Actuaries, insurers, regulators, and individuals—all play a part in mitigating the evolving risks.
October marks Cybersecurity Awareness Month, a crucial time to reflect on the evolving landscape of cyber risk. In an age where digital threats are becoming increasingly sophisticated, the role of actuaries in assessing, managing, and mitigating cyber risk has never been more vital. Casualty actuaries are at the forefront of this challenge, developing models and strategies to navigate the complex world of cyber insurance.

To gain insights into the current state of cybersecurity, Contingencies spoke with Wanchin Chou, chairperson of the Academy’s Committee on Cyber Risk. Chou serves as chief actuary and assistant deputy commissioner for the Connecticut Insurance Department; he sits on many committees of the National Association of Insurance Commissioners, including the Cybersecurity Working Group; and he is a current Casualty Actuarial Society board member.
Our conversation delves into the challenges facing casualty actuaries, the evolving nature of cyber insurance, and the critical steps individuals can take to safeguard their digital lives.
For Actuaries Operating in the Cyber Space:
How have risk modeling techniques for cyber risk evolved in recent years, and what challenges remain for casualty actuaries in accurately quantifying these risks?
There are human behaviors that add to the complexity of cybersecurity, and there are also various impacts from the continually changing landscape of cyber events.
Cyber risk models are different from natural catastrophe models and need more comprehensive data statistics from the industry. We have a few cyber model vendors in the industry, and the cyber models continue evolving in how to evaluate the risks effectively. It will take a few more years before we have more mature cyber models for the industry.
What are the primary sources of data that casualty actuaries rely on for assessing cyber risk, and how is the increasing use of artificial intelligence and machine learning influencing the analysis and prediction of cyber events?
From my understanding, casualty actuaries rely on the underlying cyber incidents from their cyber insurance experiences in assessing the cyber risk. They also use a deterministic modeling approach on realistic scenarios from the inputs of subject experts. Companies use model vendors like CyberCube, Cyence, RMS, and a few others in reviewing their cyber risk. The differences in probable maximum loss estimates from vendors are getting closer, but they’re still developing—and it will take a few more years for more stable, refined models.
Increasing use of AI and machine learning should be valuable in the cyber modeling work, but I cannot add more comments until the Academy’s Committee on Cyber Risk and other actuaries conduct an in-depth review of the cyber models.
For Insurers Writing Cyber Policies:
What are the main challenges that insurers face when underwriting cyber policies, particularly in distinguishing between different types of cyber incidents (e.g., data breaches vs. ransomware)?
Insurers have learned the different types of cyber incidents from data breaches, ransomware, and others. The cyber underwriting experiences are very important. The industry is still working to have a good cyber database collectively to enhance the cyber pricing and modeling accuracy.
How have cyber insurance policies evolved in response to the changing nature of cyber threats, and what are the emerging coverage gaps that insurers and actuaries need to address?
A report published in late August by cybersecurity training firm KnowBe4 calls cyberattacks on power grids, communication systems, transportation networks, ports, and other infrastructure “the new geopolitical weapon,” because such cyberattacks are often linked to foreign nations. The new report shows how cyberattacks on critical infrastructure are a rising threat to state and local governments, not only because of the data hackers might extract, but because of the potential damage they could inflict on any of the systems and physical assets that societies rely on to function properly.

Insurers have learned and tightened their underwriting criteria to better assess the risks they are assuming. However, it is a challenge for actuaries and insurers to address the coverage gaps and changing cyber incidents effectively until the data and cyber models are more developed.
For Regulators:
How are current regulatory frameworks addressing the complexities of cyber risk, and what gaps exist that regulators can focus on to better protect consumers and the financial system?
Regulators have been working with the NAIC’s Cybersecurity (H) Working Group in following the definitions and provisions of the NAIC Insurance Data Security Model Law (#668), specifically the process detailed in Section 6, “Notification of a Cybersecurity Event,” and related sections.
Regulators are working with the NAIC and the Academy’s Committee on Cyber Risk to get a better understanding of cyber risk insurance, and they are also working together to discuss the cyber data governance and cyber modeling work in the future.
What role do regulators play in standardizing data reporting and transparency requirements for cyber incidents, and how can this improve the ability of actuaries and insurers to assess and price cyber risk accurately?
Standardizing data reporting in cyber incidents and transparency is very important to improve the ability of actuaries and insurers to assess and price cyber risk accurately. The NAIC’s Cybersecurity (H) Working Group is working with other NAIC working groups to refine the cyber claims reporting, and it also expanded the working agenda to work with the Academy’s Committee on Cyber Risk and other cyber modelers to develop a better framework for cyber data and cyber models in the future.
In what ways can regulators and practitioners collaborate more effectively to enhance cybersecurity resilience, and what initiatives are currently in place to foster such cooperation?
The NAIC Insurance Data Security Model Law (#668), mentioned above, lays out a Cybersecurity Event Response Plan (CERP). A CERP is intended to support a department of insurance (DOI) in its response following notification from a regulated entity or otherwise becoming aware of a cybersecurity event at a regulated insurance entity. During a cybersecurity event, law enforcement agencies and other regulators may request information from the responding DOI. Engaging with law enforcement officials and regulators can benefit overall cybersecurity and inform the DOI’s response, provided such communication is permitted under the relevant state regulation.
Currently, the NAIC’s Cybersecurity (H) Working Group and the Academy’s Committee on Cyber Risk are coordinating meetings in cybersecurity, cyber risks education, and follow-up initiatives to enhance cybersecurity resilience.
For Individuals:
Given the increasing sophistication of cyber threats, what steps can individuals take to protect themselves, and how can actuarial insights help in promoting better cybersecurity practices among the public?
Education is very important for individuals to understand the cyber risks. The Academy’s Committee on Cyber Risk is working on promoting better cybersecurity practices among the public—more to come.
How viable is the market for personal cyber insurance, and what factors can individuals consider when deciding whether to purchase a policy?
The Committee on Cyber Risk released a new chapter in the Cyber Risk Toolkit, “Personal Cyber: An Intro to Risk Reduction and Mitigation Strategies.” The chapter identifies some penetration points of cyberattacks from an individual’s perspective and examines how an individual can work to minimize their risk of being hacked.
~ ~ ~ ~ ~
The landscape of cybersecurity is continually shifting, presenting new challenges and opportunities for actuaries, insurers, regulators, and individuals alike. Actuaries are essential in understanding and quantifying cyber risks, contributing to more effective insurance solutions in this rapidly changing field. Insurers must stay agile, adapting their underwriting practices and coverage options to meet emerging threats. Regulators play a crucial role in shaping the future of cybersecurity by closing regulatory gaps, setting data standards, and fostering collaboration with various stakeholder groups to strengthen resilience. Meanwhile, individuals must remain vigilant, armed with knowledge and resources to protect their personal information.

Cybersecurity is a collective responsibility, and as we advance into an increasingly digital world, the insights and expertise of actuaries will play a pivotal role in shaping a safer and more secure future.