“Alice asked the Cheshire Cat, who was sitting in a tree, “What road do I take?” The cat asked, “Where do you want to go?” “I don’t know,” Alice answered. “Then,” said the cat, “it really doesn’t matter, does it?” Alice’s Adventures in Wonderland, Lewis Carroll November 1865
The insurance industry is being quickly surrounded by and immersed within a ‘Cyber Wonderland’. The risk environment is continually changing – significantly – in this Cyber Wonderland from the traditional risk environment that the insurance industry has faced throughout its extremely long history.
Unlike Alice asking for directions because she fully realizes that she is no longer in the world she knows, the insurance industry is taking the usual paths it always takes when identifying new risks (making [false] comparisons, obtaining more data, creating more models) to estimate maximum probable losses of conducting commerce in this Cyber Wonderland. To me, it feels like “The Maginot Line” redux.
The insurance industry is facing a Cyber Wonderland replete with an expanding volume of: 1. intangible assets; 2. cyber technology applications and solutions; and 3. tangible assets infused with or reshaped by cyber technology applications and solutions. These three realities are underpinning the continually changing cyber risk environment. In turn, that could lead to a shrinkage of the total insurable space of profitable underwriting. (Will lead to, in my opinion.)
I’m not sure how viable the insurance industry’s underwriting role can or will be in the ‘Cyber Wonderland’. Increasingly, more of society’s commerce, communication, and collaboration transactions and interactions are, and will continue to be, based on both intangible assets and tangible assets fueled by cyber applications and solutions in the decades to come.
An insurance industry hypothesis and “macro” question:
Hypothesis: Society will continue to use increasingly more applications and solutions of current and emerging cyber technologies to conduct commerce (and to communicate and to consume entertainment, education, healthcare, travel, …).
Question: If it is true that the results of the hypothesis could or would be more frequent cyber attacks and that more of these cyber attacks will be systemic cyber attacks, then will this trigger insurers to lower the cyber coverage amounts they sell? More generally, is it possible that as society uses increasingly more cyber applications and solutions resulting in a more ‘brittle’ commerce environment (or become more involuntarily transparent regarding operations / intellectual property / decision-making / client information / supplier information), might there be increasingly fewer exposures which insurers could underwrite profitably?
Or restated …
Is the “total insurable space to generate profitable underwriting” shrinking as society continues to use increasingly more cyber technology applications and solutions over time? Are insurer’s estimates of maximum probable loss becoming increasingly less dependable? Are the long tails of (systemic) cyber risks simply too long and too hidden too deeply in the “unseen expanding cyber black holes” for either current or emergent risk loss valuation models to ‘find’ (even if the models are generated by LLMs)?
This hypothesis holds true for commerce transactions and interactions for all lines of insurance whose clients (whether B2C, B2B, B2B2C, C2C) are employing increasingly more cyber applications and solutions (and not just personal / commercial P&C insurance). It holds true for increasingly more aspects of life, inclusive of utilities, town governments, city governments, State governments, and Federal (or National) governments.
A corollary to the hypothesis is that risk managers of all flavors (CFOs, CSOs, CISOs, CROs) employed by corporations / organizations of all sizes across the entire spectrum of industries need to craft and continually strengthen cyber security and resilience strategies which have minimal dependence on cyber insurance coverages being available.
Growth and Shrinkage of Total Insurable Space
(Notes: I equate “assets” with “artifacts”, as well as equate “digital assets” and “cyber assets” with “intangible assets” throughout this blog; I distinguish between digital and cyber applications and solutions – but that distinction merits both another blog and a discussion in my next book about the insurance commerce in The Cyber Age.)
The insurable space grew since early times as the world became more filled with analog assets and their attendant risks. If we could visualize the evolution of society from an asset perspective, we would “see” that expansion of analog assets and then an increasing volume of digital assets and their attendant risks until we stopped the images just immediately before the Cyber Age began. At that point, we’d notice the emergence of cyber assets (note: cyber assets differ from digital assets – for me, cyber assets encompass a gradient of mobile, digital, web-enabled, cloud-deployed capabilities amplified by various applications of different AI technologies).
If we start the asset perspective “projector” again, I believe we’ll “see” a world of analog and digital assets joined by an increasing volume of different types of cyber assets with the concomitant risks to each of the three types of risks, and their combinatorial interactions, expanding in types and numbers.
