At the recent PLUS Cyber Symposium in New York City, experts discussed the evolving landscape of cyber insurance. As rates stabilize, insurance companies are looking to diversify their portfolios to support growth and manage risks better.
Crystal Boch, head of cyber analytics at Aon Re, highlighted that insurers are exploring traditional diversification methods, such as expanding into various industries and regions. However, she noted a shift towards more sophisticated strategies, particularly in understanding technology dependencies that could pose risks. Many carriers are investing in advanced scanning tools to pinpoint these vulnerabilities.
One significant area of focus is cloud outage risks. Recent research from Parametrix and Aon showed that spreading risk across different geographical regions can significantly reduce reliance on any single cloud service. This approach helps mitigate potential losses from cloud outages, which are becoming increasingly common.
Boch also emphasized the importance of engaging small and medium-sized enterprises (SMEs) in purchasing cyber insurance. While larger companies have traditionally dominated the market, there’s been noticeable progress in getting SMEs to recognize the need for coverage. As these smaller businesses learn from cyber incidents, their understanding of risk is improving, leading to better modeling practices.
The discussion also touched on the evolution of cyber risk modeling. Boch pointed out that models have become more credible and accepted among traditional insurers and reinsurers. There’s a growing consensus on the main threats, with malware and ransomware identified as the top risks, followed by cloud-related issues.
Jonathan Hatzor, CEO of Parametrix Insurance, noted a significant shift in how carriers structure their reinsurance. Many are moving from quota share arrangements to excess of loss programs to better manage systemic risks associated with cyber threats. This change reflects the industry’s need for consistent language and understanding when discussing risks.
Mark Camillo from CyberAcuView pointed out that while progress has been made, data collection remains a challenge. Insurers often find it difficult to assess the full impact of cyber incidents immediately after they occur, which can lead to inflated initial loss estimates. This uncertainty can persist for months as claims are processed and actual losses are determined.
Pascal Millaire, CEO of CyberCube, added that while the industry has yet to face a major accumulation event, smaller incidents have provided valuable insights into managing risks. He believes that cyber risk models have come a long way in recent years, thanks to significant investments in data and technology.
Overall, the symposium underscored the importance of adapting to the changing cyber landscape. As insurance companies refine their approaches and models, the focus on understanding and managing risks continues to grow, paving the way for a more resilient cyber insurance market.