October 15, 2020
In the last few years, despite an increase in the frequency of cyberattacks, the market has seen cyber insurance rates decline and coverage broaden. This broadening of cyber coverage has led insurers to be exposed to more complicated cyber risks and has increased the complexity in identifying, assessing, and managing cyber risk. In 2018, for example, many insurers broadened coverage to include Non-IT vendors of insureds, leaving insurers exposed to a broader range of events.
One example is that the covered risk grew to include a workforce management platform used by a supplier of the insured. If the supplier were then targeted by a cyber event that disrupted it and, consequently, the insured, this event would now trigger a business interruption claim.
Other examples of the increasing reach of aggregation can include payroll and accounting software that might lead to privacy claims, as well as aggregations of underlying content delivery networks and other critical network points of failure.
In addition, a number of factors are constraining the market’s capacity to write business. These include regulatory concerns around capital adequacy related to the Covid-19 pandemic, as well as Lloyd’s efforts to reduce poor performance across all business lines.
As insurers finalize a renewal strategy within this context, it is important to more accurately understand the expected performance of individual policies. This will enable them to calculate a long-term loss ratio. When taking the long-term loss ratio into consideration alongside other renewal factors (such as customer relationships, catastrophe concentrations, and company and industry concentrations), insurers can make more data-driven decisions for their renewal strategy focused on policy profitability.
When considering renewing policies, most insurers can place their business into the following five buckets, which then drive their renewal approach. Note that discounting is not recommended below; however, it may be appropriate in some circumstances.
In addition to the usual factors used to make decisions around renewal options in each bucket, access to the following data can bring to light unique aggregations within a portfolio and alter renewal decisions:
To fully understand the extent to which each policy contributes to normal portfolio performance and adverse risk, insurers need to calculate the expected loss ratio per policy and the extent to which this might vary. Enhanced visibility of the cyber security posture of the companies insured can allow for greater precision in understanding the risk and thus the portfolio’s exposure to attritional, large loss, and catastrophic cyber events.
In order to calculate the loss ratio per policy, one needs to calculate a long-term loss ratio using simulation techniques and to take into consideration the premium collected. Segmenting by profitability in this way allows insurers to steer their portfolios and provide better underwriting guidelines.
In order to better diversify an existing book, an insurer would need to know which scenarios are likely to affect multiple companies. One way to do this is to quantify whether a new policy correlates with existing risks or if it adds diversification to the existing policies in a book. This is important to reinsurers thinking about how a book of business diversifies against their other books, and to primary insurers writing higher limits.
Kovrr identifies the main contributors to the annual average loss and to the events driving the tail. This allows exposure managers to understand how potential hidden aggregation stacks up to substantial damage caused by multiple small events (“death by a thousand cuts”), or which events cause significant damage to a large part of the portfolio at a single point in time.
The Kovrr platform can surface the areas of greatest risk aggregation. For example, there are many common technologies that are shared by a majority of clients, such as a Windows operating system for employee endpoints. However, obscure third-party libraries or service providers that power other products can often lead to an unintentional aggregation significantly out of line with their market share. Awareness of this enables insurers to consider if they wish to reduce these exposures.
In cyber risk, understanding the underlying technologies and services used by companies within the portfolio is key to understanding avoidable aggregations. These aggregations concentrate your exposure to a single risk which may lead to greater losses than expected if that risk were to be triggered. Use of cloud services is one such example.
Small- to medium-sized businesses in the legal and accounting industries in the United States are likely to use Azure cloud services, but other specific industries have a tendency to use Amazon Web Services. While portfolio managers may be expecting a particular aggregation in a cloud provider such as AWS, there may also be more obscure aggregations, which can be useful knowledge for managing their portfolio’s exposure.
Kovrr has identified three cyber risk elements: location, industry, and entity size. The CRIMZON™ framework defines the minimal elements needed to provide a view of aggregated cyber exposure. CRIMZON allows for analysis across multiple portfolios of risks and monitoring of exposure trends.
Insured risks with these characteristics in common will tend to “occupy” the same, or neighboring, CRIMZON.
They tend to be exposed to similar types of cyber issues, and therefore potentially contribute to cyber catastrophe events. They are likely to have cyber proximity, similar to geographical proximity within a CRESTA Zone.
Additionally, applying the limit per CRIMZON enables insurers to show particular concentrations or, conversely, that their risk profile is spread across a large number of risks.
Understanding the proportion of the loss ratio that relates to catastrophic events enables better alignment of the renewal portfolio with your risk appetite.
This proportion can vary significantly by industry. A healthcare institution could have significant losses due to a negligent breach of health data, whilst a data breach at a charity is likely to be less catastrophic in terms of the data’s value.
However, even within the healthcare sector, a particular institution could be more vulnerable to catastrophic cyber events as a result of its hardware and software infrastructure and configuration. This may make it more susceptible to a data breach or make it a more attractive target. Both the catastrophe exposure of different industries and the differences between industry peers are relevant when considering which risks are more attractive at renewal.
Gathering the information above will help segment policies according to profitability levels. In order to illustrate an example decision process below, numbers have been applied to represent reasonable “claims ratios.” The use of these numbers is in no way suggesting what claims ratios should be for an organization. Kovrr recommends tailoring these numbers to your organization’s preferences. This will enable proper segmentation according to your organization’s risk appetite and other elements related to your company’s cyber risk exposure.
Given the general increasing level of cyber threat, Kovrr would recommend against actively discounting unless the expected loss ratios are significantly favorable. Avoiding discounts makes it easier to retain flat rates or limit price increases going forward.
Below is an example based on a hypothetical target claims ratio of 60%, segmenting existing policies into five buckets:
When rates are significantly below the target claims ratio, if the other elements taken into consideration are also positive and policy coverage is not being broadened, it is key to ensure that the policy remains within the insurer’s book. Therefore, it may be sensible to discount upfront or in a negotiation to ensure the policy is retained.
When rates are below the target claims ratio and other characteristics are positive, some discount could be considered in negotiation in order to retain the policy. However, staying flat or even, if possible, applying a small uplift enables any future price rises to remain limited.
As per bucket B, it is sensible to uplift the price, but if the loss ratio is favorable and other characteristics are positive, staying flat might be considered in negotiation in order to retain the policy.
If other characteristics are adverse and the renewal strategy is working well, it may be worth declining to renew. If other characteristics are positive, then an uplift might be considered at a level that would bring the insurer closer to their target claims ratio over a two- to three-year period.
If other characteristics are favorable, renew with a sufficient uplift to bring the insurer closer to breaking even, with the intention to continue the increases.
At the same time that the market is experiencing increasing cyber insurance rates, some insurers are constrained in the extent to which they can take advantage of the premium rate rises. This creates an opportunity for portfolio optimization for insurers who have, until now, been following a year-on-year growth strategy. When considering renewing policies, insurers can combine their traditional considerations with additional data points to better target rate rises and potentially apply reductions to retain the best risks.
The Kovrr platform can be used to calculate expected loss ratios by policy, gain quantitative and qualitative insights on aggregations of technologies and services used, understand the catastrophe element of loss ratios, and gain additional insight on the policies that can better diversify their portfolio.