Cyber Insurtech Coalition released the Active Cyber Risk Model, a practical framework for understanding cyber risk aggregation that provides an ongoing view into organizations’ cyber risks and identifies preventive measures to protect against new threats.
Cyber threats are among the most pervasive facing most organizations, with cybercrime and cyber insecurity ranked as the 8th most severe global risk according to the World Economic Forum over two- and 10-year periods.
Across the insurance industry, there is much discussion about the possibility of a catastrophic cyber incident resulting in significant simultaneous losses across many organizations or critical infrastructure, leading some insurers to claim that cyber risk is uninsurable.
Unfortunately, the message these insurers deliver is clear: they don’t fully understand the risk, and organizations that purchase cyber insurance from them will get increasingly restrictive coverage or none.
As the industry continues to dwell on catastrophic cyber events and how best to offer coverage, if at all, one thing remains abundantly clear: cyber risk is insurableJoshua Motta, Chief Executive Officer and co-founder at Coalition
The model – which simulates how a singular cyber risk event can trigger a chain reaction resulting in substantial economic losses – illustrated the possibility of nearly $30 bn in total insured losses if an aggregated cyber event occurred.
The insurance industry is uniquely positioned and capable of mitigating and protecting organizations from emerging cyber risks.
Built on Coalition’s proprietary data collection platform and knowledge graph, which captures 48 trln monthly events, the Active Cyber Risk Model offers a more accurate picture of cyber risk for organizations and the broader economy.
In a simulation modeled against a sampling of 5,000 American companies, Coalition found that a one-in-250-year cyber event could cost more than $370 mn in losses. When extrapolated across the entire U.S. economy, a catastrophic cyber event could cost an estimated $29.8 bn in total losses (see Zero-Trust Cybersecurity Strategy & Cyber Risk Reduction).
The Active Cyber Risk Model leverages Coalition’s technology platform that actively monitors both the internet and the ever-changing landscape of vulnerabilities and attack vectors across hundreds of thousands of companies.
More data exists on cyber than any other risk. Using the right tools and systems to measure this risk can dramatically reduce potential impactShawn Ram, Coalition’s Head of Insurance
“We cannot prevent a catastrophic cyber event, but we can measure and contain catastrophic loss. For insurers, mapping cyber events to policyholders and the technologies they use are key to modeling aggregate risk.”
For businesses, the key to preparing for a catastrophic event is adopting proactive measures, like Coalition’s Active Insurance, and building a thoughtful response plan.
Coalition monitors the digital technologies and third-party vendors that its policyholders use to inform its model. These shared technology dependencies create aggregate cyber risk.
Coalition uses its ATV data to track and measure the interconnectedness of technologies and identify where cyber risk aggregates. Going forward, Coalition will use its model to determine which companies in its portfolio could be impacted by a cyber event.
Cyber is a different kind of risk
With the widespread adoption of digital technology, cyber insurers fear a single event could cause losses across many policyholders due to shared technology infrastructure, such as cloud computing, or vulnerabilities in ubiquitous software and hardware products.
Although the insurance industry has yet to experience a systemic cyber event resulting in catastrophic financial loss, this hasn’t stopped the ill- and uninformed from pushing narratives of fear, uncertainty, and doubt, most notably claiming that cyber is “uninsurable.”
Some legacy insurance companies make this claim primarily because they lack the technology and expertise to assess cyber risk. Instead, they would prefer to push responsibility onto their customers or the taxpayer rather than innovate to develop new underwriting capabilities.
They also fail to recognize that cyber risk fundamentally differs from terrorism risk. Unlike terrorism, a vulnerability or failure of a particular technology is measurable, and the probability and breadth of exploitation or failure can be predicted.
While many insurers claim they don’t have enough data to assess cyber risk, the irony is that there has never been more data in history to do so than there is now.
Moreover, more data exists to quantify cyber risk than almost any other. Yet, most insurers simply don’t have or use it. What separates active cyber insurers from legacy insurers are the right tools and systems to measure risk and dramatically mitigate its impact on organizations.