As the volume of cyber assets expands, I am hypothesizing that the total insurable space to generate underwriting profit will shrink. I don’t have a % underwriting profit amount of shrinkage or estimated speed of shrinkage. (See visual.)
Insurance Industry Origins and Continuing Evolution
The insurance industry was born from a world of analog assets (e.g. physical artifacts or tangible assets). Risk management / mitigation was primarily focused on the losses from risks occurring between:
- people and elements of nature
- people and analog assets
- people and other people
- people and elements of nature and analog assets.
As the decades progressed from “earlier times”, increasingly more digital assets (e.g. intangible assets) emerged which changed the risk landscape from the various combinations of people with analog, digital, and elements of nature entities that could or did cause loss events to happen.
Expanding cornucopia of intangible assets
Intangible assets are generated through abstraction, conceptualization, and design (three innate capabilities of humans). These three innate human capabilities either alone or in some combination enable intangible assets to emerge from digitization and modeling. The insurance industry has been at an inflection point witnessing an expanding cornucopia of intangible assets since before and certainly at the beginnings of The Cyber Age.
With this expansion, risk management / mitigation has to contend with increasingly more entities – and their various interactions – that could or do cause loss events to happen (e.g., entities are people, elements of nature, physical artifacts, digital artifacts, and increasingly cyber artifacts).
Evolving nature of intangible assets
The nature of intangible assets is changing from pre-Cyber Age. The major (historical) intangible assets are no longer intellectual property, reputation, brand, and goodwill. Obviously, these continue to exist and are becoming more important to protect in the Cyber Age.
However, intangible assets now include digital assets and cyber assets.
I suggest the historic elements of intangible assets are becoming more fragile, more brittle, more ‘exposed’ to theft, damage, or destruction in the Cyber Age. But one key evolutionary change of the risk space is that intangible assets also encompass digital and cyber pathways (interactions, processes, activities) and products which companies use to enable fulfillment of commerce objectives.
The word ‘satisficing’ comes to my mind as table-stakes which every member of a commerce interaction must offer (to customers, to other employees, to any and all participants in every ecosystem that a company relies on to complete the commerce transaction or interaction) in the Cyber Age involving intangible assets.
(From Wikipedia: Satisficing is a decision-making strategy or cognitive heuristic that entails searching through the available alternatives until an acceptability threshold is met, without necessarily maximizing any specific objective.)
Intangible assets – encompassing both digital artifacts and cyber artifacts – are becoming more and more important in the Cyber Age. Moreover, the number of intangible assets is continually expanding.
The evolution of the mixture of physical assets to intangible assets is increasingly skewing to intangible assets. Moreover, intangible assets are being chained together with other intangible assets (and physical artifacts) to form an ever-expanding mesh network. Commerce participants are not just more reliant on intangible assets; they’re becoming immersed in the ever-expanding mesh network of intangible assets. An associated expanding robust set of potential systemic cyber risk opportunities is a very real outcome.
Is profitable underwriting possible throughout the decades of the present and future Cyber Age?
Can the insurance industry (profitably) maintain its role as a risk management / risk mitigation player in a world with a seemingly never-ending growing volume of stand-alone and linked intangible assets?
My point is that as the elements of risk change, so does the risk environment. In turn, so does the abilities for insurers to generate combined ratios under 100% from the evolving risk environment. The “models” of generating underwriting profit which existed before the Cyber Age do not apply during the present and future Cyber Age.
To repeat again: Is the “total insurable space” that enables profitable underwriting shrinking as society continues to use increasingly more cyber technology-enabled tangible and intangible assets throughout the current and future Cyber Age?
Related questions:
- Are insurer’s estimates of maximum probable loss becoming increasingly less dependable? Will they become increasingly less dependable?
- Is the long-tail nature of (systemic) cyber risks becoming all too real and too complex to justify selling cyber insurance (assuming the insurer wants to generate profitable underwriting)?
You know my answers to both of the above questions. I believe the total insurable space to generate profitable underwriting is shrinking as the nature of commerce becomes increasingly brittle and involuntarily more transparent.
What’s your answers? And why are those your answers?
Note: The repetition of phrases and terms in this blog are some of the excellent reasons why I’m fortunate to work with an editor – Patrick Wraight from Wells Media Group, Inc. – to ensure they don’t occur in my book.
Rabkin's Opinions 