The key to keeping cyber insurable is modeling aggregate risk: Coalition

By Erin Ayers, Advisen

A one-in-250-year cyber event could cost U.S. businesses nearly $30 billion in total losses, according to a new model aimed at assessing catastrophic cyber risk released this week by cyber insurance provider Coalition.

Zeroing in on a sample portfolio of businesses developed by Coalition, such an event would result in more than $370 million in total losses.

However, cyber risk remains insurable, according to Joshua Motta, CEO and co-founder of Coalition.

“If measured appropriately, cyber risk is insurable,” Motta told Advisen in a recent interview. However, the industry has fallen into a “rut” by attempting to compare catastrophic cyber events to other, more familiar catastrophic events like natural disasters.

“Then they panic because the general thing that allows insurers to get comfortable with natural disasters is that they tend to have geographic boundaries,” Motta explained. The common refrain of “cyber risk has no boundaries” ignores “all the other boundaries that exist” that would prevent a systemic cyber event from occurring, he added.

“The uncertainty around cyber risk has led to conservative modeling,” Coalition said in its report on the model. “For example, market-leading cyber catastrophe models consider the possibility that all of Amazon Web Services (AWS) go down for an extended period, a doomsday scenario detached from the reality of geographically distributed data centers. The AWS cloud spans over 100 discrete data centers globally, each with redundant power, networking, and connectivity.”

There is far more diversification among organizations’ cyber profiles than the industry may realize. Every organization has different hardware, different versions of software, different approaches to structuring networks. And, even if a ubiquitous cloud provider went down or a common Windows vulnerability were exploited, the likelihood of it impacting all users across the nation at once is slim.

Motta told Advisen, “All the redundancies that are built into the ecosystem effectively serve as the equivalent of geographic boundaries.”

With its Active Cyber Risk Model, Coalition aims to offer a more accurate perspective on cyber risk, he noted. It builds out from the firm’s continuous-scanning technology that tracks “billions of devices and tens of millions of organizations” and its “Active Insurance” program for policyholders.

For the report, Coalition outlined eight different types of cyber risk events, from domain name system (DNS) outages to email, hosting, and payment outages, and weaponized zero-day vulnerabilities. The model evaluated events by frequency, root cause, aggregated technology and vendors, and severity. Shared technologies do indeed boost aggregation risk, the model confirmed.

The model will be publicly available for other insurers to use, although Coalition’s combination of cyber research data, policyholder data, and underwriting methods will remain proprietary.

The cyber insurance industry can already access all the data it needs to effectively model and insure cyber risk, according to Coalition.

“More data exists on cyber than any other risk. Using the right tools and systems to measure this risk can dramatically reduce potential impact,” said Shawn Ram, Coalition’s Head of Insurance. “Unfortunately, we cannot prevent a catastrophic cyber event, but we can measure and contain catastrophic loss. For insurers, mapping cyber events to policyholders and the technologies they use are key to modeling aggregate risk.”

While a cyber event that produces $30 billion in total losses would be rare and unlikely to be fully borne by the insurance industry, understanding the potential impacts will be key to promoting future market growth, according to Motta. More and more organizations will continue to derive value from intangible assets – data, software, intellectual property – and those assets will need insurance coverage, Motta said. Like any line of insurance, demand will ramp up.

“Back in 1910, how many cars were on the U.S. roads compared to now? I don’t think there’s any reason cyber won’t grow in the same way,” he said.

Managing Editor Erin Ayers can be reached at erin.ayers@zywave.com