Tag Archives: Cyber

RiskScan 2024 reveals risk priorities across the insurance marketplace

By Mary Sams, Senior Research Analyst

Cyber incidents, changes in climate, and business interruption are the chief risk concerns among key marketplace segments in the insurance industry, according to RiskScan 2024, a new survey from Munich Reinsurance America Inc. (“Munich Re US”) and the Insurance Information Institute (Triple-I) reveals.

RiskScan 2024 provides a cross-market overview of top risk concerns among individuals across five key market segments: P&C insurance carriers, P&C agents and brokers, middle-market business decision makers, small business owners, and consumers. The survey explores not only P&C risks, but also how economic, political, and legal pressures shape risk perceptions. 

Methodology

To produce a compelling snapshot of cross-market views, Munich Re US and Triple-I engaged independent market researcher RTi Research in the summer of 2024 to survey 1,300 US-based individuals.

Market surveys typically focus on a single audience, but RiskScan 2024 is a multi-segment survey offering a comprehensive view of risk perceptions and yielding comparative results between audiences. The key insights present a variety of commonalities and disparities across the five distinct target segments, covering the full range of insurance buyers and sellers across the United States.

This online survey was conducted across gender, age, geographic region, household income, business revenue, and company size. 

Two primary cohorts make up five segments of participants in the RiskScan research:

  1. consumers and small business owners (n=700) and
  1. Insurance industry participants, which included carriers, agents, and brokers as well as middle market businesses (n=600). 

Research participants were presented with various risks across five segments and then asked to select their top three risk concerns. 

Key Insights

More than one-third of respondents chose economic inflation, cyber incidents, and climate change as their top three concerns based on insurance risks and market dynamics. All three of these reflect post-pandemic news topics. Economic inflation has increased over the last several years.  Consumers and small business owners have experienced direct impacts with increased costs and industry participants have seen these impacts on increased replacement costs and P&C insurance premiums.

There are significant disparities in the ranking results between the two primary cohorts within the research. Insurance professionals tend to identify a variety of risks and have significant awareness of all risk categories, including emerging technologies. As expected, these audiences exhibit broader knowledge and awareness of risk transfer and mitigation of new and emerging risks. Consumers identified a smaller number of risks associated with more immediate and direct impacts on themselves. 

The structure of RiskScan 2024 research yields a more complete understanding of the “white space” that exists between risk perception and action. The gaps were identified along three key risk areas: 

  • Flood risk
  • cyber risks, and
  • legal system abuse

Flood risk was also indicated as one of the chief concerns for each audience. However, consumers lack awareness that flood events are typically excluded from homeowner’s policies. Industry professionals are more aware of flood coverage exclusions, the importance of purchasing flood coverage before a flood event, and the likelihood of these events occurring.

Cyber incidents are a primary concern in all five market segments. Most audiences in the research, both consumer and commercial, feel unprepared as this threat vector is constantly emerging, expanding, and changing. Many people are knowledgeable about cyber risks and are concerned about how to mitigate new cyber threats. Troubling stories have come to light as the frequency and severity of cyber threats grow.

“The knowledge gap about insurance risks demonstrates the continued need for education of consumers and businesses, especially about flood, cyber, and legal system abuse,” says Triple-I CEO Sean Kevelighan. “Increasing knowledge will be instrumental for the collective work needed to better manage and mitigate future risks.”

The report includes additional results for each of the five primary audiences: consumers (n=500), small business owners (n=200), insurance carriers (n=200), insurance agents and brokers (n=200), and middle market businesses (n=200).

Download the full RiskScan 2024 report to review the details. Triple-I aims to empower stakeholders by driving research and education on this and other key insurance topics. Follow our blog to keep abreast of these essential conversations.

Bridging the Cyber Insurance Data Gap

 

 

Cyber risks are opportunistic and indiscriminate, exploiting random system flaws and lapses in human judgment.

Underwriting cyberrisk is beyond difficult. It’s a newer peril, and the nature of the threat is constantly changing – one day, the biggest worry is identity theft or compromise of personal data. Then, suddenly it seems, everyone is concerned about ransomware bringing their businesses to a standstill.

Now it’s cryptojacking and voice hacking – and all I feel confident saying about the next new risk is that it will be scarier in its own way than everything that has come before.

This is because, unlike most insured risks, these threats are designed. They’re intentional, unconstrained by geography or cost. They’re opportunistic and indiscriminate, exploiting random system flaws and lapses in human judgment.  Cheap to develop and deploy, they adapt quickly to our efforts to defend ourselves.

