Cyberprotection: the next frontier of the insurance industry

The escalating geopolitical tensions, coupled with market and societal uncertainties and the advancement of digital technologies, have fueled a surge in cyberattacks that are increasing lethal and sophisticated. According to statistics from authorized sources, these threats experienced a global uptick of 38% in 2022 compared to 2021¹, with ransomware and cyber warfare as the most prevalent and perilous.

Attackers are honing in on specific targets: critical infrastructures (telecommunications networks, hospitals, public administrations, data centers, etc.) and digital supply chains². These sectors are pivotal to economies, where the potential impact of losses is substantial and can escalate quickly. Regardless of their size or industry, both public and private entities must persist in prioritizing cybersecurity strategies and investments. This entails a comprehensive and holistic approach encompassing monitoring, prevention, response, and incident remediation.

The insurance sector plays a pivotal role in this landscape, working to substantiate its contribution. Despite significant growth in the cyberinsurance market in recent years, a substantial insurance deficit persists, slowing efforts. Public-private collaboration, bolstered by government budgets—exemplified by initiatives like the Insurance Compensation Consortium—is not only instrumental in addressing this deficit but is crucial for upholding economic and social resilience in the face of severe cyber incidents.

A relevant cyberinsurance market, tailored to today’s new realities, empowers companies to swiftly address identified cybersecurity challenges³.

While there is a widespread acknowledgment of the strategic window of opportunity that cyberinsurance offers insurance companies, there is also a clear imperative for a more profound understanding of cyber risk necessary for the continued evolution of the European sector in this domain⁴. Among the challenges to overcome for enhancing the offering are precision in gauging the impact of covered events, the scarcity of historical data, and other factors.

Ricardo González García, Director of Analysis, Sectorial Research and Regulation at MAPFRE Economics, explains in the Economics Café podcast, “There is a lack of data and limitations in predictive models for extraordinary events that allow for pricing and reserves, whether related to cyber risks or natural disasters. The solution to these gaps remains complex and even requires public-private collaborations.”

The Geneva Association has been investigating obstacles to insuring extreme or catastrophic cyber risks. Their findings underscore the limitations of current predictive models: the factors driving substantial cybersecurity losses resist modeling through “conventional statistical approaches, among other things because the extent of damage depends largely on the interaction between the incentives and resources of both attackers and victims.”⁵

For insurance and reinsurance companies, the calibration and quantification of such cyber risks is not easy. Yet, the imperative to improve in this area is undeniable, given the business opportunities and their pivotal role as indispensable agents for ensuring business continuity, as well as overall economic and social stability.

Establishing partnerships with government security agencies, critical infrastructure providers, technology companies, and other stakeholders within the cybersecurity sector is crucial for the insurance industry to adeptly comprehend and address evolving cyber risks, enabling the industry to create portfolios that align with realities and needs of today. Oscar Taboada, Head of Cyber Business at MAPFRE RE explains that “The nature of these risks, and the complex role they play in a dynamic, shifting, and worldwide context, means that it’s fundamental for us to correctly understand, analyze, control, and measure them.”

These synergies also enable the sector to expand the scale and scope of cyberinsurance protection, always considering the constraints in underwriting and assuming financial losses.

Innovating through the exploration of data models and technologies like Artificial Intelligence (AI) contributes to more effective control of these digital risks. MAPFRE, for instance, directs its focus beyond post-event response and recovery, also concentrating on the identification, protection, and detection of cyber events through innovative means.

Through proprietary solutions and those developed together with insurtechs, there are initiatives that involve the application of AI models for system risk and vulnerability analysis, response, and recovery. This collaborative effort has resulted in the development of insurance products tailored for businesses and individuals. A notable example is the “CIBER ON” insurance designed for the self-employed and SMEs, currently available through MAPFRE Spain.

Taboada highlights that “At MAPFRE RE we are actively working to understand and analyze different catastrophe accumulation models and scenarios in the face of large-scale events. We use AI, and this allows us to generate predictive and differential statistical models that can estimate potential losses.”

In the area of cyber risks, MAPFRE recently signed an agreement with Cyberwrite, an AI solutions provider for cyberinsurance. This collaboration aims to provide real-time insights into cyber risks for SMEs, offering a more precise understanding of risk during the underwriting and renewal phases of cyberinsurance. We recently spoke with Cyberwrite Chairman Hartmut Mai about this project and the current landscape of cyber risks:

MAPFRE RE has collaborated on a project with KOVRR, a company specializing in modeling and quantifying cyber risks, to enhance its understanding, analysis, and assessment of cyber risks.

Beyond corporate initiatives, MAPFRE is also actively exploring the needs of individuals in the area of personal insurance. An example of this focus is cyber protection for minors, positioned as a value proposition for families with children aged between 10 and 16. This addresses the specific risks associated with their early use of internet-enabled digital devices.

References:

1. Executive summary of the report “Cyber Risk Accumulation”: Fully tackling the insurability challenge”, page 1. Geneva Association. https://www.genevaassociation.org/sites/default/files/2023-11/Cyber% 20Accumulation% 20summary _ WEB.pdf
2. Executive summary of the report “Cyber Risk Accumulation”: Fully tackling the insurability challenge”, page 1. Geneva Association. https://www.genevaassociation.org/sites/default/files/2023-11/Cyber% 20Accumulation% 20summary _ WEB.pdf
3. “Cyber risk for insurers: challenges and risks” report, page 5. EIOPA.
4. “Understanding Cyber Insurance – A Structured Dialogue with Insurance Companies” report, page 4. EIOPA.
5. Executive summary of the report “Cyber Risk Accumulation”: Fully tackling the insurability challenge”, page 2. Geneva Association. https://www.genevaassociation.org/sites/default/files/2023-11/Cyber% 20Accumulation% 20summary _ WEB.pdf

RELATED ARTICLES: