The crux of this post is the point that there are some risks (and I believe a growing number of risks) which are (and will be) uninsurable. Cyber risks are not insurable.
Back in 2021, I saw a LinkedIn post from Dr. Robert Hartwig that discussed his testimony to one of the US Senate’s subcommittees about the uninsurability of Business Income from the Covid-19 pandemic.
Seeing that LinkedIn post, and reading his testimony, triggered my ongoing belief that uninsurability of certain risks has been happening more frequently over the decades.
More specifically, I believe that as we, as a society, become increasingly more dependent on web-connected devices that uninsurability will become more of an issue for both the insurance market and for corporations (and individuals as well).
I want to thank Dr. Robert Hartwig for giving me permission to use some of his content from his July 21, 2021 testimony to the US Senate Subcommittee.
His testimony is titled: “Examining Frameworks to Address Future Pandemic Risk” and he presented it to the United States Senate Committee on Banking, Housing and Urban Affairs, Subcommittee on Securities, Insurance and Investment.
Criteria for Insurability
The central question: how can an insurance / risk management professional identify risks that are insurable?
Here I introduce some of the content from Dr. Hartwig’s July 2021 Testimony. I’ll let the table below ‘speak for itself’ but I will repeat his point that “The inability of a risk to meet one or more of these criteria reduces or eliminates its insurability.” (My emphasis of bold and underlining of Dr. Hartwig’s point.)
Consideration of a pandemic through the lens of the six criteria
At this point, here – in the table below – is how Dr. Hartwig viewed the Covid-19 pandemic through the six criteria: you can see there is a relentless parade of ‘no’ with his logic given for the requirement of each criteria not being met.
Cyber risk will increasingly become uninsurable
Turning now to cyber risk, I use the same six points of insurability (or uninsurability depending on your point of view) to conclude that cyber risk is uninsurable.
Remember, the risk is not insurable if only one of the six criteria is not met.
By my analysis, I come up with: two criteria of insurability met, two criteria not met, and two criteria with ‘quasi’ meaning maybe yes or maybe no. I answer ‘no’ to the criterium: 3) determinable and measurable loss and 5) calculable chance of loss.
(Added May 29, 2024) I would also add for #5 that another reason that there is no calculable chance of loss is that the cyber attack space is an Nth Dimensional topographic space that is continually unfolding in multiple dimensions and multiple directions. Each instant that:
- A digital artifact is connected to the web, the cyber attack space grows in multiple dimensions and in multiple directions;
- A physical artifact embedded with telco capabilities (and/or data) is connected to the web, the cyber attack space grows in multiple dimensions and in multiple directions;
- An animal with an IP-sensor embedded in it or attached to it is connected to the web, the cyber attack space grows in multiple dimensions and in multiple directions.
Essentially, the cyber attack space will never stabilize nor will the cyber attack space ever ‘mature’.
Cyber insurance underwriters are facing a constantly changing cyber attack space with cyber risks that can become cyber attacks from any point or area (e.g., set of points) at any time for any person or corporation located at any place on the ground, under the oceans, in the air, or in space (assuming their are web-connected digital artifacts or physical artifacts located in those areas).
This is one reason that cyber risks are nothing like the traditional risks which the insurance industry has faced throughout its extremely long history of existence.
Rabkin's Opinions 