“The nature of cyberwarfare is that it is asymmetric,” wrote Tarah Wheeler last year in a chillingly titled Foreign Policy article, In Cyber Wars, There Are No Rules.  “Single combatants can find and exploit small holes in the massive defenses of countries and country-sized companies. It won’t be cutting-edge cyberattacks that cause the much-feared cyber-Pearl Harbor in the United States or elsewhere. Instead, it will likely be mundane strikes against industrial control systems, transportation networks, and health care providers — because their infrastructure is out of date, poorly maintained, ill-understood, and often unpatchable.”

This is the world the cyber underwriter inhabits – the rare business case in which a military analogy isn’t hyperbole.

We all need data — you share first

In an asymmetric scenario – where the enemy could as easily be a government operative as a teenager in his parents’ basement – the primary challenge is to have enough data of sufficiently high quality to understand the threat you face. Catastrophe-modeling firm AIR aptly described the problem cyber insurers face in a 2017 paper that still rings true:

“Before a contract is signed, there is a delicate balance between collecting enough appropriate information on the potential insured’s risk profile and requesting too much information about cyber vulnerabilities that the insured is unwilling or unable to divulge…. Unlike property risk, there is still no standard set of exposure data that is collected at the point of underwriting.”

Everyone wants more, better data; no one wants to be the first to share it.

As a result, the AIR paper continues, “cyber underwriting and pricing today tend to be more art than science, relying on many subjective measures to differentiate risk.”

Anonymity is an incentive

To help bridge this data gap, Verisk – parent of both AIR and insurance data and analytics provider ISOyesterday announced the launch of Verisk Cyber Data Exchange.  Participating insurers contribute their data to the exchange, which ISO manages – aggregating, summarizing, and developing business intelligence that it provides to those companies via interactive dashboards.

Anonymity is designed into the exchange, Verisk says, with all data aggregated so it can’t be traced back to a specific insurer.  The hope is that, by creating an incentive for cyber insurers to share data, Verisk can provide insights that will help them quantify this evolving risk for strategic, model calibration, and underwriting purposes.

Intent and ability distinguish cyberrisk from natural perils

Cyberrisk is often compared with natural catastrophe-related threats, but a recent study by global reinsurer Guy Carpenter and analytics firm CyberCube suggests a better analogy is with terrorism.

“Probability is assessed in terms of intent and capability.”

The report – Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study – quotes Andrew Kwon, lead cyber actuary for Zurich: “Extending the lessons learned from property cats to the cyber space is intuitive and logical, but cyber continues to be a unique force unto itself. A hurricane does not evolve to bypass defenses; an earthquake does not optimize itself for maximum damage.”

This passage resonated as I read it because a few hours earlier I’d been reading a FreightWaves article about risks posed to international shipping by digitalization and pondering the fact that the same technology that helps vessels anticipate and avoid adverse weather also subjects them – and the goods they transport – to a panoply of new risks.

The FreightWaves article quotes U.S. Navy Captain John M. Sanford – who now leads the U.S. Maritime Security Department within the National Maritime Intelligence Integration Office – describing how the NotPetya virus inflicted $10 billion of economic damage across the U.S. and Europe and hobbled company after company, including shipping giant Maersk, in 2017.

Sanford said Russian military intelligence was behind the hacker group that spread NotPetya to damage Ukraine’s economy. The virus raced beyond Ukraine to machines around the world, crippling companies and, according to an article in Wired, inflicting nine-figure costs where it struck.

“Maersk wasn’t a target,” Sanford said. “Just a bystander in a conflict between Ukraine and Russia.”

Collateral damage.

The FreightWaves article describes how supply chains, ports, and ships could be disrupted more intentionally through GPS and Electronic Chart Display and Information System (ECDIS) systems onboard ships, or even via a WiFi-connected printer: “Pirates working with hackers could potentially access a ship’s bridge controls remotely, take control of the rudder, and steer it toward a chosen location, avoiding the expense and danger of attacking a vessel on the high seas.”

The Carpenter/CyberCube report identifies parallels in the deployment of “kill chain” methodologies in both conventional and cyber terrorism: “Considering terrorism risk in terms of probability and consequence, probability is assessed in terms of intent and capability.”

As our work and personal lives become increasingly interconnected through e-commerce and smart thermostats and we look forward to self-driving cars and refrigerators that tell us when the milk is turning sour, these considerations might well give us pause.

Hurricanes, earthquakes, fires, and floods might be scary, but at least we never had to worry that they were out to get us.