NEW YORK — The time to manage cyber risk aggregation is now. It may be an uphill battle against a lack of historical data and of certainty about the risk, but the industry appears to be on the right track, according to a panel of experts speaking during Advisen’s Cyber Risk Insights Conference here on Oct. 26.
Currently, determining whether insurers are well capitalized to handle cyber risk aggregation is “basically impossible” due to a lack of data, according to Fred Eslami, senior financial analyst and cybersecurity leader for A.M. Best. Traditionally, the roads to impairment for insurers have been underreserving, expanding too quickly, and natural catastrophe losses. Ratings firms have metrics to input into their capital models for those risks – not for cyber, but Eslami added that they are making strides.
For insurers to accurately reflect cyber risk in their pricing, according to Tracie Grella, global head of cyber risk insurance, AIG, they must gain more granularity about their clients’ operations, including the type of data they hold, their vendor relationships, and the software they use. She added that the greater level of detail is needed not only within the cyber product but also for the exposure across the entire book of business.
“All of that needs to come together,” said Grella. “I haven’t seen a lot of underwriting for cyber on the non-cyber products. I think that needs to change. We have to ask the right questions of our clients.”
“I’m almost certain none of those risks were underwritten [for cyber],” she said, adding that the cyber market would have underwritten the exposure, priced for it, and managed limits on it. However, many companies write both cyber and property, so a full enterprise look at the risk is necessary.