Tag Archives: cyber risk

Milliman’s Elizabeth Bart cited by Canadian Underwriter on cyber insurance

Milliman consultant Elizabeth Bart recently spoke with the magazine Canadian Underwriter for an article on cyber insurance. In the article, entitled “Cyber insurance policies expected to become more similar in next few years: CIFF speaker,” Bart discusses how the Internet of Things (IoT) could influence personal lines of insurance, and how moving forward the collection of data could prove critically important.

As a consulting actuary for Milliman, Bart has published a number of papers on cyber insurance including case studies and questions to consider before offering cyber coverage.

Pokémon GO and the non-augmented reality of risk

Pikachu and his friends have caused quite a frenzy recently. While people are enthralled with Nintendo’s Pokémon Go, the GPS-based augmented reality (AR) game presents several risks to its developer and its gamers. In his article “Pokémon Go and augmented reality: Not all fun and games,” Milliman consultant Michael Henk discusses some of these AR technology-related risks.

Concerning personal injury risks:

Firstly, AR products like “Go” provides yet another “distraction.” We’re all aware of the dangers of being “distracted.” Texting while driving is illegal in a number of cities and states throughout the country. However, drivers aren’t the only ones being distracted. Distracted walking is a growing problem, one that has arisen naturally with the increasing dependence on mobile electronic devices and one that “Go” is already contributing to. There are anecdotes all over social media about players so engrossed in catching virtual monsters that they’re running into walls and walking in traffic. …

…“Go” may lead to an increase in distraction-caused injuries and pedestrian-vehicle injuries, which is currently the fifth-leading cause of death for children ages 5 to 19. It’s not inconceivable to imagine an incident in which both the driver and the pedestrian are distracted, maybe by the same “rare” Pokémon.

What about cyber risks?

Aside from “IRL” (in real life) dangers, there’s a data security concern with some early installs. Some iOS installs of the software require the user to provide the app with full access to their google accounts, which allows access to their Gmail (theoretically being able to send e-mail from your account), files stored on Google Drive and Google Photos, among other content. The developer has responded and said this was done erroneously, and that permissions will be corrected soon, but it’s important to make sure that users know exactly what programs on their devices have access to. There are other concerns about downloading the program from non-official app stores as well, but that stands for all programs and is definitely not a “Go”-specific concern.

Legal risks?

…There’s a significant risk for trespass with AR games that utilize real-world locations. It remains to be seen whether an AR developer placing cyber-content on your property constitutes trespassing or if AR users are “engaged on a cyber plane on which you have no exclusive property claim.” There’s another legal concern with “attractive nuisance,” which states that property owners are responsible for eliminating dangerous conditions on their property which may attract children. “An individual who fails to rectify an attractive nuisance on their property is civilly-liable to injury a child sustains on it, even if the child was trespassing.” Sounds like something that may happen in the pursuit of a rare Pokémon.

Cyber risk landscape exposes insurers to new opportunities

As the cyber liability insurance market catches up with constantly evolving exposures, opportunities also continue to present themselves. In a recent Risk & Insurance article, Milliman’s Tom Ryan and Elizabeth Bart discuss some of the cyber market’s challenges and opportunities. They also discuss the sector’s current state and what lies ahead.

Here is an excerpt:

Tom Ryan, principal and consulting actuary at Milliman, describes the cyber insurance market as both “crystalizing and diversifying.”

“There are at least 40 different policy forms in use right now for cyber liability,” he said. “It’s like comparing apples to oranges to kumquats. However, Insurers are now in the process of smoothing out the wrinkles and developing some standardization of language and coverage.” …

…Insurers benefit by going beyond coverage and offering risk management tools and services to their insureds.

“Some carriers are getting really savvy about cyber. They want to avoid the losses as much as their insureds do,” [Elizabeth] Bart said. “So they get the right people in the right place. The right lawyers, the right PR team, and the right IT vendors.”

“We are seeing a lot of experts come into the insurance industry with knowledge of the hardware and software components of internal systems,” Ryan said. “They have a better understanding of how hacking happens.”

Limited capacity in cyber liability insurance is another hurdle that companies and insurers must navigate. The formation of an industry cyber insurance pool could increase options on the market and reduce the risk incurred by individual insurers. Tom’s article “Cyber liability insurance: As the market heats up, is it time to cool off in a pool?” provides more perspective.

Insurance pool may increase cyber liability market capacity

The cyber liability insurance market faces several challenges limiting insurers’ offerings. Forming cyber liability insurance pools could result in greater capacity for the market and less risk to individual insurers, according to Milliman consultant Tom Ryan. In his co-authored article “Cyber liability insurance: As the market heats up, is it time to cool off in a pool?,” he details the benefits of such a pool.

