Quiz Entry - updated: 2026.07.14
What are the classic insurance-industry criteria for whether a risk is "insurable" at all?
Seven criteria — large number of similar events, definite & random loss, large loss, affordable premium, quantifiable loss, no catastrophic cumulation.
The standard list:
| # | Criterion | Why it matters |
|---|---|---|
| 1 | Large number of similar events | Law of large numbers makes pricing predictable |
| 2 | Definite loss (where, when, why) | Court-defensible — claim can be adjudicated |
| 3 | Random loss (trigger not controllable by insured) | No moral hazard — you can't profit by causing it |
| 4 | Large enough loss | Economy of scale — small losses are cheaper to absorb than to insure |
| 5 | Affordable premium | Requires low enough event frequency |
| 6 | Quantifiable loss | Must convert to CHF for court / settlement |
| 7 | Strongly limited catastrophic-loss correlation | Events must be independent; correlated cascades break the model |
Why cyber strains every one of these:
- #1 — limited historical data, especially for novel attacks.
- #3 — many incidents trace to insured's own negligence (no patching, weak passwords).
- #5 — premiums have skyrocketed in 2022-2024 as loss frequency climbed.
- #7 — cyber is correlated: a single supply-chain attack (NotPetya, SolarWinds, MOVEit) hits thousands of insureds simultaneously, breaking the diversification model.
Tip: This is why specialised cyber-insurance underwriting is so hands-on — the underwriter assesses your controls (MFA, EDR, backups), not just your industry, because that's how they try to satisfy criteria #3 and #5.