According to insurance author Barry Rabkin, cyber risk is increasing to a level of uninsurable severity. His opinion is posted at https://rabkinsopinions.com/2021/08/23/shift-to-severity.
As society becomes increasingly dependent on web-connected devices, uninsurability becomes more of an issue for insurers, corporations and individuals.
Rabkin has three messages about risk:
- There is an "inexorable" shift to potentially uninsurable severity from a small number of risks.
- While not all of these risks are technology related (terrorism, pandemics and climate change for example) technology is making more cyber risk uninsurable.
- Whether insurable or uninsurable, the risk must be managed.
Frequency and severity are how we measure risk. As society becomes more digitally dependent, the "frequency of severity" is increasing. High frequency/high severity risks are uninsurable.
Risks emerge through interaction with nature, society, technology or a combination of them. The risk of web connected devices is now global.
Large commercial insureds will meet the coverage challenge with a combination of primary insurance, reinsurance and self-insurance. (Rabkin does not address small and medium size organizations; most likely they will face higher premiums and stricter underwriting requirements.) The federal government will take a large role in both "insurance" and cyber security regulation. The market for technology solutions and "white hat" hackers will expand.
There are six criteria for an insurable risk:
- A large number of exposure units.
- Accidental, random and unintended losses.
- Determinable and measurable losses.
- Losses cannot be catastrophic to the risk pool.
- Probability of loss must be calculable.
- Premiums must be economically affordable.
Dr. Robert Hartwig of the University of South Carolina business school testified to Congress that pandemics meet none of these criteria. In Rabkin's opinion, two criteria - determinable/measurable and calculable loss - are not met for cyber, while the accidental and feasible premium tests are not fully met.
As Rabkin concludes, there are two types of cyber devices: those that have been hacked and those you don't realize have been hacked.