A.M. Best Special Report

Cyber-Security Issues and Insurance Companies

There is a difficulty in accurately measuring the risk

OLDWICK, N.J., December 1, 2015—A.M. Best believes that insurance companies are particularly exposed to cyber liability given the nature of  area requiring a holistic approach where a company’s technology, people and processes diligently work in concert to minimize cyber-security risks.

A new Best’s Special Report, titled “A.M. Best’s View on Cyber-Security Issues and Insurance Companies,” states that while A.M. Best still considers natural catastrophe losses to be the primary threat to the financial strength and credit quality of insurers, the increasing frequency and severity of cyber attacks and difficulty in measuring the risk pose a substantial threat to the insurance industry.

Recent breaches at large managed health care organizations have highlighted the fact that an insurance company’s breach can have wide-reaching effects, impacting staggering numbers of individuals and organizations. Industry
research has also warned that a total realistic probable maximum loss for cyber-security risk globally is currently approximately USD 31 billion.

Increasing Awareness

A.M. Best is analyzing cyber-security exposure in an effort to increase awareness of this threat and assess the impact on an organization’s financial strength. Assessments have historically been limited to the technology-based controls an organization has in place, but technology alone is not an adequate predictor of overall cyber-security posture or risk. An assessment of the susceptibility of a company’s cyber-security posture from the perspective of technology, people, processes and preparedness must also be undertaken.

The next step in understanding a company’s overall cyber-security risk is an evaluation of the motivation of threat actors like criminal hackers, state-sponsored groups and rogue employees to direct their efforts at a particular company

The next step in understanding a company’s overall cyber-security risk is an evaluation of the motivation of threat actors like criminal hackers, state-sponsored groups and rogue employees to direct their efforts at a particular company. It is A.M. Best’s opinion that an evaluation of the offensive and defensive forces apparent in the susceptibility and motivation of an organization is essential to understanding an entity’s overall cyber-security risk. A.M. Best views an organization’s ability to
generate detailed and credible assessments of its potential cyber risk as a valuable tool in its overall risk management approach.

The report also summarizes results obtained from various surveys and questionnaires A.M. Best has conducted over the years as part of its interactive rating process, and explores areas where companies can improve their risk profiles. Two main trends have become evident in the surveys. First, most companies tend to be inclined to invest large sums of money to improve security on their IT systems and infrastructure. Secondly, larger companies tend to buy cyber insurance policies to further manage the risk associated with a cyber attack, protecting themselves and ultimately their policyholders.

A.M. Best also is cognizant of the fact that the industry may be contemplating new company formations to exclusively write cyber-security insurance. As cyber-security risk is better understood, and underwriting and risk management functions are enhanced and specific consequence-oriented data and actuarial studies become available, A.M. Best will continue to incorporate its findings into the rating process.

To access a copy of this special report, please visit here.