LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the classic insurance-industry criteria for whether a risk is "insurable" at all?

Seven criteria — large number of similar events, definite & random loss, large loss, affordable premium, quantifiable loss, no catastrophic cumulation.

The standard list:

# Criterion Why it matters
1 Large number of similar events Law of large numbers makes pricing predictable
2 Definite loss (where, when, why) Court-defensible — claim can be adjudicated
3 Random loss (trigger not controllable by insured) No moral hazard — you can't profit by causing it
4 Large enough loss Economy of scale — small losses are cheaper to absorb than to insure
5 Affordable premium Requires low enough event frequency
6 Quantifiable loss Must convert to CHF for court / settlement
7 Strongly limited catastrophic-loss correlation Events must be independent; correlated cascades break the model

Why cyber strains every one of these:

  • #1 — limited historical data, especially for novel attacks.
  • #3 — many incidents trace to insured's own negligence (no patching, weak passwords).
  • #5 — premiums have skyrocketed in 2022-2024 as loss frequency climbed.
  • #7 — cyber is correlated: a single supply-chain attack (NotPetya, SolarWinds, MOVEit) hits thousands of insureds simultaneously, breaking the diversification model.

Tip: This is why specialised cyber-insurance underwriting is so hands-on — the underwriter assesses your controls (MFA, EDR, backups), not just your industry, because that's how they try to satisfy criteria #3 and #5.

From Quiz: ISF / Risk Management | Updated: Jul 14, 2026