A Few Insurer Cyber Cover Questions for 2025 (Reprint from August, 2025)

I hope that insurance actuaries and other insurance professionals tasked with pricing and writing cyber insurance policies ask themselves questions like these:

  1. Are we taking into account that, as we continue to sell cyber insurance in the Cyber Age, AI technologies and their applications are increasingly making the risk space behave more indeterminately – more probabilistically – that is, more like a natural ecosystem driven by complex adaptive system behaviors?
  2. Are we taking into account that the cyber risk space is neither stable nor mature … nor will it ever become stable or mature? Are we taking into account that the cyber risk space is a never-ending, always-unfolding topographical space where increasingly complex cyber risks will emerge (making the CrowdStrike cyber incident seem like a young child’s afternoon tea party)?
  3. Are we comfortable with our estimates of the maximum probable losses (MPL) of the cyber cover we are selling to each prospective client, both at the time of policy application and as they change throughout the policy time period?
  4. Are we comfortable offering cyber cover to companies where we will experience long-tail losses at some point in the policy time period that will prove to be too costly for our cyber book of business?
  5. Are there markets where we should not be offering cyber coverage at all? (e.g. healthcare, utilities / energy firms)
  6. Are there markets or companies within markets where we should lower the amount of cyber cover we offer to protect our downside?
  7. Are we comfortable with our analysis of the various ways that our prospective cyber coverage client can be cyber-attacked at the time of policy application and throughout the policy time period? (e.g. Have we taken systemic cyber attacks into account? Do we even agree about our definitions of systemic cyber attacks?)
  8. Are we comfortable with the amount of financial capacity we are putting at risk for each prospective cyber client and for our entire book of cyber clients?
  9. Have we identified other cyber risk mitigation avenues that let us remain a participant in the cyber market while lowering the amount of our company’s risk capacity in play? (e.g. For each prospective cyber client, have we identified ways that ILS cyber cat bonds might be used? Have we identified ways that we could front cyber captives for some of our clients?)
  10. The cyber risk management space is full of “what we don’t know” and, as a kicker, cyber risks continue to evolve in number, shape, and complexity – how can we reduce more of “what we don’t know” regarding the evolving cyber risks and evolving cyber-attack space?

I fully realize these questions are just a very small number of a very large set of questions which insurers should be asking themselves regarding selling cyber insurance.

One principle should guide insurers’ participation in the cyber market: “Just because a risk exists does not mean insurers should offer coverage for that risk.”
