An all-star cast of cyber insurance experts took to the stage to decode issues around cyber insurance and what the industry could be doing better.
A packed room of Airmic Conference attendees were treated to an ensemble cast of cyber insurance expertise in a Tuesday afternoon seminar which asked the question: “Cyber insurance – going nowhere or going somewhere?”
Asking the questions was Mark Pollard, chief operating officer of MIRIS, the newly-created mutual insurance and reinsurance company for cyber risks, member-owned and incorporated in Belgium.
Pollard began proceedings by providing the panel with an assumption to discuss, that insurers have struggled with cyber risks for some time.
“There are two reasons for this,” he said. “First, they’ve struggled to produce a credible stochastic model.”
Secondly, he blamed a lack of useful historical data for insurance’s shortcomings.
He added: “The evolution of cyber risk has been so rapid that it is difficult to create a stochastic model, even if the data were good. The result is you can’t Monte Carlo model the future out of the past.”
First to answer was a risk modelling expert from Marsh. Scott Stransky is head of Marsh McLennan’s Cyber Risk Analytics Centre.
“It’s an interesting assumption, and I think parts of it are true,” Stransky said.
“There are different types of cyber models; there's what we call attritional or individual risk models, which look at single events, hitting single companies, that I think we can actually model quite well,” he said.
This is largely due to a wealth of claims data for data breaches, he noted. However, a lack of transparency around cyber loss events means this data is kept in the dark, unlike, say, hurricane data used for the insurance industry’s more advanced catastrophe risk models.
“Then there are the catastrophic or systemic events, that lead to many companies getting hit at the same time, across multiple insurance carriers. It’s on these that I think we're doing less of a good job, and that's where your assumption does hold up,” Stransky conceded.
Much of this is because nobody has the answers yet, for a scenario such as a major cloud provider going offline due to a major cyber-attack, he suggested.
“You're going to have a lot of insurance going down at the same time; there are going to be a lot of business interruption losses; there's going to be lost revenue, extra expense, all sorts of things,” he said.
“We don't really know how likely this is to happen. There are a lot of experts who can tell you it’s a one-in-100 or 150 year event, but nobody really knows,” he added.
Much cyber insurance is actually not insurance but risk management, according to the type of work that takes up Vanessa Leemans’ time. She is head of cyber for the UK and Lloyd’s at AXA XL.
“I think it's important to look at the key differentiation of individual risks to assess them. We meet clients face to face and ask probing questions,” she said.
“For example, do they have multi-factor authentication? We also look if clients have critical backups and are these tested every year? We look at the incident response management of a client, which is really important that it's put into practice through cyber incident response exercises. We ask questions all the way up to supply chain risk management,” Leemans added.
Kieran Shiret, cyber underwriter, Tokio Marine Kiln, noted that with 20 years of claims data, his firm is able to tailor, for example, to be appropriate for a UK retailer, noting that exposure might be radically different than for historical losses in the manufacturing sector.
He noted that 30% of British businesses have in the last 12 months faced some form of cyber-attack or intrusion to their network, such as denial of service attacks.
“From a personal perspective, my mortgage relies on this market going somewhere!” Shiret said. “The demand is there. In the six years since I joined the cyber market there's been a huge evolution, to the point now where we're using threat intel methods, and underwriting analytical platforms, which feed into our day-to-day underwriting.”
From a buyer’s perspective, Stuart Turner, director of risk management, Europe and APAC at Schneider Electric, agreed that demand is high.
“The minute we enter into a contract, we're asked to evidence that we have cyber insurance. Whether the people who review that certificate understand what it is or not is another matter, but it’s something that we need to do,” Turner said.
Bringing a broker’s perspective, Shannan Fort, partner, cyber, financial lines, McGill and Partners, noted that complaints about inconsistency in the cyber market – in pricing for example – are partly just a symptom of risk being unique to each organisation, more so than for many more established, commoditised lines of insurance, such as motor business.
“It's less about inconsistency, more about the evolution of the risk with the underlying technology,” she said. “We tend to forget that cyber insurance is less than 50 years old. And we're comparing it to something that has been around for three or four hundred years.”
Bringing a business continuity focus, Ben Hobby, partner, Baker Tilly, suggested this is a more complicated aspect to cyber events, because the cost in revenue terms is hard to gauge.
“Business interruption is much more challenging to deal with, principally, because there's a significantly greater number of variables,” Hobby said.
“For instance, you can look at the infrastructure setup, the age of the various applications that exist on the network, the quality of the disaster recovery plan, the timing of the event with regard to seasonality and sales, and the nature of the product itself. All of that comes together and you can get some very different outcomes,” he added.