Cyber is the hardest actuarial modelling problem in insurance today, and the reason is not technical. It is that almost every assumption underwriting the traditional toolkit — stable threat environment, independent losses, credible history, fixed wording — is now wrong at the same time.

Losses arise from ransomware, data breaches, cloud outages, third-party service failures, business interruption, regulatory fines, litigation, social engineering, supply-chain compromise and AI-enabled attacks. The cutting edge has moved well beyond frequency-severity. Expert judgement, synthetic event databases, stress scenarios, dependency modelling, systemic accumulation, vulnerability functions, network contagion and wording analysis are now all part of the toolkit.

Why cyber breaks the standard assumptions

Most actuarial pricing and reserving depends on credible historical data. Cyber breaks this on five fronts at once.

  • The threat environment changes in months — attack techniques, defensive controls, legal obligations, ransom behaviour and geopolitical risk all shift.
  • Losses are highly dependent — a cloud outage, software vulnerability or managed-service-provider breach can hit many insureds simultaneously.
  • Data is incomplete — many cyber incidents are not disclosed publicly, and internal insurer data is too sparse for tail risk.
  • Policy wording is evolving — coverage, exclusions, sublimits, waiting periods, war exclusions and systemic cyber clauses materially change insured loss.
  • Mitigation matters — MFA, backups, patching, training, endpoint detection and incident response all alter frequency and severity in ways traditional underwriting questionnaires struggle to capture.

What the research is doing about it

The CAS 2025 research paper on cyber risk focuses on quantification, stress scenarios, mitigation and insurance, combining historical data with expert judgement and a synthetic cyber event database — the CAS describes it as a forward-looking methodology rather than a backward-looking fit. Carannante and co-authors review the mathematics — dynamic stochastic models, vulnerability functions, interdependence — and the broader message is the one to internalise: cyber is not captured by a single static model. It needs a coordinated set of complementary models.

Scenarios do the work data cannot

Cyber stress scenarios matter because tail risk is rarely visible in insurer data. Useful scenarios include:

  • major cloud-provider outage;
  • widely exploited software vulnerability;
  • ransomware event affecting a sector;
  • payment system compromise;
  • data breach at a major service provider;
  • AI-assisted phishing or social engineering surge;
  • operational technology attack on infrastructure;
  • geopolitical cyber conflict with disputed war-exclusion implications.

Each scenario should specify exposed insureds, attack path, duration, mitigation, policy response, legal cost, business interruption, restoration cost, notification cost, reputational impact and reinsurance response. Less specific scenarios are theatre, not analysis. The IAIS work on cyber-risk underwriting is a useful prompt for the supervisory questions a scenario should also answer.

Pricing variables that actually predict

Cyber pricing needs more than revenue and industry class. Rating variables can include security posture, controls maturity, endpoint coverage, backup frequency, privileged access management, third-party dependency, cloud architecture, data sensitivity, incident history and sector exposure. The discipline is balancing predictive value against data reliability and customer disclosure — and tying every variable that changes the premium materially to an underwriting control that can be verified and monitored over the policy period.

Reserving where development paths fork

Cyber reserving is structurally difficult because claims develop through forensic costs, business interruption, legal notification, class actions, regulatory investigations and third-party liability — and the development pattern varies strongly by incident type and jurisdiction. Silent cyber exposure in non-cyber policies can also create unexpected accumulation that does not show up in cyber-class reserving at all. A defensible reserving process separates event cohorts, incident types, first-party and third-party components, large losses, coverage disputes and latent litigation. Machine learning helps with claims classification; actuarial judgement remains critical on the case-estimate side. Where AI is used in the workflow, we apply the controls on our How we use AI page.

Accumulation looks more like cat than casualty

Cyber can accumulate across insureds in ways that look closer to catastrophe risk than ordinary casualty risk. The dependency dimensions that matter are common vendors, cloud providers, software platforms, payment systems and geographic / legal jurisdictions. Reinsurance structures must be tested against systemic cyber scenarios, not just attritional loss experience. Insurers that price cyber on the attritional book and reinsure as if it were liability risk discover the gap at the worst possible time.
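As an added illustration (not a model from the CAS or IAIS work cited above, nor this page's own), the Python simulation below prices the same constructed portfolio twice: once with independent per-insured losses, once with a common-shock model in which an outage at a shared cloud provider hits every tenant in the same year. Portfolio size, provider shares, loss probabilities and severity parameters are assumptions chosen so that the expected annual loss is identical under both views; only the tail differs.

```python
import random
import statistics

# Constructed portfolio assumptions (not market data): 200 insureds, each relying
# on one cloud provider with the shares below; every other parameter is illustrative.
PROVIDER_SHARES = {"cloud_A": 0.60, "cloud_B": 0.30, "cloud_C": 0.10}
N_INSUREDS = 200
P_LOSS = 0.05       # annual probability that an insured suffers a covered loss
Q_OUTAGE = 0.02     # annual probability that a provider outage hits all of its tenants
SEV_MU, SEV_SIGMA = 12.0, 1.0   # lognormal severity parameters (log currency units)
LIMIT = 1_000_000   # per-policy limit applied to each loss

def build_portfolio(rng):
    """Assign each insured to a provider in proportion to the assumed shares."""
    return rng.choices(list(PROVIDER_SHARES), weights=list(PROVIDER_SHARES.values()), k=N_INSUREDS)

def severity(rng):
    return min(rng.lognormvariate(SEV_MU, SEV_SIGMA), LIMIT)

def annual_loss_independent(rng, portfolio):
    """Traditional view: each insured's loss is an independent Bernoulli(P_LOSS) event."""
    return sum(severity(rng) for _ in portfolio if rng.random() < P_LOSS)

def annual_loss_common_shock(rng, portfolio):
    """Dependent view: an outage at a provider hits every tenant in the same year.
    The idiosyncratic probability is scaled down so each insured's overall loss
    probability is still exactly P_LOSS: the mean is unchanged, only the tail moves."""
    p_idio = (P_LOSS - Q_OUTAGE) / (1 - Q_OUTAGE)
    down = {prov for prov in PROVIDER_SHARES if rng.random() < Q_OUTAGE}
    return sum(severity(rng) for prov in portfolio if prov in down or rng.random() < p_idio)

def simulate(model, n_years=5000, seed=7):
    """Return mean, 99% VaR and 99% TVaR of the annual aggregate loss under one model."""
    rng = random.Random(seed)
    portfolio = build_portfolio(rng)
    losses = sorted(model(rng, portfolio) for _ in range(n_years))
    cut = int(0.99 * n_years)
    return {"mean": statistics.fmean(losses), "var99": losses[cut - 1],
            "tvar99": statistics.fmean(losses[cut:])}

def compare(n_years=5000, seed=7):
    """Same portfolio, same seed, both models; returns (independent, common_shock)."""
    return (simulate(annual_loss_independent, n_years, seed),
            simulate(annual_loss_common_shock, n_years, seed))

if __name__ == "__main__":
    for name, r in zip(("independent", "common shock"), compare()):
        print(f"{name:13s} mean={r['mean']:>13,.0f}  VaR99={r['var99']:>13,.0f}  TVaR99={r['tvar99']:>13,.0f}")
```

The two means agree to within sampling error while the common-shock 99% VaR and TVaR are several times the independent figures, which is the gap a liability-style reinsurance programme tested only on attritional experience would miss.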

The governance checklist

A cyber actuarial framework that survives a review documents:

  • exposure definitions;
  • policy wording and exclusions;
  • key underwriting controls;
  • data sources and limitations;
  • historical loss analysis;
  • expert judgement inputs;
  • scenario design;
  • accumulation methodology;
  • reinsurance treatment;
  • model validation;
  • monitoring triggers;
  • the cadence for refreshing cyber threat intelligence.

Without all twelve, cyber pricing and capital land somewhere between too optimistic and too conservative — sometimes on the same portfolio in the same quarter.

If you are building a defensible cyber actuarial framework — pricing, reserving, accumulation and governance in one place — our Risk Management practice covers the modelling and the controls.
