist acts. In addition, for a claim to fall under TRIA, it must be caused by a traditional covered peril found in most property insurance policies. In the case of PRIA, the pandemic itself is the peril, and it can affect the entire population.

SECOND, following that thought, the industry has significant financial assets but not manpower. We’ve already seen how difficult it is for government and all of its resources to respond to regionally localized claims involving hurricanes, tornados, flooding and wildfires. The ability of the insurance industry to adjust claims on a nationwide basis would likely be extremely limited, raising the question of whether “insurance” is the proper mechanism for responding to truly catastrophic national or global exposures like pandemics.

THIRD, just as the manpower issue cannot be understated, neither can the required expertise of adjusters. PRIA would likely present a far greater indirect loss exposure than TRIA due to both the scope of losses and the impact of government-mandated business shutdowns, curtailments or operational modifications. The most significantly affected traditional insurance coverage is business income. This insurance product is one of the more complex in the industry, and, as a result, claims are FAR more difficult to adjust and require FAR greater expertise from adjusters than direct property claims.

Specifically with regard to TRIA, so far, most terrorist attacks have been localized. While it’s possible that a terrorism attack could have a much more widespread impact, absent a war-like action of a nation the risk is probably substantially smaller than the potential economic impact of a nationwide pandemic. As a result, the maximum possible (or perhaps probable) loss in a pandemic is likely to be measured in the trillions, not billions, of dollars.

See also: 3 Challenges for Pandemic Coverage  

FOURTH, TRIA is optional. Businesses do not have to buy TRIA coverage. Not long after TRIA was passed, a study conducted by the Council of Insurance Agents & Brokers (CIAB) found that fewer than 10% of small businesses and 20% of larger businesses purchased terrorism coverage where the cost was an additional 10% to 20% of their existing P&C premium. By 2013, the Congressional Research Bureau estimated that 60% of businesses had terrorism insurance, though that number was likely much smaller in higher-risk areas, where the coverage could cost thousands of dollars. According to a more recent report, this number has remained fairly constant, most likely due to the affordability of the coverage given the lack of terrorism incidents.

Can PRIA truly be an optional coverage, or must it be mandatory? Because the risk of a pandemic, in both frequency and severity, is presumed to be far greater than anticipated terrorist attacks, insuring it will likely be far more expensive than TRIA coverage. If so, it’s quite likely that few businesses would purchase it if they want to remain competitive with those businesses that don’t buy in. Given that huge numbers of businesses can be affected by a pandemic, what would become of the perhaps sizable majority of businesses that don’t purchase the coverage? Would the government simply allow them to go out of business? Highly unlikely. And, if interest-free loans or grants continued to be available, it’s even more likely that greater numbers of businesses would rely on that fail-safe mechanism than paying large amounts for insurance coverage they may not need in the short term.

In addition, if the impact of a pandemic is likely to be far more significant in densely populated areas, much like flood insurance, adverse selection may play a role whereby even fewer businesses in sparsely populated areas will purchase the coverage even if priced lower than densely populated areas. And how might the uninsured otherwise affect the insured? Contingent business income coverage is critical to some businesses. For example, a business that has one or only a few suppliers or customers could be out of business if they suffered a loss. That likelihood is dramatically increased if they elect not to participate in a PRIA program such that the subject business would have an even greater need for contingent coverage.

Given these possibilities, would a mandated program be more feasible? For example, in response to civil unrest in the late 1960s, the insurance industry implemented a system of civil disorder charges that applied to ALL commercial property rates. The charge varied geographically based on presumptive risks. In the case of a pandemic, where the exposure is far more widespread, to generate the insurance proceeds needed, it’s quite possible that a mandatory funding mechanism could be indicated. Otherwise, an optional program is likely to fare far worse than the current federal flood insurance program, which still does not use actuarially sound rates, suffers from adverse selection and operates in the red year after year.

