individualised and detailed IT security audits.
These underwriting processes also help identify
areas of vulnerability and provide an opportunity
for the insured to improve their resilience and
reduce the overall level of risk.
A qualitative assessment also supports the
insurer’s ability to form a comprehensive
understanding of its client base’s overall security
defences, and improves its ability to differentiate
risks and refine pricing among policyholders. This
leads to the development of certain standardised
data protocols used to measure cyber-risk in an
insurer’s portfolio.
Similarly, supervisors can also play a role in
reviewing an insurer’s practices to
ensure appropriate risk management. As part of
this effort, insurers and supervisors can review
external standards and incorporate them into
their own risk assessment processes.
Insurers may also attempt to measure risk
by analysing scenarios or using other risk
assessment tools.³³
Data availability
The market suffers from a lack of experience
data, which makes underwriting cyber-risk
difficult. Although more data are becoming
available, most cyber-incidents are underreported
by companies, whether due to fear of reprisal or
concerns about reputational damage. In addition,
cyber-risk experience data can quickly become
dated and lose value as attackers rapidly adapt
to exploit new vulnerabilities and evade cyber-
security measures.
Only a few big players with extensive experience
in the cyber-market can generate their own
mass of data, and they are reluctant to share that
experience with other companies to ensure they
remain competitive and gain an advantage in
underwriting.³⁴
This data paucity may weaken the
insurer’s confidence in pricing and underwriting
cyber-insurance. At the same time, buyers may
question the appropriateness of the premium and
coverage offered. These factors depress sales
and reduce the penetration rate.³⁵
Although current measurement methods attempt
to access a broad range of information, insurers
still need a centralised source of information/
data repository about cyber-events.
Consensus is building that the evolving nature of
cyber-risk, combined with the cross-border and
cross-industry economic implications of a cyber-attack,
demands an increased level of coordination – both
within the insurance industry and beyond.
Insurance supervisors can assist with monitoring
overall cyber-risk aggregation within the
industry by collecting data. In the US, the National
Association of Insurance Commissioners
(NAIC) requires insurers to include a cyber-
supplement in their annual data reporting.
Supervisors can also help mitigate systemic risk
by facilitating the sharing of information
related to cyber-risk, and encouraging insurers to
share information with each other. Not only
does this increase resilience levels of similarly
situated policyholders, but the collected
information could contribute to the ability of the
insurance industry to accurately assess
aggregate risk levels and predict how risk may
evolve in future. Although an insurance-centric
repository is ideal, current information-sharing
repositories include:
» Financial Services Information Sharing
and Analysis Center (FS-ISAC):