As cyber insurance rates have begun to stabilize, insurance carriers are seeking more diversification to fuel their underwriting and growth strategies, according to panelists at this year’s PLUS Cyber Symposium in New York City.

“They’re seeking diversification in the standard ways we know of — writing across multiple industries, size segments and geography — but also more nuanced diversification by really looking at what technology dependencies are large exposures for their portfolios,” said Crystal Boch, U.S. head of cyber analytics at Aon Re. “So more carriers are investing in different scanning capabilities and different tools that really identify those technology aggregation points across the portfolio.”

She pointed to August 2024 research from Parametrix and Aon on diversifying cloud outage risk as one example. The research paper, titled Diversifying Cloud Risk, showed how losses arising from cloud outage events can be diversified within large reinsurance portfolios.

“You can see from that if you spread your portfolio across geography, it greatly reduces your portfolio’s reliance on any one cloud region, which is really, really huge for mitigating that risk,” she said. “So I think carriers are able to find diversification, but there is still some work to do there in increasing the pie to allow for more diversification.”

Some of this work involves the small and medium-sized enterprise space, she added.

“[It’s about] getting those SMEs and micros to buy insurance — getting, I would say, mostly SMEs and micro, but even some medium and large insureds in different regions to buy cyber insurance,” she said. “So increasing that pie will also help with the diversification.”

She said that although work remains, more progress has been made in the SME space in the past few years.

“The models were created initially focusing on the larger insurance since that’s where the larger take-up rate was on cyber,” she said. “As more SMEs are purchasing cyber, I think it shines light on better handling and grasping that SME systemic loss as well.”

This means that as SMEs learn from cyber events and gain a better handle on their risk, how they model risk is changing. Sometimes, it’s changing even more rapidly than in the larger enterprise space, Boch said.

“I think for the better and that we’re getting more nuanced around the SME modeling,” she said.

Beyond the SME space, cyber risk modeling has evolved in insurance overall. Boch noted that vendor models have not only matured but have also gained credibility with traditional reinsurers, insurers, and investors in the insurance-linked securities market.

“The models have converged in a number of ways in terms of the magnitudes of loss, but more importantly, around which perils are driving the tail,” she said. “I think most of the models and deterministic scenarios now all agree that malware ransomware is really the largest tail driver with cloud being number two.”

Speaking the Same Risk Language

This convergence has been instrumental in unifying risk language across the industry, allowing for more effective communication between carriers and external model providers.

Jonathan Hatzor, CEO of Parametrix Insurance, said that there has been a marked shift in the past couple of years, with carriers adjusting their reinsurance structures—from quota share arrangements to excess of loss programs—to better handle systemic cyber risks.

“There is a lot of pressure on having models that speak the same language,” he said. “So carriers have to use the same language in order to adjust to the external models.”

Mark Camillo, U.S. and Canada head of network security and privacy at CyberAcuView, said that CyberAcuView has worked to be a driving force behind bridging the policy language gap.

“I think from a policy language perspective, there were certain things that were starting to kick off about the war language around critical infrastructure, particularly with Lloyd’s,” he said. “And so, we felt that at CyberAcuView, we should figure out a way to bridge the U.S. and U.K. gap at the time and create language that could be used…more broadly by the market.”

Complicating things further was the introduction of widespread event coverage, in which carriers tried to segment their attritional versus systemic losses via supplements, he said.

“If that would’ve happened with 50 different insurers creating 50 different endorsements, that could have been very chaotic trying to explain that to policyholders,” he said. “The idea was let’s create some master language that, again, insurers could modify based on individual risk appetite.”

Hatzor said that while there is always a gap in the sophistication of external models compared to the capability of carriers, this gap has narrowed in the past few years.

“Now, there is more similarity, and I understand the risk more in a way that we can use those external models,” he said. “That, we think, is helping the market a lot.”

Data Collection, Accumulation Risk Still a Challenge

Despite this progress, challenges remain in cyber risk modeling. One of these challenges is around data collection.

“What I think we’re finding from the data collection is it is taking a lot longer than what initially we expected for insurers to have a really good view of what that ultimate loss looks like,” Camillo said. “I think when you have an event, there’s a lot of panic, there’s a lot of fire drills. Trying to estimate some of the initial loss, the estimates that come out are fairly high numbers.”

He said that it’s not until a year after the loss event in some cases that the losses begin to materialize.

“You have some idea, but really, they’re going to go through the process of filing the business interruption claim, all the waiting hours, deductibles that go into that decision, some of the liabilities that tail…even a year, year and a half later, those numbers are being pushed up,” he said. “But again, I think that’s something that over time, we will get better at as we have more of a catalog of events.”

Hatzor said that while having good models is important, understanding accumulation in portfolios is just as crucial.

“Maybe even more important, I would say,” he said.

However, he added that some service providers and many underwriters don’t contemplate accumulation risk enough.

“CrowdStrike, for example,” he said. “CrowdStrike is a service provider and not a mission critical service provider. If they go down, they’re not really going to impact anyone and don’t really have the capabilities as a service system to be a highway for a cyber attack because of the way that the system has been designed. But the event that occurred was a bit of a surprise, I would say, because their ability to shut down clients’ endpoints was very surprising.”

He said this example demonstrates that before even tackling cyber risk modeling, a better understanding of accumulation risk is the first piece of the puzzle.

“I would say that the models are very useful right now, especially around the traditional loss, relatively accurate, I would say, and very stable around systemic,” he said. “Still, we have a big way to go, but understanding the accumulation, mapping the accumulation, and using technologies in order to do it is very, very important.”

Although the cyber insurance industry has yet to grapple with “the big one” in terms of an accumulation event, said Pascal Millaire, CEO of CyberCube, it’s important to take the mini catastrophe events that have occurred into consideration when understanding accumulation risk and improving cyber risk models.

“We’ve seen a lot of mini cat events, and you start delving into those mini cat events and asking the counterfactuals, ‘Well, could this happen again? Yes. Could this be a zero day rather than a known vulnerability? Yes. Could there be a malicious actor behind this? Yes. Could this apply to a different piece of software with broader market share? Yes,’” he said. “I do think that certainly those kind of questions have helped advance the state-of-the-art model. So we’ve looked back, there have been a lot of investments, the models have proven useful. As always, there are more areas for improvement.”

That said, it’s important to recognize how much cyber risk models have evolved as the industry continues to push forward, he said.

“I guess if I went back five years ago, what you probably would’ve heard — and you may have explicitly heard on a stage like this — is cyber data and modeling is in its infancy,” he said. “I just don’t think that’s true anymore. If you look at the billions of dollars of claims, the tens of thousands of claims that have gone out there, the hundreds of millions of dollars at this point spent on data technology capabilities, training initiatives, vendor and third party models, the reality is we have a way to go, but we have a robust set of infrastructure at our disposal.”