FIFTH, is traditional business income insurance even a feasible risk management approach to a catastrophic pandemic? As mentioned earlier, business income coverage is a complex product that requires significant financial skill and analysis. Determining loss amounts is far from an exact science and, in fact, often involves a great deal of conjecture and supposition that usually leads to negotiated settlements. In the case of a pandemic that can affect hundreds of thousands (or more) businesses over a very short time, what private sector industry has the manpower and expertise to adjust claims rapidly to the satisfaction of business owners?

IF a PRIA program is remotely feasible, it would probably have to be based on a nontraditional and simplified insurance product. Perhaps, rather than base the amount of coverage on a complex “business income” calculation that requires speculation about all forms of revenue, expenses and profit, the coverage should be limited to only “continuing expenses,” including payroll, to remain in operation for a specified period. The approach would be more analogous to the Maximum Period of Indemnity option currently available in ISO’s business income program.

See also: How to Lead During the Pandemic  

A simplified product covering only continuing expenses for a limited period, such as four months, MIGHT be workable in a mandated basis, but great care must be exercised in constructing and administering such a program. And, keep in mind that, in risk management circles, primary coverage should be provided by the entity with the greatest control over the exposure. In the case of pandemics, that would be the government.

3 Challenges for Pandemic Coverage

The nation’s immediate strategy to support businesses affected by the COVID-19 pandemic has now formed around a portfolio of emergency federal loan and grant programs authorized by the Coronavirus Aid, Relief, and Economic Security (CARES) Act. As these programs become operational, policymakers are turning their attention to the risk of future pandemics.

When confronting the “new” risk of terrorism nearly two decades ago, policymakers forged the Terrorism Risk Insurance Act (TRIA) as a public-private partnership with shared financial responsibility for terrorism losses but heavily relying on the commercial property and casualty insurance industry’s product design, operational and claims administration capabilities.

Naturally, TRIA has emerged as a leading model for a future pandemic program – generally referred to as the Pandemic Risk Insurance Act (PRIA). While a reasonable starting point, TRIA is far from an off-the-shelf catastrophe risk program.

Congress designed TRIA to progressively recede from the terrorism insurance marketplace until expiring three years later. This temporary program is now in its fourth extension, guaranteeing a total program life of at least 25 years. Not a single dollar has been paid out from the federal backstop — owing more to the success of the U.S. law enforcement, defense and intelligence communities than to any beneficial feature of the program itself. While TRIA may offer the reassurance of longevity, this model remains (thankfully) wholly untested, such that any underlying design flaws only become visible on careful inspection.

We can test the efficacy of PRIA by answering three questions related to our current experience with the loan and grant programs authorized by the CARES Act:

  • Which businesses should be entitled to claim benefits under the program?
  • What benefits should be available?
  • Who has the infrastructural capabilities to deliver the necessary benefits?

Eligible Businesses

CARES Act loan or grant programs are available to nearly all businesses that meet the size requirements. An otherwise eligible business must certify merely a general need for financial relief as a result of the pandemic such as that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the applicant.”

PRIA would reach far fewer businesses. Under that program, insurers must first offer a policy of commercial property insurance without a virus or pandemic exclusion. No business is required by law to purchase it. In fact, under TRIA, only half of all businesses pay a premium for the removal of the terrorism exclusion. According to data released by the U.S. Treasury, 29% are informed that there is no additional charge for removal of the terrorism exclusion and the rest simply opt not to pay the average 2.5% additional premium.

We do not know how much insurers would charge to remove a virus or pandemic exclusion as required by PRIA. However, it is likely to be much more than the current charge to remove terrorism exclusions. As a rough benchmark, it takes the insurance industry about 10 years to charge enough terrorism premium to equal the amount of commercial property insurance losses from Sept. 11. It would take 125 years to collect enough premium just to equal the initial round of funding for the CARES Act’s Paycheck Protection Program.

See also: Rethinking Risk Management in a COVID-19 World  

Take-up rates for policies without virus or pandemic exclusions under PRIA will certainly be somewhere far less than 100%. Even if three-quarters of policyholders pay for the removal of the exclusion, many U.S. businesses would be left with no economic support in the event of another pandemic. If the cost of coverage is more than a couple of percent of total policy premium, take-up rates would be even lower, leaving vast amounts of the U.S. economy “willingly” exposed.   

