As cybersecurity risk continues to evolve, the insurance market is responding with new solutions designed to fill in gaps and expand coverage. One such innovation is parametric insurance, which is not a new product, but which has never been used in the cyber space. To find out more about how these policies work and the benefits they offer insureds, I spoke with Anibal Moreno, CEO of USQRisk, LLC
Can you describe parametric insurance as a method to cede risk?
Parametric insurance solutions, sometimes called index insurance, are designed to quickly trigger payment to an insured when a predefined event, measured with some clear and objective criteria, occurs. Ideally, objective third-party data sources are used to define trigger(s). To the extent that there is a delta between the parametric loss payment and the actual loss suffered by the insured, we call this “basis risk.”
A successful solution gets money in the hands of the insured much quicker than a traditional indemnity insurance, right when it is needed, and might be aimed to compensate the insured for more of their true economic loss, considering things like downstream impacts, increased costs, reputational effects, contractual liability, and so forth.
Why are we hearing more about parametric insurance now?
“Parametric,” meaning based on a parameter (or measurement), has been around for a long time, especially in the energy, natural catastrophe, weather, and agricultural spaces. In that context, it might look something like this: If rainfall exceeds such-and-such amount, seasonal businesses can be affected; if snowfall is heavy, then snow removal expenses may be triggered. Coverage has even been sought by film producers needing a certain number of hours of sunlight to shoot outdoor scenes.
Today, as the insurance industry looks to increase its relevance, a major innovation is to introduce parametric solutions into other types of coverage. This is sparking interest amongst potential insureds seeking solutions that expand capacity or protection not available in the conventional market.
How might cyber parametric coverage work?
Every parametric solution design involves defining an exposure; defining an event; selecting or creating an index; and valuing the loss against thresholds or values of the index. The solution is always tweaked to fit the client need and budget. “Cyber” touches on such a broad universe of risks and can have knock-on effects for both the insured and the insured’s own customers. Web/technology industries are very accustomed to monitoring and even guaranteeing service uptime and dealing with the upstream and downstream impacts including extra expenses, and this is an area where trigger definition can be quite intuitive.
As we reach beyond business interruption, it becomes less clear how to measure and correlate objective indices to losses such as privacy liability, network security liability, and regulatory exposures. This is necessarily a highly collaborative process among insured, underwriter, and intermediaries. There has been talk of “cyber CAT bonds” in the context of widespread malware/viruses impacting large swaths of the internet, and the ripple effects of major cloud infrastructure providers going temporarily offline.
Critical to creating parametric coverage for cyber-related risks is to have a clear process related to: i) defining the exposure, ii) defining the event, iii) identifying reliable independent data sources, and iv) defining triggers that correlate to liquidity needs following a cyber event, and that is where collaboration is key. The sector is moving rapidly, and improvements in available indices and modeling techniques are welcomed, as will wider awareness about parametric coverage.
How would a client with cyber parametric coverage benefit when faced with a cyber exposure such as ransomware? How does it compare to traditional cyber insurance coverage?
We (USQRisk) are working on designing parametric companion solutions to sit alongside and complement the available and evolving broad insurance product solutions on the market.
In today’s world, intangible assets are more important than tangible assets for many firms. Insurance solutions are increasingly expected to provide cover beyond physical damage and cover any economic interest arising out of an event. In a more CENSOR-ed IoT world where more independent data is collected and quantified than ever before, there’s an opportunity to leverage this data in order to structure parametric solutions.
Some use cases are quite clear. If you can show that six hours of outage affects X number of employees and will going cause a $10 million loss, and pre-agree that in the parametric cover, it can provide great liquidity support and avoid the pain of proving that loss in a post-loss adjustment process. On the underwriting side, the challenge is estimating the likelihood and drivers of that outage and to find a trusted third-party data source to prove it.
Parametric isn’t a substitute for traditional cyber offerings. In the ransomware example, the insurer and possibly the broker are providing or facilitating a wide array of critical response services encompassing security, investigation, and legal to name a few. Parametric, by contrast, is a financial/economically oriented cover and does not provide post-event services that indemnity-based solutions might. As it evolves, parametric cyber could start to play an important role in enterprise risk management.
I want to thank Anibal for his expertise and thoughts on this emerging topic. I have had the good fortune of knowing Anibal now for almost 20 years within the cyber insurance community, and he is truly an industry leader trying to solve complex problems for policyholders. And given the growth of ransomware in both frequency and severity, we can only welcome options that bolster traditional coverage. As the newer parametric cyber products evolve and come to market, we plan to stay in touch with Anibal to monitor their development.