How are cyber risks managed by insurance companies? (1/2)
The digital revolution has changed the face of the global economy. Technological progress and the development of new information and communication systems have considerably changed our societies. Indeed, the development of new technologies is evidence of a real societal change in which digital information and electronic communications are the keystone, as they affect the way we communicate, exchange and understand the world around us.
Nevertheless, the ubiquity of computing in our lives – leading to a situation of cyberdependence on digital systems – is not without risk, as it inexorably leads to increased exposure to cyber security incidents.
In this context, insurance companies saw an opportunity for growth and began to think about and offer new insurance products that aim to cover the damage that would result from an IT security incident. While this market has been constantly evolving in the United States since the early 2000s, it appeared more recently in Europe and is struggling to take off.
Because cyber risk is by nature complex and dynamic, there are a number of difficulties in analyzing this risk, which slow down its transfer to the insurance industry. In this article, we will focus on two of these difficulties: the particular expertise required for the analysis of this risk, and the strong correlation of this risk.
A risk analysis requiring special expertise
Risk pooling requires a precise actuarial analysis to determine, on the one hand, the final burden that will fall on the insurer in the event of a claim and, on the other hand, the premium that will be paid by the insured. The actuarial definition of cyber risk cannot rely solely on mathematics and historical data; it also requires specific technical skills, in particular in computer security and information systems architecture.
A highly correlated risk
Digital technology has fostered a situation of cyberdependence on information systems, which has led to the development of interdependence between organizations. However, this interdependence of organizations is not without risk, as it leads inexorably to a greater simultaneous exposure of entities to a cyber threat. According to the principle of risk mutualization, at the heart of the insurance activity, the contribution paid by an insured person is added to the contributions paid by all other insured persons. The pooled contributions are then used to settle the claims of those insured who suffer a loss. Consequently, mutualization is only worthwhile if a sufficiently small number of insured persons are affected simultaneously by the same claim. This correlation poses difficulties, firstly, in determining the premium and, secondly, in assessing the losses incurred, which is made complex (or even impossible) by the multitude of actors who are victims simultaneously, often located in different places.
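The effect of correlation on mutualization can be made concrete with a small calculation. The following is an added example, not taken from the article: it compares a portfolio of independent insureds with a hypothetical "common-shock" model in which, with some probability, a single incident hits every insured at once (the cyber analogue of a widely used component or provider failing). Both models are calibrated so that every insured has the same expected loss, and hence the same premium; only the correlation differs. The parameters (5 % claim probability, 2 % common-shock probability, 100 policies, a pool that can absorb 20 claims) are constructed for illustration.

```python
from math import exp, lgamma, log


def binom_pmf(n: int, j: int, p: float) -> float:
    """Exact Binomial(n, p) probability of j claims, computed in log space so
    that large n neither overflows nor raises (tiny terms just become 0.0)."""
    if p == 0.0:
        return 1.0 if j == 0 else 0.0
    if p == 1.0:
        return 1.0 if j == n else 0.0
    log_choose = lgamma(n + 1) - lgamma(j + 1) - lgamma(n - j + 1)
    return exp(log_choose + j * log(p) + (n - j) * log(1.0 - p))


def binom_tail(n: int, p: float, k: int) -> float:
    """P(X >= k) for X ~ Binomial(n, p)."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(binom_pmf(n, j, p) for j in range(k, n + 1))


def shock_free_claim_prob(p: float, q: float) -> float:
    """Per-insured claim probability outside a common shock (hypothetical
    common-shock model). Chosen so that each insured's marginal claim
    probability is still p, i.e. q + (1 - q) * p_free == p, which keeps the
    expected loss, and therefore the premium, identical in both models."""
    if not 0.0 <= q <= p < 1.0:
        raise ValueError("need 0 <= q <= p < 1")
    return (p - q) / (1.0 - q)


def marginal_claim_prob(p: float, q: float) -> float:
    """Marginal claim probability of a single insured under the common-shock model."""
    return q + (1.0 - q) * shock_free_claim_prob(p, q)


def tail_independent(n: int, p: float, k: int) -> float:
    """P(at least k of n independent insureds claim in the same period)."""
    return binom_tail(n, p, k)


def tail_common_shock(n: int, p: float, q: float, k: int) -> float:
    """Same probability when, with probability q, one event hits every insured."""
    p_free = shock_free_claim_prob(p, q)
    all_hit = 1.0 if k <= n else 0.0
    return q * all_hit + (1.0 - q) * binom_tail(n, p_free, k)


def var_avg_independent(n: int, p: float) -> float:
    """Variance of the average loss per insured; shrinks like 1/n, which is
    exactly the benefit mutualization relies on."""
    return p * (1.0 - p) / n


def var_avg_common_shock(n: int, p: float, q: float) -> float:
    """Variance of the average loss per insured with a common shock. The second
    term does not depend on n: adding insureds cannot diversify it away."""
    p_free = shock_free_claim_prob(p, q)
    return (1.0 - q) * p_free * (1.0 - p_free) / n + q * (1.0 - q) * (1.0 - p_free) ** 2


def compare(n: int = 100, p: float = 0.05, q: float = 0.02, capital: int = 20) -> dict:
    """Side-by-side view for a portfolio of n policies paying 1 unit per claim.
    `capital` is the number of claims the pooled premiums plus reserves can
    absorb before the pool is exhausted."""
    return {
        "p_exceed_independent": tail_independent(n, p, capital),
        "p_exceed_common_shock": tail_common_shock(n, p, q, capital),
        "var_avg_independent": var_avg_independent(n, p),
        "var_avg_common_shock": var_avg_common_shock(n, p, q),
    }


if __name__ == "__main__":
    # Constructed parameters: 5 % claim probability per insured per year, and a
    # 2 % chance per year of a single incident that hits the whole portfolio.
    for n in (100, 1_000, 10_000):
        r = compare(n=n)
        print(f"n={n:>6}  P(claims > 20): independent={r['p_exceed_independent']:.2e}  "
              f"common shock={r['p_exceed_common_shock']:.3f}   "
              f"Var(avg loss): independent={r['var_avg_independent']:.2e}  "
              f"common shock={r['var_avg_common_shock']:.4f}")
```

Running it shows the two faces of the problem described above. In the independent portfolio the chance that 100 policies produce more than 20 claims is negligible, and the variance of the average loss keeps falling as the pool grows. With the common shock the pool is exhausted with at least the 2 % shock probability no matter how many policies are written, and the variance of the average loss settles at a floor that no amount of pooling removes: this is what "a sufficiently small number of insured persons affected simultaneously" means in numbers, and why a premium computed from independent frequencies alone would be too low.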
In our next article, we will discuss the lack of reliable statistical data and the legal uncertainty surrounding the insurability of certain risks.