Covered Losses

CARES Act programs are largely aimed at encouraging businesses to keep employees on the payroll. For example, Payroll Protection Program loans can only be used to cover expenses for payroll, rent, mortgage interest and utilities. If at least 75% of the loan proceeds are spent on payroll (subject to caps on high earners) during the first eight weeks, the entire loan is forgiven.

Business income coverage under a standard commercial property insurance policy also covers the expense of continued payroll, rent and utilities. However, insurance also covers the profits a business would have made and the full amount of salaries, including those paid to high-earning executives. While those benefits are more generous while they last, Civil Authority Coverage typically only extends to the first four weeks of a government-ordered shutdown (half the time period of the Paycheck Protection Program).

Of course, not every policyholder purchases a typical policy. Under TRIA (and therefore our hypothetical PRIA), captive insurance companies are full-fledged participants in the program. A captive is an insurance company set up and owned by its policyholder, typically a large corporation. Hundreds of large corporations (including the New York Times, Credit Suisse and the New York Stock Exchange) have established captives, allowing access to TRIA on far more favorable terms than those available via the traditional insurance market. For example, while small businesses are effectively shut out of property insurance coverage for terrorist attacks using nuclear or radiological weapons, a large corporation can negotiate with its insurance subsidiary for hundreds of millions or even billions of dollars of such protection, with 80% of the losses picked up by the federal backstop.

Large corporations would surely deploy these same strategies to maximize the value of PRIA. While a small business may be lucky to afford the standard four weeks of Civil Authority Coverage, a big business could ask its captive to provide coverage for 40 weeks or even 400. Certainly, the captive would not impose on its corporate parent restrictions on share buybacks, dividends or executive bonuses such as those demanded by the CARES Act’s Main Street Lending Program. 

Claims Administration Capacity

TRIA contemplates that insurance companies possess the claims administration capacity to manage up to $100 billion of shared industry and federal losses. Hurricane Katrina was the largest property insurance event in U.S. industry’s history, resulting in about half that amount in paid claims.

Under the CARES Act, U.S. lenders have been called on to administer $349 billion in loans through the Paycheck Protection Program and a further $600 billion through the Main Street Loan Facilities. Just the initial funding of the Paycheck Protection Program is the equivalent of insurance companies facing down claims from Hurricanes Katrina, Maria, Irma, Andrew, Harvey, Ike and Wilma, Sept. 11 and the Northridge earthquake all at the same time, together with 10 years of National Flood Insurance Program and National Crop Insurance Program claims. The insurance industry is simply not designed to operate at that scale.

See also: 10 Moments of Truth From COVID-19  

A Path Forward

While there are other “glitches” in the Terrorism Risk Insurance Act that should give us pause before expanding the model to include pandemics, the three points explored here should be enough to warrant a thoughtful debate about the objectives of any proposed pandemic risk management program and how best to implement it.  

For example, we may find insurance companies can make available policies without virus or pandemic exclusions, but small businesses are unwilling to bear the consequent cost. A program with low take-up rates is worse than no program at all. Today, we can extend loans and grants to businesses that did not have the choice whether to buy insurance coverage. Once we have PRIA, we cannot. 

Similarly, we may find the business income loss benefits made available to small businesses are modest and difficult to trigger compared with loan forgiveness under the Paycheck Protection Program. Meanwhile, large corporations can use their captive insurance companies to engineer bailouts that make the terms of the airlines’ $25 billion Payroll Support Program look stingy.

Finally, we may conclude business income coverages in standard commercial property insurance policies are too complex to quickly administer during a pandemic. We may also come to believe insurance companies should invest more heavily into maintaining robust catastrophe claims management capabilities.

If we do not get to the bottom of these challenges before committing to a new pandemic program, we will surely struggle with them when we most desperately need the program to work.

