Why Insurers Should View Cyber as a Human Risk, Not an IT Risk

  • Guidewire Staff

November 11, 2020

The impact of cybercrime on the global economy is growing at a rapid pace. By next year, global cybercrime losses could reach a staggering $6 trillion, according to the World Economic Forum. And yet the global cyber market is currently worth a mere $7 billion.

Munich Re expects the cyber market to almost triple to $20 billion by 2025, but even then, insurance spend will be just a drop in the ocean compared to the magnitude of this peril.

In short, insurers are extremely cautious about this risk. And for understandable reasons: historical data is scarce and the potential for catastrophe-scale losses is real. Cyber is a new and intangible risk with broad operational impact and an invisible trigger. It is moving so fast that traditional actuarial models are struggling to keep pace. How can insurers be expected to prudently underwrite large volumes of this risk in such circumstances?

That is, at least, the conventional thinking. As early movers in the insurance market are discovering, an entirely new approach to underwriting based on behavioral analytics is enabling exciting progress.

IT is a small percentage of the cyber risk map

At the heart of the new approach is the recognition that cyber risk is not an IT risk. The reach of 5G and the web of connectivity it creates mean that cyber touches the entire ecosystem of an organization. It is impacted by people, processes, and behavioral factors such as error and intent.

Understanding technology and cybersecurity is of course important for mapping cyber exposures – but it will only reveal a small section of the cyber risk map.

For example, an organization may have the latest cybersecurity software, but there is no guarantee that the software is being used appropriately. Nor does it provide information on how desirable the organization is as a target to potential adversaries.

To fully understand cyber exposures, underwriters need models that capture the reality of cyber, not the theory of cyber. And this is where behavioral analytics is breaking new ground.

Understanding cyber through behavioral proxies

Behavioral analytics is a method that exploits the rapid increase in the volume of externally available data about organizations and individuals. It gathers real-time data on enterprise-wide factors and uses machine learning and artificial intelligence to model the changing environment at scale.

What makes this approach unique and well-suited to cyber is that, as well as profiling an organization’s technological sophistication, it also gathers data on factors such as processes, people risk, and an organization’s attractiveness to cybercriminals.

For example, the turnover of an IT security team, the patching cadence for software, and the presence of unused services are all proxies for whether an organization is in control of its cybersecurity. Meanwhile, scrutiny of the dark web and of data such as employee satisfaction surveys illuminates how cybercriminals operate and which companies are most vulnerable to attack.

Behavioral analytics uses these proxies to build powerful predictive models, processing over a petabyte of data a month to ensure it keeps pace with the fast-moving cyber universe.

At the heart of this approach is a recognition that organizations and potential adversaries are human. They are not predictable in the way that natural catastrophes are, and therefore understanding perils such as cyber requires data that encapsulates this.

The behavioral approach is not a niche proposal for cyber alone. Property insurer Lemonade is a well-known example of an insurtech company disrupting the market by putting a combination of artificial intelligence and behavioral economics at the heart of its business model.

As Lemonade’s chief behavioral economist Dan Ariely explains, “Wouldn't economics make a lot more sense if it were based on how people actually behave, instead of how they should behave?”

Paul Mang is Chief Innovation Officer at Guidewire Software. Read his full paper on how behavioral analytics is shaking up cyber insurance: Cyber Insurance: Breaking Down Barriers Through Behavioral Analytics.

Learn more about how Guidewire Cyence is using behavioral analytics to support insurers today.