Active CAT Management Reduces Tail Exposure 3-8X vs. CAT Sublimits
Quantifying different approaches to cyber CAT risk management
The traditional approach to insuring catastrophic risk operates from a fixed mindset, relying on portfolio construction and limit management. This approach works for natural catastrophes because little can be done to mitigate a natural CAT event when it occurs, but it isn’t an effective approach to cyber CAT management.
Unlike natural catastrophes, carriers can mitigate cyber CAT risk as it unfolds. Despite that, many cyber insurance carriers still rely on a fixed approach, writing CAT sublimits into policies and transferring CAT risk back to policyholders rather than managing the risk.
In contrast, At-Bay takes a dynamic approach to cyber CAT.
Our Active CAT Management includes risk selection at the time of underwriting and Active Risk Monitoring throughout the policy period to manage portfolio CAT risk. This creates a better insurance product for policyholders and a stronger impact on tail losses compared to CAT sublimits, as demonstrated by the table below:
Read on for an in-depth comparison of cyber CAT sublimits vs. Active CAT Management and details on our modeling methodology and results.
Over the last decade, cyber risk has grown quickly to become the defining commercial risk. In recent years, we have seen multiple widespread cyber events with CAT potential, which have raised concern about cyber CAT risk among primary and reinsurance carriers.
Because cyber is a new risk, the insurance industry lacks a standard for managing cyber CAT. We see a few emerging approaches to managing cyber CAT exposure:
- Limit management: Reduction of overall limits exposed to cyber policies.
- CAT sublimits (and exclusions): Application of coverage limits (or exclusions) on certain events that have CAT potential, such as widespread malware events, prolonged service provider outages, and severe exploits of known vulnerabilities.
- Active CAT Management: Active mitigation of cyber events before they materialize into significant loss.
To demonstrate the difference between At-Bay’s Active CAT Management (ACM) and CAT sublimits, we modeled three different approaches to cyber CAT management to show their effects on tail losses.
We modeled the following CAT management approaches to quantify their impact on CAT exposure in At-Bay’s portfolio¹:
The gray line models a generic cyber insurance carrier with no CAT risk management. We selected companies at random to create a portfolio mirroring the revenues and sectors represented in At-Bay’s portfolio. It includes a mix of secure and non-secure companies.
The black line models a generic carrier with CAT sublimits. For this data set, we applied a CAT sublimit of 50% of the policy limit to widespread malware events and provider outage events. This was applied on top of the same portfolio composition as the gray line.
The blue line models At-Bay’s Active CAT Management program. We created a portfolio of companies mirroring the revenues and sectors of companies in At-Bay’s portfolio, all of which meet the security requirements to bind an At-Bay policy. We then applied ACM to this portfolio to reflect At-Bay’s current CAT management strategy.
Active CAT Management Vs. CAT Sublimits
The following model demonstrates the aggregate exceedance probability (AEP) curve of gross losses for the three approaches to cyber CAT management detailed above.
At the one-in-250-year mark, cyber CAT sublimits demonstrate a 5-10% reduction of tail losses, while ACM reduces tail losses by 30-40%. Therefore, Active CAT Management is 3-8X more effective at reducing tail losses compared to a 50% CAT sublimit.
A 50% CAT sublimit has limited effectiveness in managing tail losses. While sublimits are an effective tool to drive down severity, they aren’t effective for mitigating cyber CAT risk because it’s driven by frequency rather than severity. The most concerning scenario in many cyber CAT models is a widespread vulnerability that materializes as a high-frequency event with a limited increase in average severity compared to attritional losses.
Active CAT Management demonstrates higher effectiveness in managing the frequency-driven nature of cyber CAT risk. By accurately identifying events with CAT potential and helping policyholders apply patches and solutions as quickly as possible, ACM successfully mitigates cyber CAT as it unfolds.
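The frequency-versus-severity argument above, as an added toy simulation (not At-Bay's model or code). Every parameter is a constructed assumption, including the Beta(2, 5) severity curve and the 40% drop in affected policyholders that stands in for active mitigation.

```python
import random

# All parameters below are constructed for illustration, not At-Bay's model inputs.
POLICIES = 300        # policies in the toy portfolio
YEARS = 5000          # simulated years
P_ATTRITIONAL = 0.02  # chance a policy has an ordinary claim in a year
P_CAT_YEAR = 0.02     # chance a widespread event occurs in a year


def severity(rng):
    """Claim size as a fraction of policy limit (mean about 0.29)."""
    return rng.betavariate(2, 5)


def annual_losses(cat_hit_rate, cat_sublimit=1.0, seed=11):
    """Simulate gross annual portfolio loss, in units of one policy limit."""
    rng = random.Random(seed)
    years = []
    for _ in range(YEARS):
        cat_year = rng.random() < P_CAT_YEAR
        total = 0.0
        for _ in range(POLICIES):
            if rng.random() < P_ATTRITIONAL:
                total += severity(rng)
            # CAT claims share the attritional severity curve; only their
            # frequency jumps. The sublimit caps CAT claims only.
            if cat_year and rng.random() < cat_hit_rate:
                total += min(severity(rng), cat_sublimit)
        years.append(total)
    return years


def tail_loss(losses, return_period=250):
    """Loss exceeded on average once every `return_period` years (AEP point)."""
    ranked = sorted(losses, reverse=True)
    return ranked[len(losses) // return_period - 1]


def tail_reductions():
    base = tail_loss(annual_losses(cat_hit_rate=0.10))
    sublimit = tail_loss(annual_losses(cat_hit_rate=0.10, cat_sublimit=0.5))
    # Active mitigation modeled as 40% fewer policyholders hit (assumption).
    active = tail_loss(annual_losses(cat_hit_rate=0.06))
    return 1 - sublimit / base, 1 - active / base


if __name__ == "__main__":
    sub_cut, active_cut = tail_reductions()
    print(f"50% sublimit: {sub_cut:.1%}  frequency mitigation: {active_cut:.1%}")
```

Because most simulated claims fall below half the policy limit, the cap rarely binds, while removing affected policyholders removes whole claims from the tail year.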
At-Bay believes preventing loss is preferable to managing claim costs after a loss occurs. The right risk selection is important, but carriers also need an Active CAT Management program that does the following:
- Identifies events with CAT potential and quantifies their impact on the portfolio
- Accurately identifies which policyholders and assets are vulnerable
- Helps policyholders with risk mitigation
Active CAT Management has a significantly stronger impact on tail loss compared to CAT sublimits or no CAT management. For that reason, carriers who actively manage cyber CAT risk are able to provide a superior insurance product to policyholders and better protect their balance sheets from CAT exposure.
1. Modeling was done with At-Bay portfolio data. At-Bay’s portfolio contains mainly small to medium-sized businesses, and our modeling result is based on At-Bay’s policy structure. If a policy limit is lower than ours, a 50% CAT sublimit could have a larger impact.