Improving risk assessments capabilities through incorporating real-time cyber security data into the product development and underwriting process will open opportunities in a potentially enormous and fast-growing market. Not only by more accurate pricing but also through incentivizing prevention measures for the insureds. The transition requires an improved collaboration in the “cyber ecosystem”, especially with regards to shared data standards.

Cyber insurance faces three main challenges: accurately assessing risk, offering appropriate cover limits, and pricing policies competitively while ensuring profitability. Additionally, there is the difficulty of predicting and mitigating the economic impact of a catastrophic cyber incident like a critical failure of a major cloud provider.

Currently, the cyber insurance ecosystem is in a suboptimal position to meet these challenges and respond well to the threat of a cyber catastrophe. A data infrastructure in its infancy and limited data collaboration are at the root of this. We summarize this as a lack of data maturity.

Cyber is a human-driven risk and its impact potential is fuelled by the drive of digitalisation -- as well rising geo-political volatility. A rapidly evolving threat landscape, digitalisation accelerated by new technologies, and cloud concentration are global challenges amidst a daunting shortage in cyber security professionals and education.

Insurance has a role to play

Here too, insurance plays an important economic role by providing incentives for risk-mitigation behaviour, smoothening volatility, and building societal resilience. To do this effectively the insurance industry must be able to quantify, predict and manage the risk reliably & efficiently. Its ability to do this in the cyber space has been limited due to the difference in the rapidly changing nature of the peril, and the methods insurers traditionally deploy for risk assessment & insurance product design.

Cyber insurance today

Information exchange uni-directional & annual in frequency at best:

Lacking Data Maturity

This lack of data maturity leaves the market in a suboptimal state, leaving millions of companies often under-insured, with high premiums, but not high enough to cover for a catastrophic cyber incident.

An ecosystem of cyber-MGAs, brokers, risk modellers, and cyber service providers are working to gradually overcome the problems listed above. Still, they haven’t bridged the gap sufficiently for insurers’ product design to be able to fully adapt. So, what must happen to change this status quo?

2) The opportunity - data-driven innovation for sustainable growth

The direction of travel seems clear: incorporating real-time cyber security data (next to exposure and claims data) into cyber insurance product design will allow for the risk insights needed to improve price/cover of cyber insurance propositions.

Insurers aiming to lead this technological evolution will want to consider:

1. Model upgrades:
   Cyber risk modelling upgrades enriched with real-time inside-out information on the actual cyber security risk posture of insured.
2. Enriched data: 
   With this enriched information, new avenues in product design open, with dynamic pricing/cover and risk mitigation incentives, becoming powerful tools for insurers and insured to manage cyber security risks.
3. First movers’ advantage:
   Of course, we must get to this stage first. Current scope and availability of inside-out data is limited, but rapidly growing. With time the efforts of the many players in the ecosystem will bare fruit and become more and more useful for the purposes of insurance. Insurers can move early and be at the forefront of these developments.
4. Standards & Taxonomy: 
   This will not work without defining effective standards and taxonomy between cyber security & insurance. Establishing a common understanding of what standards constitute good cyber security hygiene that can be applied in insurance product design are essential.
5. Data collaboration: 
   Collaborating not only on risk-pooling, but also data-pooling is something the insurance industry is known for across different product lines (motor, credit, etc.). Establishing the entities and data pools where information is shared in a secure & compliant manner are important for ensuring quality & trust in the ecosystem.

Data-driven cyber insurance

Enriched with inside-out, real time insights on the insured’s cyber risk posture:

Achieving this state of Data Maturity will not remove the risk a catastrophic cyber incident poses, but it will certainly help in the areas of:

• Prediction: a data mesh of real-time signal networks across the cyber insurance ecosystem for better risk-posture assessment & early-warning.
• Mitigation: with the positive security-enhancing behaviour that dynamic cyber insurance products help create.
• Resilience: better insights into the aggregate risk increases trust for reinsurers and potentially governments to commit more capacity to the market.

Growing Sustainably

Certainly, it’s a long road ahead towards this future state. What’s also certain is enormous and growing market demand for cyber insurance with premiums expected to double in the next 5 years. Insurers who already have a large exposure and the ones willing to further serve this demand will be focusing much of their attention on growing their business sustainably. For that, becoming data driven, as outlined above, will be essential.