Rethinking Risk Management in a COVID-19 World

If there was ever a moment for risk managers to shine, this is it. In many companies, risk managers have won kudos because backup plans have made the transition to telework smoother than it easily could have been (though I feel awful for those working in restaurants, hotels and other businesses who have been furloughed or fired because their jobs simply can’t be done at a distance.) Even when there have been unanticipated problems–and so very many companies face problems that go well beyond any telework issues–no one can play down the importance of risk management in a world turned upside-side so suddenly by the COVID-19 health crisis and the economic chaos that has followed.

Last week’s “Future of Risk” conference, held by The Institutes, hit some risk-management themes that I think will be key as we all prepare for the new normal, and I’ll highlight the boldest one I heard. It came during the opening session, a panel moderated by The Institutes’ CEO Peter Miller.

Markham McKnight, CEO of BXS Insurance, said the U.S. needs a national risk strategy, rather than the current piecemeal approach–one bit of legislation providing flood insurance, one addressing terrorism, etc., with much of the work being done through emergency legislation crafted in the middle of the crisis that a virus, a hurricane or a wave of wildfires produces. A robust national strategy would provide an overarching framework for assessing all the risks and for funding ways to reduce those risks, as well as to pay for redress when the inevitable occurs.

“The absence of a national program leaves us just kicking the can down the road,” McKnight said. “Legislation gets renewed, but only so we can keep doing business.”

He said there should be a national risk pool in the U.S. that would take a comprehensive look at exposures and suggested the insurance industry could provide leadership on how to quantify and mitigate the risks.

Tony Kuczinski, CEO of Munich Re America, agreed with the need for industry involvement, saying he had signed a letter encouraging such a plan. “It’s four or five times as expensive to fix a problem after the fact than it is to be proactive,” Kuczinski said. “You just have to have the stomach to tackle the problem up front.”

Joan Lamm-Tennant, CEO of Blue Marble Microinsurance, which operates in the developing world, said she’d “globalize those thoughts.” She said she’s “experiencing a real call to action on behalf of governments and quasi-governments and a willingness to work more with the private sector.”

She recommended a model along the lines of the Terrorism Risk Insurance Act (TRIA), enacted in the U.S. in 2002, following the 9/11 attacks. Under TRIA, insurance is provided via the private sector, but government acts as a backstop. That backstop “gradually recedes as the private markets get more data and get stronger,” Lamm-Tennant said. Such a public-private approach, she said, would let us avoid setting up “some new government agency”–a goal that I’m sure we all applaud.

Perhaps I’m jaded from decades of watching inaction in Washington, but I doubt Congress will get as far as a national risk plan. I imagine most risks will still be treated piecemeal. I do think that, as long as people are throwing trillions of dollars around, considerable resources could be brought to bear. Legislators, like generals, tend to fight the last war, so the focus will surely start with public health, but other risks could win attention if a compelling enough argument is made.

I like this one: The U.S. spends north of $700 billion a year on the military as a sort of insurance policy against the chance that Russia will lob a bunch of missiles on New York City; maybe it’s time to mitigate some other risks, too.

And I hope the insurance industry can lend its expertise in identifying, quantifying and managing those risks.

In the meantime, I dearly hope you all stay safe.

Cheers,

Paul Carroll

Editor-in-Chief

P.S. I was delighted to see that more insurance companies are staking a claim to the moral high ground in the pandemic. Following reports two weeks ago that some health insurers were waiving out-of-pocket costs for coronavirus patients, two auto insurers said Monday that they are rebating premiums to customers, as long as driving has dropped so much. Allstate said it is rebating $600 million, and American Family Insurance, $200 million. As I wrote a week ago, I hope the entire industry will do whatever it can for customers during what will surely be a defining stretch. So far, so good.

Actuaries Beware: Pricing Cyber Risk Is a Different Ballgame

Growth in the cyber insurance market has recently occurred at warp speed, with more than 60 companies writing in the U.S. alone and with market premiums amounting to approximately $2.5 billion annually. The impressive year-over-year growth is expected to continue into the foreseeable future, with a variety of estimates placing market premium between $7.5 billion and $20 billion by the end of 2020.

