Combining application and claims data can help insurers identify the best security controls for their policyholders

Insurers need to combine disparate application and claims data for cyber insurance policies in order to identify the most suitable security measures that could benefit their policyholders and improve organisational resilience, said global non-profit policy think tank RAND Corporation.

Delivering a keynote presentation as part of modelling and risk management firm RMS’s two-day virtual Cyber Summit event last week, Sasha Romanosky, senior policy researcher at RAND Corporation, explained that insurers are missing a simple trick by not using available data sources to pinpoint cyber security advice that can be fed back to policyholders.

“Carriers, as well as modelling companies, have a wonderful opportunity to take these disparate data sources and to do some relatively simple analysis in order to identify what kinds of security controls work,” he explained.

“What you want is to be able to merge the application data, the questionnaires that relate to the security posture of a company, with the actual claims data and from that, you develop a simple prediction model and identify, based on the information provided, what kinds of security controls work.

“It doesn’t take fancy artificial intelligence or machine learning – it’s basic statistics and you get some very good insights, or at least you start to develop a model that can provide you with very good insights. It’s not foolproof of course, you may still not identify the best controls, but it’s a start and from what I’ve seen unfortunately, it doesn’t seem like a lot of carriers are really taking advantage of this.

“For them, the application data and the claims data exist in separate IT environments, these databases don’t talk at all. It seems like a crazy situation because there’s an opportunity there.”
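The analysis Romanosky describes, joining application questionnaires to claims records and comparing claim rates with and without each control, as an added illustration in pure Python (example code, not from RAND, RMS or the article; the policies, controls and claims below are constructed sample data and the relative-risk measure is one plain choice of "basic statistics"):

```python
# Constructed sample data (not from the article). Applications and claims are
# held in separate systems, so they are joined on policy_id.
APPLICATIONS = [
    {"policy_id": 1, "mfa": 1, "backups": 1, "edr": 1, "firewall": 1},
    {"policy_id": 2, "mfa": 1, "backups": 0, "edr": 1, "firewall": 1},
    {"policy_id": 3, "mfa": 1, "backups": 1, "edr": 0, "firewall": 1},
    {"policy_id": 4, "mfa": 1, "backups": 0, "edr": 1, "firewall": 1},
    {"policy_id": 5, "mfa": 1, "backups": 1, "edr": 0, "firewall": 1},
    {"policy_id": 6, "mfa": 0, "backups": 0, "edr": 1, "firewall": 1},
    {"policy_id": 7, "mfa": 0, "backups": 1, "edr": 0, "firewall": 1},
    {"policy_id": 8, "mfa": 0, "backups": 0, "edr": 1, "firewall": 1},
    {"policy_id": 9, "mfa": 0, "backups": 1, "edr": 0, "firewall": 1},
    {"policy_id": 10, "mfa": 0, "backups": 0, "edr": 1, "firewall": 1},
]
# Policies that generated at least one claim (constructed).
CLAIMS = [{"policy_id": p, "loss": l} for p, l in
          [(3, 120000), (6, 250000), (7, 40000), (8, 310000), (10, 90000)]]
CONTROLS = ["mfa", "backups", "edr", "firewall"]


def merge(applications, claims):
    """Attach a 0/1 claim flag to every application row."""
    claimed = {c["policy_id"] for c in claims}
    return [dict(a, claim=int(a["policy_id"] in claimed)) for a in applications]


def control_effects(rows, controls):
    """Claim rate with vs. without each control, and their ratio (relative risk).
    A control that every applicant (or no applicant) reports cannot be
    evaluated from this data, so it is reported as None rather than guessed."""
    out = {}
    for c in controls:
        with_c = [r["claim"] for r in rows if r[c] == 1]
        without = [r["claim"] for r in rows if r[c] == 0]
        if not with_c or not without:
            out[c] = None
            continue
        rate_with = sum(with_c) / len(with_c)
        rate_without = sum(without) / len(without)
        rr = rate_with / rate_without if rate_without else float("inf")
        out[c] = {"n_with": len(with_c), "n_without": len(without),
                  "rate_with": rate_with, "rate_without": rate_without,
                  "relative_risk": rr}
    return out


def ranked(effects):
    """Controls ordered from strongest to weakest observed risk reduction."""
    usable = {c: e for c, e in effects.items() if e is not None}
    return sorted(usable, key=lambda c: usable[c]["relative_risk"])
```

With the constructed data, MFA shows a claim rate of 0.2 with the control versus 0.8 without (relative risk 0.25), backups a smaller reduction, EDR none, and the firewall question cannot be assessed because every applicant ticked it.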

Using this kind of insight around cyber insurance is a “great situation”, Romanosky added, because it is beneficial for all parties.

He continued: “When carriers have more insight, better insight about the security incidents that their policyholders suffer, they are able to identify the specific kinds of security controls that are best able to reduce these future events. And by doing that kind of analysis, they can better assess and differentiate the risk across their policyholders and provide incentives for firms to adopt these particular kinds of controls in order to reduce the risk.

“This is a great situation. This is great for the firms because it helps the firms identify what kinds of security controls they can invest in, consumers are better off because they suffer lower rates of identity theft, carriers become more profitable and critical infrastructure is very much improved through increased resilience. So, from a policymaker’s perspective, a federal government’s perspective, this is a very strong case for insurance.

“There really is an opportunity for cyber insurance here to match the application data with the claims data to identify those security controls, to identify which kinds of security controls really matter and by how much.”

‘Moral hazard’

There are some potential red flags to be aware of surrounding cyber insurance, however. Firstly, Romanosky warned that “we don’t want to engage in this moral hazard problem”.

He explained: “We don’t want firms to buy insurance at the cost of not investing in security in the first place. We want both situations to occur, for firms to invest in security and for them to buy the insurance to avoid the catastrophic losses.”

However, Romanosky added that insurance professionals “shouldn’t be so shocked” if organisations are not investing heavily in cyber security, as it may not be a business’s top priority among a potentially long list of other corporate risks, for example issues within its supply chain. “We need to recognise that they may de-prioritise risk,” he said.

Whether cyber insurance policies themselves reference a firm’s security posture should also be considered, Romanosky said, as this could demonstrate a disconnect between premium prices and the cyber security measures in place.

“It’s true that in looking at cyber insurance policies themselves, a lot of them don’t even include any information about security posture. So, the idea is that if firms are able through their application process to get a good sense of the security posture of firms through these questionnaires, then they can use that information for better assessment of risk, but if it’s the case that most of these policies don’t incorporate that security information, then there’s a very clear disconnect between the premiums and any security controls,” he explained.