Cyber risk is one of the newest forms of insurance coverage because its media, the Internet and computers, have only been available to the public quite recently. It is a frontier that the insurance industry has not yet fully explored, creating significant room for growth, but large amounts of uncertainty, as well.
In an interview with ratings agency AMBest, Jacob Rosengarten, chief enterprise risk officer of XL Catlin, said that the field of cyber insurance is still evolving, and that the language and framework is still to be standardized.
Clients have varying states of protocols, levels of interconnectedness, and quality of mitigants, making it difficult to come up with a concrete model of risks. Most firms still work on a scenario or case-by-case basis and have yet to lay down concrete guidelines with how to deal with situations.
The legal system, according to Rosengarten, still lacks standardization when dealing with cyber risk. Many courts are still not used in dealing with cyber attacks, and because the laws are quite new, the lack of jurisprudence can lead to varying interpretations of laws. Courts must also be able to define clearly what consists an act of terror, political hacking, individual crimes, and other classifications with regards to cyber security. Identification of perpetrators, whether groups in individuals, is another challenge.
The government also has a role to play, by protecting national security, such as protecting its cyber territory from criminals or agents from hostile nations.
Differentiating cyber insurance risks from traditional risks such as natural catastrophes, Rosengarten noted that natural calamities have a defined scope of effect or damage. However, cyber threats have wider reach and can affect even entire nation-states. Also, the low logistical burden for cyber criminals may give them an incentive to commit an attack.
Offering recommendations for the industry, Rosengarten said that if the risk cannot be measured, then it cannot be managed effectively. The lack of tools to measure risk makes it difficult, but the industry must adapt and find ways. Company directors and clients must be educated about the risks. The legal system should also be standardized. New insurance products can be developed to address new types of exposure. It is an issue of relevance for the insurance industry to keep up with changes.
“If [insurers] don’t solve it, some other industry will,” he said.