The evolution of cyber risk modeling from “interesting to useful”

The evolution of cyber risk modeling from “interesting to useful” | Insurance Business

The evolution of cyber risk modeling from “interesting to useful”

Data and analytics have become household names in the global cyber insurance industry. They shore up risk selection, underwriting, and pricing for accounts, while also providing insight into portfolio management, risk aggregation management and other systemic risk considerations.

At first, the major data analytics firms to break into the insurance market focused around risk selection and giving underwriters some kind of tool to enable decision-making. These early companies often focused on rating risks and providing insurance companies with scores. After that, the next generation of data analytics firms increased their value proposition by presenting risk scores with explanations of what those scores mean to the insurance industry in dollars and cents, frequency and severity, or likelihood and impact.

Read next: Why data literacy is so important for your clients

Arguably the place where data and analytics have generated the most interest among cyber insurers is around questions of aggregation management, systemic risk, and catastrophe loads on policies, according to Jonathan Laux, managing director and cyber analytics practice head at Aon's Reinsurance Solutions business. Cyber insurers are most interested in events yet unseen and the “unprecedented risks” that will drive the cyber insurance product in the future, he pointed out.

“When it comes data analytics and cyber modeling, I like to look at model maturity,” Laux told Insurance Business. “Cyber risk models have come a long way in the last five years, but they’ve still got a long way to go. If you think about nat cat modeling or the property cat modeling space – they’re extremely mature. That doesn’t mean the models are always right, but most in the industry agree that they’re as good of a gauge into cat risk that you’re going to get. They’re sort of a gold standard in terms of data and analytics.

“Then there are a lot of casualty lines where the risk modeling is not that mature, but there’s useful directional input. That input is not exclusively relied on, but it certainly has a role to play. Finally, there’s the less mature end of the spectrum, where the modeling is an interesting thought experiment, which maybe gives an underwriter a way to think about a risk in a way that they haven’t before, but they’re not necessarily relying on it much.”

Read more: Remote workers are the biggest cyber blind spots for small businesses

According to Laux, cyber risk modeling has now “made the leap from being interesting to being useful”. Based on his framework of judging data analytics companies, he described cyber risk modeling as having “some navigational value” at this point, but he stressed that these models are not totally to be relied upon.

“We cannot rely totally upon cyber risk models just yet,” he said, “but if the model tells you something, particularly something unfavorable, for example, you need to at least pull your thoughts together and determine whether that insight bears any fruit. If you disagree with what the model is saying, you need to be able to explain why you disagree with it rather than just throwing it out.

“I believe cyber risk models have really progressed in the past two years, particularly for companies that are looking to do risk aggregation work. A lot of the models so far have focused predominantly on the cyber product coverages and the risk that sits there. The broader cyber as a peril and non-affirmative exposures are where we really see the frontier being and the places where the cyber risk models need to go.”

As insurance companies and their end clients look for enterprise-wide risk solutions, data analytics firms are under pressure to provide cyber risk models that can “pivot, flex, and address all issues” that present themselves, Laux explained.