Broader participation and greater capacity. Smaller insurance companies looking to expand their business could participate in a cyber liability pool. This would allow them to access this growing market without the customary start-up costs and limit their liabilities to match their own appetite for risk. In addition, capital could be provided by other financial entities looking to diversify their investment portfolios.

Sharing of information regarding risks. As pool members and policyholders are confronted with new types of cyberattacks, they can share information rapidly. This can result in a quicker reaction and response, hopefully limiting the spread of the problem. A possible additional benefit of a pool (particularly one with a credible number of participants) could be to seek government approval for liability protection for the sharing of data between pool members and insureds. Similar protections for sharing of information were implemented previously to combat the perceived Year 2000 (Y2K) threat.

Standardization of application process. Applications for cyber insurance today have become increasingly detailed and complex and vary by insurer. It is often hard for potential policyholders to get all the information required, which may discourage them from purchasing the insurance. A standardized application may lead to greater efficiency in the underwriting process and to more potential insureds entering the market.

Elevation of cyber protection standards. Cyber protection standards for acceptance by the pool can be selected and maintained at higher levels. Pooling information can result in quicker identification of best practices, which can be shared with all members. This may result in improved protection and lower projected losses.

Uniformity of policy coverage. Pools could offer standardized policies making it clear what is covered and what is excluded. This would cut down on the time and expense policyholders currently spend comparing policy offerings.

Elimination of duplicate claims costs. The greater the number of insureds covered by the pool, the less likely claims will overlap. For example, if there were multiple breaches at different retail entities covered by the pool, identity theft monitoring could be performed by the pool for those consumers with exposure at each of the retail entities, instead of multiple monitoring covered by each different insurer if the retail entities were covered separately.

Protection of insurer pool members. A larger pool results in greater business volume and greater leverage for the potential purchase of protection for the pool from reinsurance or capital markets. The concentration of risk may also help in the discussion of potential government backstops that could become available.

Bolstering insurers’ cyber defences

This latest edition of Milliman Impact entitled “Bolstering insurers’ cyber defences” explores the efforts of U.S. insurance regulators to address cyber security risks.

Here’s an excerpt:

Unsurprisingly, insurer cyber security has become an important issue for US regulators in recent years.

In the spring of 2015, the New York insurance supervisor wrote to more than 160 insurers encouraging them to view cyber security as an integral aspect of their overall risk management strategy. It also announced enhancements to the IT examination framework to include more detailed questions on an insurer’s cyber security policies, protections, and procedures.

More significantly, the NAIC has engaged in a burst of activity, having taken the significant step of establishing a Cyber Task Force in November 2014.

Creating the task force demonstrates US insurance supervisors’ commitment to addressing cyber security in the insurance sector, according to Christine Fleming, claims management consultant at Milliman in Boston….

The task force’s comprehensive work plan and timetable speaks volumes to the significance and urgency that US insurance supervisors and commissioners now place on cyber security, explains Fleming.

The task force is concerned with both the protection of consumer data held by insurers and improved monitoring of insurers cyber underwriting activities and exposures. During 2015, the NAIC embarked on four major work streams:

• Establishing guiding principles on cyber regulation
• Creating a Consumer Bill of Rights
• Modernising examination protocols to include cyber security
• Including a cyber security statement in insurers annual statement

Pricing cyber risk, difficult but not impossible

Exposure to cyber risk concerns many organizations. However, sparse insurance-specific data make it difficult for actuaries to price cyber risk for small- and mid-size organizations. In this article, Elizabeth Bart explains three cases where she used untraditional methodologies to develop cyber insurance services. The excerpt below highlights one of the three situations.

A new cyber writer

A European cyber reinsurer with a focus on small- to mid-sized businesses started offering a cyber insurance product in the United States that is similar to its European one. Its original filing submission to states’ departments of insurance (DOIs) was based on reinsurance pricing which responded to competitive rates in the market. However, the DOIs rejected a majority of the filings because they lacked actuarial support.

For the same reasons cyber insurance buyers have a hard time comparing policies, comparing rate filings among competitors is equally challenging. With each insurer offering different cyber coverages, services, and limits, the severities, frequencies, and underwriting guidelines tend to be very different.

Relying on publicly available, generally accepted, nonspecific cyber frequency and severity information was the most straightforward way to support the premiums. There was not sufficient credible historical loss data available from the insurer, there was nothing comparable from other insurers’ filings, and, as mentioned, there was no aggregate insurance industry data available. With the insurer’s focus on small- to mid-sized businesses, the competitive marketplace was dictating premiums under $10,000 (depending on the size of the insured and the coverage limits). For this pricing, the Ponemon Institute’s often referenced $15 million loss event is not a likely scenario for this group.

By working with a combination of the client’s own reinsurance data and by data mining publicly available cyber data specific to the target insured, we were able to determine applicable frequencies and severities to demonstrate the appropriateness of the originally filed rates and successfully get approval for the premiums in all states.