A Common Standard for Evaluating Cyber Risk - Insurers Walk the Walk

Insurers have struggled to find a common baseline to measure cyber risks. Changes in technology, hacking and other data security risks and the shifting legal landscape concerning liability for data breaches have made the terrain particularly uncertain. Because of the unique and changing nature of cyber risks, current risk models used for pricing and measuring risk aggregation do not provide the level of confidence insurers want and need. To date, most insurers have used internally-developed and proprietary models that rely on insureds’ responses to application questions that vary widely, and other data collected and stored in a non-uniform fashion. That variation, added to the continually evolving nature of cyber risks, impairs an insurer’s ability to accurately (a) price the risk for insureds, and (b) gauge the appropriate level of cyber risk in its overall portfolio – potentially limiting capacity. 

On January 19, 2016, two leading modeling firms and the University of Cambridge, with support from a number of insurers and reinsurers, released what is hoped to be the first step in providing a common set of standards to bridge the gap between insureds, whose data security systems and capabilities vary widely, and insurers and other constituents that need a common language to evaluate cyber risks. Risk Management Solutions, Inc. (RMS), AIR Worldwide (a unit of Verisk Analytics) and the University of Cambridge’s Centre for Risk Studies have collaborated to create a standardized framework that will enable insurers to track exposures with a uniform set of data elements and practices for maintaining the data. The Cyber Insurance Exposure Data Schema v1.0 released by RMS can be accessed here.

The goals of the RMS schema are to (a) provide a standardized approach to identifying, quantifying, and reporting cyber exposure; (b) enable the development of models for cyber risk that will be applicable to multiple users; (c) facilitate risk transfer to reinsurers and other risk partners and risk sharing between insurers; and (d) provide a framework for exposure-related dialogues for risk managers, brokers, consultants, and analysts. The schema uses six categories of exposure attributes to structure information: (1) cyber peril codes, (2) geographical jurisdiction, (3) cyber loss coverage categories, (4) business sector, (5) enterprise attributes, and (6) cyber risk attributes.

AIR Worldwide also released data standards to create uniform methods for collection, coding, storage and transfer of data – in the form of a cyber exposure SQL (structure query language) database and preparer’s guide. AIR's data standard and preparer's guide can be accessed here.

The new standards will likely evolve and mature as have other attempts to categorize and standardize assessments of complex risks. But development of the RMS/AIR standards points the way to a common language to assist underwriters, investors, and other constituents in tackling what has to date been an unpredictable and difficult-to-quantify risk.

Molly McGinnis Stine is a partner and John F. Kloecker is Of Counsel in Locke Lord’s Chicago office. They can be reached at mmstine@lockelord.com and jkloecker@lockelord.com.‎