This impressive premium growth is because of several factors — perhaps most notably, reporting of the various types of cyber attacks in the news on a regular basis, driving both awareness and fear. Not surprisingly, cyber risk has become a board-level concern in today’s increasingly connected world. Additionally, recent growth of the Internet of Things has given rise to the seemingly infinite number of attack vectors affecting every industry. Individuals and entities of any size, spanning all regions of the world, are potential victims.

The apparent need for new apps and devices that link to one another without focus toward security of those apps or devices gives reason to worry. It also creates an immediate need for a suite of security analytics products that helps insurance companies write cyber insurance more confidently.

State of Data

Actuaries are creative and intelligent problem solvers, but this creativity and intelligence is tested thoroughly when pricing cyber insurance. Actuaries still need the same suite of products used within any other catastrophe-exposed lines of business, but there are many challenges and complications with respect to cyber insurance that make this a particularly difficult task. That is, we still need an underwriting tool, an individual risk-pricing tool and a catastrophe-aggregation model, but certain aspects of these tools vary significantly from what we’ve seen in the past or have grown accustomed to as actuaries.

Data lies at the center of any actuarial project, but data in this space is very limited for a number of reasons. To consider why this is the case, let’s take a step back and consider the wider context. We first want to think about both how to define the cyber peril and what types of attacks are possible.

Risks could lie anywhere between smaller attacks on individuals involving brute-force attempts to steal credentials and conduct identity theft; and state-sponsored attacks on another government entity involving both physical damage and theft of critically sensitive intelligence. We may see malware deployed on a commonly used piece of software or hardware at a massive scale; infrastructures or processes taken down using denial of service; or a breach of a popular database or platform that affects many entities simultaneously.

Many of the attack variants in this hypothetical list have never happened, and some may never happen. Even within those that have happened, information pertaining to the breach — both in terms of the attack specifics used or the actual dollar impact of the attack — is hard to come by.

Several third-party data sources are currently available, but they tend to concentrate primarily on those pieces of data or attack types that are most accessible — particularly data breach and privacy violation claims. This, naturally, is a very small subset of what we need to price for as actuaries.

Unfortunately, there is fairly loose regulation around the reporting of different types of attacks. Even within the data breach family, there exists tremendous lack of standardization across states with respect to reporting. Criteria for whether a report is required may include whether the data is encrypted, how many people were actually affected by the breach and the type of data stolen (PHI, PII, PCI, etc.).

See also: How Actuaries Can Be Faster, More Efficient  

External research can be done on public sources to find the aggregate amount of loss in some cases, but there is little to no incentive for the breached entity to provide more information than is absolutely required. Thus, while we want to price data breach events at a very granular level, it’s often difficult to obtain dollar figures at this level. For instance, a data breach will lead to several costs, both first party and third party. A breached entity, at minimum, will likely have to:

  • Notify affected customers;
  • Offer credit monitoring or identity-theft protection to those affected;
  • Work with credit card companies to issue new credit cards;
  • Foot bills associated with legal liability and regulatory fines; and
  • Endure reputational damage.

It’s impractical to assume that a breached entity would find it attractive to publicize the amount lost to each of these individual buckets.

Worse, other events that either don’t require reporting or have never happened clearly give us even less to work with. In these cases, it’s absolutely critical that we creatively use the best resources available. This approach requires a blend of insurance expertise, industry-specific knowledge and cyber security competence. While regulation will continue to grow and evolve — we may even see standardization across both insurance coverages offered and reporting requirements by state or country — we must assume that in the near future, our data will be imperfect.

Actuarial Challenges

Though many companies have entered the cyber insurance space, very few are backed by comprehensive analytics. Insurers eager to grab market share are placing too much emphasis on the possibility of recent line profitability continuing into the future.

