Granular data on cyber risk crucial to increasing capacity: Swiss Re
While insureds hold significant amounts of data on their exposure to accumulative events, most of it is unstructured and the market needs to develop ways of collecting and modelling that information
Better data on individual insureds’ exposures to large cyber events would encourage more capacity into the market
Better data on companies' exposure to large cyber attacks could help increase capacity in the cyber insurance market, according to a senior underwriter at Swiss Re.
Alex Podmore, senior cyber underwriter at the re/insurer, said the insurance industry needed to improve the way it collects and structures data on individual businesses. While many companies hold data on their potential exposure to accumulative events, most of that data is unstructured, he said.
Cyber insurance promises to be one of the fastest-growing markets. Swiss Re estimates premiums will more than double from $10bn in 2021 to $23bn by 2025, an annual growth rate of 20%.
However, the market has been stifled by a lack of capacity, driven by concerns about large accumulative events including a major malware attack or an outage at one of the large cloud computing service providers many businesses rely on.
While Podmore said exclusions for war, state-backed attacks and attacks on critical infrastructure were likely to become a permanent feature of the cyber market, better data on exposure to other accumulative risks could encourage more capital into the market.
Most of the data used to evaluate accumulative risk at the moment is “firmographic”, he said, meaning the underwriter makes assumptions about an insured’s exposure based on its geographic location, its industry and its size.
For example, knowing the industry a company operates in can give “a bit more of an understanding what sort of software it’ll be using, what sort of dependencies it will have depending on specific common software within that type of industry”, Podmore explained. But a lot of that work at present is done at a macro level and is assumptions-based. Insureds do have more detailed information on their own exposures, but that data is often unstructured and can only be gathered through questionnaires, he added.
“What we hope the market will begin to transition to do – and something we’re working towards – is trying to get what is generally unstructured information around the technographic profile of the insured and build it into a structured template so, if there is a systemic type of event, we have a better understanding of exactly how an insured’s business will be impacted from a revenue generation perspective,” Podmore said.
This is important because a lot of the concerns about accumulation risk revolve around exposure to business interruption claims. “The more we can understand that type of information, the more capital we can get into the market in the longer term because you get a better understanding of how diversified one risk might be in one portfolio versus another,” Podmore said.
Giving the example of a multi-day outage of a large cloud provider – Amazon Web Services or Microsoft Cloud, for instance – Podmore said any two companies would be affected differently. If an insurer knows such an event will not have a huge impact on an insured’s ability to generate revenue or profit, the business interruption component could be lower than feared.
“We might say we can’t pull a risk into the portfolio because there’s too much accumulation potential [from a cloud outage]. But if we understand their reliance on generating revenue from a lot of those cloud services is slim, we can factor that into the equation and have a true understanding of where these risks diversify from one another,” he said.