Editor's Note:
Sasha Romanosky recently co-published research on cyber insurance, called “Content Analysis of Cyber Insurance Policies: How Do Carriers Write Policies and Price Cyber Risk?,” together with the RAND Corporation’s Lilian Ablon, Andreas Kuehn, and Therese Jones.
Cyber insurance is a broad term for insurance policies that address first- and third-party losses as a result of a computer-based attack or malfunction of a firm’s information technology systems.
For example, one carrier’s policy defines computer attacks as “a hacking event or other instance of an unauthorized person gaining access to the computer system, [an] attack against the system by a virus or other malware, or [a] denial-of-service attack against the insured’s system.”
Despite the strong growth of the cyber insurance market over the past decade, insurance carriers are still faced with a number of key challenges: How to develop competitive policies that cover common losses but also exclude risky events? How to assess the variation in risks across potential insureds? And how to translate this variation into an appropriate pricing schedule?
In our research, we seek to answer fundamental questions concerning the current state of the cyber insurance market. Specifically, by collecting more than 100 full insurance policies, we examine the composition and variation across three primary components: the coverage and exclusions of first- and third-party losses, which define what is and is not covered; the security application questionnaires that are used to help assess an applicant’s security posture; and the rate schedules that define the algorithms used to compute premiums.
Overall, our research shows much greater consistency in the loss coverage and exclusions of insurance policies than is often assumed. For example, after examining only five policies, all coverage topics had been identified, and it took only 13 policies to capture all exclusion topics.
However, while each policy may include commonly covered losses or exclusions, there was often additional language further describing exceptions, conditions or limits on the coverage.
The application questionnaires provide insights into the security technologies and management practices that are (and are not) examined by carriers. Our analysis identified four main topic areas: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Despite these sometimes lengthy questionnaires, however, there still appeared to be relevant gaps. In particular, information about the security posture of third-party service and supply-chain providers is notoriously difficult to assess properly, despite numerous breaches originating from such compromises.
As for the rate schedules, we found surprising variation in the sophistication of the equations and metrics used to price premiums. Many of the policies examined used very simple flat-rate pricing based on expected loss alone, while others incorporated additional parameters such as the firm's asset value, firm revenue, industry type, or standard insurance metrics (e.g., limits, retention, coinsurance).
The most sophisticated policies also incorporated the specific information security controls and practices collected through the security questionnaires. By examining these components of insurance contracts, we hope to provide the first-ever insights into how insurance carriers understand and price cyber risks.