The problem here is obvious: Cyber insurance needs to be priced at a low loss ratio because of catastrophic or aggregation risk. Once the wave of profitability ends, it could do so in dramatic fashion that proves devastating for many market participants. The risk is simply not well understood across the entirety of the market, and big data analytics is not being leveraged enough. In addition to the glaring data and standardization issues already discussed, actuaries face the following eight key challenges:

1. No Geographical Limitation

On the surface, the cyber realm poses threats vastly different from what we’ve seen in other lines of business. Take geography. We are used to thinking about the impact of geography as it pertains to policyholder concentration within a specific region. It’s well understood that, within commercial property insurance, writers should be careful with respect to how much premium they write along the coast of Florida, because a single large hurricane or tropical storm can otherwise have an absolutely devastating effect on a book of business. Within the cyber world, this relationship is a bit more blurry.

We can no longer just look at a map. We may insure an entity whose server in South Africa is linked to an office in Ireland, which, in turn, is linked to an office in San Francisco. As existing threat actors are able to both infiltrate a system and move within that system, the lines drawn on the map have less meaning. Not to say they’re not important — we could have regulatory requirements or data storage requirements that differ by geography in some meaningful way — but “concentration” takes a different meaning, and we need to pay close attention to the networks within a company.

2. Network Risk From an External Perspective

In the cyber insurance line, we need to pay attention to the networks external to an insured company. It’s well documented that Target’s data breach was conducted through an HVAC system. By examining Target’s internal systems alone, no one would have noticed the vulnerability that was exploited.

As underwriters and actuaries, we need to be well aware of the links from one company to another. Which companies does an insured do business with or contract work from? Just as we mentioned above with apps and devices that are linked, the network we are worried about is only as strong as the weakest link. Another example of this is the recent attacks on a Bangladeshi bank. Attackers were able to navigate through the SWIFT system by breaching a weaker-than-average security perimeter and carrying out attacks spanning multiple banks sharing the same financial network.

3. Significance of the Human Element

Another consideration and difference from the way we traditionally price is the addition of the human element. While human error has long been a part of other lines of business, we have rarely considered the impact of an active adversary on insurance prices. The one exception to this would be terrorism insurance, but mitigation of that risk has been largely assisted by TRIA/TRIPRA.

However, whenever we fix a problem simply by imposing limits, we aren’t really solving the larger problem. We are just shifting liability from one group to another; in this case, the liability is being shifted to the government. While we can take a similar approach with cyber insurance, that would mean ultimately shifting the responsibility from the insurers to the reinsurers or just back to the insureds themselves. The value of this, to society, is debatable.

See also: Cyber Insurance: Coming of Age in ’17?  

A predictive model becomes quite complex when you consider the different types of potential attackers, their capabilities and their motivations. It’s a constant game of cat and mouse, where black hat and white hat hackers are racing against each other. The problem here is that insurers and actuaries are typically neither white hat nor black hat hackers and don’t have the necessary cyber expertise to confidently predict loss propensity.

4. Correlation of Attacks

In attempting to model the “randomness” of attacks, it is important to think about how cyber attacks are publicized or reported in the news, about the reactions to those attacks and the implications on future attacks. In other words, we now have the issue of correlation across a number of factors. If Company A is breached by Person B, we have to ask ourselves a few questions. Will Company A be breached by Person C? Will Person B breach another company similar to or different from Company A? Will Person D steal Person B’s algorithm and use it on entirely different entity (after all, we’ve seen similar surge attacks within families such as ransomware)? If you as the reader know the answers to these questions, please email me after reading this paper.

5. Actuarial Paradox

We also have to consider the implications on the security posture of the affected entity itself. Does the attack make the perimeter of the affected company weaker, therefore creating additional vulnerability to future attacks? Or, alternatively, does the affected company enact a very strong counterpunch that makes it less prone to being breached or attacked in the future? If so, this poses an interesting actuarial dilemma.

Specifically, if a company gets breached, and that company has a very strong counterpunch, can we potentially say that a breached company is a better risk going forward? Then, the even-more-direct question, which will surely face resistance, is: Can we charge a lower actuarial premium for companies that have been breached in the past, knowing that their response to past events has actually made them safer risks? This flies directly in the face of everything we’ve done within other lines of business, but it could make intuitive sense depending on incident response efforts put forth by the company in the event of breach or attack.

