
Buying the Right Limit with Cyber Analytics: One Size Does Not Fit All

May 14, 2020


As insurance brokers in cyber liability, one of the most common questions we hear is, “How much limit should I buy?” Often, the quick follow-up question is “What do my peers buy?” While this may seem like a sensible way to choose limits, as there is comfort in keeping up with your peers, it’s actually not the best way for a client to determine their ideal limit.

Simply put, if you’re asking that very question—“What do my peers buy?”—we think you’re asking the wrong one. In this article, we’ll explain why and answer what we think is the right question.

Choosing the Right Policy Limit

Cyber security is a fundamental part of doing business in the digital era. Cyber-crime-related damages are expected to cost around $6 trillion annually starting in 2021 according to Cybersecurity Ventures. No one can predict a breach, but the right models should be able to quantify the likelihood of a cyber attack and the potential severity of the damage.

The ideal limit you should purchase depends on a myriad of factors, including the specific cyber risks you face (data breaches, network outages, or software impairments), the security tools you use to lessen your risk, and ultimately your own appetite for risk.

Quantifying your cyber risks will reveal that your business has unique needs which may vary widely from your peers. A risk quantification exercise can reveal the acute ways in which your organization may be vulnerable and show how insurance can help lessen the impact of a cyber event.

A proper cyber risk quantification exercise will be entirely customized to your organization. In the context of a custom result, comparing the amount of insurance purchased against a peer company starts to look rather silly.

For example, a peer may buy $20 million of cyber insurance, against their custom risk quantification of a $40 million maximum loss. But if your custom analysis results in a maximum loss of $15 million, buying up to $20 million of cyber insurance would look foolish.

Instead of asking, “What are my peers buying?” you might ask, “What percentage of risk do my peers insure against?”

Finding a Trustworthy, Professional Partner

As with any modeling exercise, the quality and quantity of data will ultimately ensure the accuracy of the modeled results. And while it may pain me to say it, the reality is that any one insurance broker simply does not collect a broad enough set of data to model a potential cyber loss.

Fortunately, there are independent companies dedicated to just this very problem.

CyberCube, a cyber risk analytics company Woodruff Sawyer partners with, provides this very type of cyber risk modeling. By combining firmographic, security, and insurance data, CyberCube models risk to quantify the implications of cyber risk exposure.

Using firmographic information on your company—such as industry, revenues, and personally identifiable record counts—combined with exclusive data sources on active threats and threat actors, as well as network and vulnerability scan data, CyberCube calculates a number of risk variables specific to your company. CyberCube then runs this information through two models: the Threat model and the Financial model.

The Threat model identifies the specific types of cyberattacks that your organization is most vulnerable to, benchmarked against industry peers. Have open ports on your network known to be vulnerable to ransomware? Your exposure to ransomware will likely be higher than your peers’.

The true cyber risk quantification comes from the Financial model, which illuminates the severity of your potential financial losses under several different scenarios: a data breach, a network outage, or a software impairment.

CyberCube applies a Monte Carlo simulation to estimate the loss severity under different scenarios, generating an estimation of how much any specific event may cost. The model is run 50,000 times, and the results are plotted along a risk curve, providing a visual representation of your company’s customized cyber risk from a financial perspective.

The importance of a modeled approach, in contrast to a simple estimate used in many data breach calculators, is that you can make an informed decision about how much risk your company faces. Deciding how much risk you face when looking at a cost-per-record number is very black and white, but understanding that only 5% of data breach events may cost you more than $15,000,000 helps you make a truly informed decision.

The beauty of taking this approach to your customized risk is that most loss scenarios a company would face in a given year can be accounted for on the loss curve. Want to insure against 90% of your projected potential data breach losses? You can find that on the loss curve to know the proper cyber insurance limit to purchase. Think the most severe losses could never happen to your company? Simply decide to purchase insurance at a lower percentage of the estimated loss.

Alternative Cyber Analytics Models

Cyber analytics have come a really long way over the past few years. While it’s true that using new tools can provide more insights into your overall cyber risk, there are some older models that can still provide useful data for decisions on cyber insurance.

Using data breach calculators, you can model individual scenarios to determine potential losses. These calculators are often a simple math equation based on the number of records exposed, the type of record exposed, and some average values of specific loss types such as consumer notification costs or credit monitoring costs.

These can be useful in modeling out a single, specific scenario that you’d like to make sure is covered by your insurance. The specific scenario can often get quite granular.

Likewise, business interruption worksheets can give you an estimate of the organization’s potential losses suffered during a network outage. A business interruption model can identify insurable losses, such as lost profits and continuing operating expenses, which may be suffered during an outage of varying lengths.

As with a data breach calculator, the scenarios modeled can be quite specific. A model may display outages of multiple lengths, or sometimes outages at individual manufacturing plants, to show the effect of a cyber incident at one location or network over another.

Of course, by using a highly specific scenario and only modeling it once, you lose the potential insights into the variance of the loss that a Monte Carlo simulation can provide.
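To make the contrast between a single-scenario calculator and a simulated loss curve concrete, here is an added example (not CyberCube's model and not code from this article). It runs 50,000 simulated breach events and reads a limit off the resulting curve; the lognormal distributions and every parameter value are constructed assumptions chosen only for illustration.

```python
import bisect
import math
import random

# Constructed parameters for illustration only (not CyberCube's model or data).
MEDIAN_RECORDS = 50_000         # median records exposed per breach
MEDIAN_COST_PER_RECORD = 150.0  # median USD per exposed record
MEDIAN_FIXED_COST = 250_000.0   # median USD for forensics and legal work

def simulate_losses(n_runs=50_000, seed=2020):
    """Return sorted simulated breach losses, one per Monte Carlo run."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_runs):
        records = rng.lognormvariate(math.log(MEDIAN_RECORDS), 1.0)
        per_record = rng.lognormvariate(math.log(MEDIAN_COST_PER_RECORD), 0.5)
        fixed = rng.lognormvariate(math.log(MEDIAN_FIXED_COST), 0.7)
        losses.append(records * per_record + fixed)
    losses.sort()
    return losses

def limit_for_coverage(losses, coverage):
    """Loss level that `coverage` (0-1) of simulated events stay at or below."""
    if not losses or not 0 < coverage <= 1:
        raise ValueError("need losses and 0 < coverage <= 1")
    return losses[math.ceil(coverage * len(losses)) - 1]

def exceedance_probability(losses, limit):
    """Fraction of simulated events that cost more than `limit`."""
    return 1 - bisect.bisect_right(losses, limit) / len(losses)

def calculator_estimate():
    """Single-scenario breach calculator: one point estimate, no variance."""
    return MEDIAN_RECORDS * MEDIAN_COST_PER_RECORD + MEDIAN_FIXED_COST

if __name__ == "__main__":
    curve = simulate_losses()
    print(f"calculator point estimate: ${calculator_estimate():,.0f}")
    for cov in (0.50, 0.90, 0.95, 0.99):
        limit = limit_for_coverage(curve, cov)
        print(f"limit covering {cov:.0%} of events: ${limit:,.0f}")
    share = exceedance_probability(curve, 15_000_000)
    print(f"share of events above $15,000,000: {share:.1%}")
```

The calculator returns a single number built from median inputs, while the sorted simulation results let you pick a limit by the share of events you want covered and check how often any candidate limit would be exceeded.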

Buying the Right Limit with Cyber Analytics

While it might be tempting to follow what cyber insurance limits similar companies are purchasing, your best course of action should be to first consider your own customized risk quantification. After all, there is no one-size-fits-all solution to cyber risk.

No company will ever be fully prepared for a cyber attack, but quantifying your risk using the right analytics tools can put you one step ahead of the competition. A thorough analysis helps you ensure that you are taking a comprehensive approach to risk transfer. More importantly, it makes you certain that your coverage limits are sufficient.

 

 


All views expressed in this article are the author’s own and do not necessarily represent the position of Woodruff-Sawyer & Co.

Dan Burke

Senior Vice President, National Cyber Practice Leader

Editor, Cyber Liability

As National Cyber Practice Leader, Dan drives the strategy to grow our cyber business, such as developing tools to help clients and prospects understand and quantify their cyber exposures, as well as thought leadership. He frequently speaks at industry conferences and has been quoted in various trade magazines and newsletters, including The Wall Street Journal.

415.402.6514

LinkedIn
