Efforts continue to gather data and standards on which to base cyber underwriting decisions. On March 11, 2016, the Insurance Services Office, Inc. (ISO) issued a voluntary cyber insurance data call to collect detailed premium and loss information from insurers.
The ISO data call joins other recent initiatives to create common standards to evaluate cyber risks. For example, the National Association of Insurance Commissioners recently required insurers writing theft or cybersecurity insurance to report claims, premiums and other details. The Department of Homeland Security has a Cyber Incident Data and Analysis Working Group which seeks to gather pertinent information. And in January 2016, Risk Management Solutions, Inc. (RMS) and AIR Worldwide (a unit of Verisk Analytics, as is ISO), with support from a number of insurers and reinsurers, released common data elements and practices for maintaining cyber risk data (see A Common Standard for Evaluating Cyber Risk (Feb. 23, 2016).)
The ISO call is intended to address three “areas of concern” in the cyber insurance market: lack of aggregated data for pricing, silos of data across different industry sectors and rate filings based on actuarial judgment. The data call contains 268 fields relating to a wide scope of information including policy types, SICs, deductibles, limits, losses and defense costs and other coverage and loss characteristics.
What remains to be seen is whether the nature of cyber risks – rapidly evolving, difficult to quantify and potential exposure to exponentially scalable damages – lends itself to the same data collection techniques that the industry has used for decades to evaluate other risks. It is also an open question whether limits on the number of personnel with the requisite expertise to meaningfully evaluate cyber risks – currently commanding premium compensation in private sector technical fields – will restrict the capabilities of rating agencies and other data aggregators to stay within striking distance of the next major cyber peril.