6. Definition of a Cyber Catastrophe

Even something as simple as the definition of a catastrophe is in play. Within some other lines of insurance business, we’re used to thinking about an aggregate industry dollar threshold that helps determine whether an incident is categorized as a catastrophe. Within cyber, that may not work well. For instance, consider an attack on a single entity that provides a service for many other entities. It’s possible that, in the event of a breach, all of the liability falls on that single affected entity. The global economic impact as it pertains to dollars could be astronomical, but it’s not truly an aggregation event that we need to concern ourselves with from a catastrophe modeling perspective, particularly because policy limits will come into play in this scenario.

We need to focus on those events that affect multiple companies at the same time and, therefore, provide potential aggregation risk across the set of insureds in a given insurance company’s portfolio. This is, ultimately, the most complicated issue we’re trying to solve. Tying together a few of the related challenges: How are the risks in our portfolio connected with each other, now that we can’t purely rely on geography? Having analytical tools available to help diagnose these correlations and the potential impacts of different types of cyber attacks will dramatically help insurers write cyber insurance effectively and confidently, while capturing the human element aspect of the threats posed.

7. Dynamic Technology Evolution

If we can be certain of one thing, it’s that technology will not stop changing. How will modelers keep up with such a dynamic line of business? The specific threats posed change each year, forcing us to ask ourselves whether annual policies even work or how frequently we can update model estimates without annoying insurers. Just as we would write an endorsement in personal auto insurance for a new driver, should we modify premium mid-term to reflect a newly discovered specific risk to an insured? Or should we have shorter policy terms? The dynamic nature of this line forces us to rethink some of the most basic elements that we’ve gotten used to over the years.

8. Silent Coverage

Still, all of the above considerations only help answer the question of what the overall economic impact will be. We also need to consider how insurance terms and conditions, as well as exclusions, apply to inform the total insurable cost by different lines of insurance. Certain types of events are more insurable, some less. We have to consider how waivers of liability will be interpreted judicially, as well as the interplay of multiple lines of business.

It’s safe to assume that insurance policy language written decades ago did not place much emphasis on cyber exposure arising from a given product. In many cases, silent coverage of these types of perils was potentially entirely accidental. Still, insurers are coming to grips with the fact that this is an ever-increasing peril that needs to be specifically addressed and that there exists significant overlap across multiple lines of business. Exclusions or specific policy language can, in some cases, be a bit sloppy, leading to confusion regarding which product a given attack may actually be covered within. This becomes the last, but not least, problem we have to answer.

Conclusion

The emerging trends in cyber insurance raise a number of unique challenges and have forced us to reconsider how we think about underwriting, pricing and aggregation risk. No longer we can pinpoint our insureds on a map and know how an incident will affect the book of business. We need to think about both internal and external connections to an insured entity and about the correlations that exist between event types, threat actors and attack victims. In cases when an entity is attacked, we need to pay particular attention to the response and counterpunch.

As the cyber insurance market continues to grow, we will be better able to determine whether loss dollars tend to fall neatly within an increasing number of standalone cyber offerings or whether insurers will push these cyber coverages into existing lines of business such as general liability, directors and officers, workers’ compensation or other lines.

Actuaries and underwriters will need to overcome the lack of quality historical data by pairing the claims data that does exist with predictive product telemetry data and expert insight spanning insurance, cyber security and industry. Over time, this effort may be assisted as legislation or widely accepted model schema move us toward a world with standardized language and coverage options. Nonetheless, the dynamic nature of the risk with new adversaries, technologies and attack vectors emerging on a regular basis will require monitored approaches.

See also: Another Reason to Consider Cyber Insurance  

In addition, those that create new technology need to realize the importance of security in the rush to get new products to market. White hat hackers will have to work diligently to outpace black hat hackers, while actuaries will use this insight to maintain up-to-date threat actor models with a need for speed unlike any seen before by the traditional insurance market.

Some of these challenges may prove easier than they appear on paper, while some may prove far more complicated. We know actuaries are good problem solvers, but this test will be a serious and very important one that needs to be solved in partnership with individuals from cyber security and insurance industries.