Cyber insurance is a potentially huge but still largely untapped opportunity for insurers and reinsurers.
It is estimated that annual gross written premiums will increase from around $2.5 billion today to $7.5 billion by the end of the decade. Accordingly, many insurers and reinsurers are looking to take advantage of what they see as a rare opportunity to secure high margins in an otherwise soft market.
However, wariness of cyber risk is widespread.
Many insurers don't want to cover it at all. Others have set limits below the levels their clients seek, and have imposed restrictive exclusions and conditions — such as state-of-the-art data encryption or 100 percent updated security patch clauses — which are difficult for any business to maintain.
Given the high cost of coverage, the limits imposed, the tight attaching terms and conditions, and the restrictions on claims, many companies question whether their cyber insurance policies provide real value.
Insurers are relying on tight policy terms and conditions and conservative pricing strategies to limit their cyber risk exposures. But how sustainable is this approach as clients start to question the value of their policies and concerns widen about the level and concentration of cyber risk exposures?
The risk-pricing challenge
The biggest challenge for insurers is that cyber isn't like other risks. There is limited publicly available data on the scale and financial impact of attacks, and threats are changing and proliferating very rapidly. Moreover, the fact that cybersecurity breaches can remain undetected for several months — even years — creates the possibility of accumulated and compounded future losses.
While underwriters can estimate the cost of system remediation with reasonable certainty, there isn't enough historical data to gauge further losses resulting from brand impairment or to customers, suppliers and other stakeholders. Many insurers also face considerable cyber exposures within their technology, errors and omissions, general liability and other existing business lines. As a result, there are growing concerns about both the concentrations of cyber risk and the ability of less experienced insurers to withstand what could become a rapid sequence of high loss events.
So, how can cyber insurance be a more sustainable venture that offers real protection for clients, while safeguarding insurers and reinsurers against damaging losses? Here are eight ways insurers, reinsurers and brokers could put cyber insurance on a more sustainable footing and take advantage of the opportunities for profitable growth.
1. Clarify risk appetite
Despite the absence of robust actuarial data, it may be possible to develop a reasonably clear picture of total maximum loss and match it against risk appetite and tolerances. Key inputs include worst-case scenario analysis, which can help insurers judge which industries to focus on, when to curtail underwriting and where there may be room for further coverage. Moreover, even if an insurer offers no standalone cyber coverage, it should gauge the exposures that exist within its wider property, business interruption, general liability, and errors and omissions coverage.
2. Gain broader perspectives
Bringing in people from technology companies and intelligence agencies can lead to more effective threat and client vulnerability assessments. The resulting risk evaluation, screening and pricing process could be a partnership between existing actuaries and underwriters who focus on compensation and other third-party liabilities, and technology experts who concentrate on data and systems. This is similar to the partnership between chief risk officer and chief information officer teams that many companies are developing to combat cyber threats.
3. Create tailored, risk-specific conditions
Many insurers currently impose blanket terms and conditions. A more effective approach would be to make coverage conditional on a fuller and more frequent assessment of the policyholder's vulnerabilities and agreement to follow advised steps. This could include an audit of processes, responsibilities and governance within a client's business. Another possible component is exercises that mimic attacks to test both weaknesses and plans for response. As a result, coverage could specify the implementation of appropriate prevention and detection technologies and procedures.
4. Share data more effectively
More effective data sharing is the key to greater pricing accuracy. For reputational reasons, many companies are wary of admitting breaches, and insurers have been reluctant to share data because of concerns over loss of competitive advantage. However, data breach notification legislation in the United States — which is now set to be replicated in the European Union — could help increase available data volumes. Some governments and regulators have also launched data sharing initiatives. In addition, data pooling on operational risk, through Oric International, provides a precedent for more industry-wide sharing.
5. Develop real-time policy updates
Annual renewals and 18-month product development cycles will need to give way to real-time analysis and rolling policy updates. This dynamic approach could be likened to the updates on security software or the approach taken by credit insurers to dynamically manage limits and exposures.
6. Consider hybrid risk transfer
Although the cyber reinsurance market is relatively undeveloped, a better understanding of evolving threats and maximum loss scenarios could encourage more reinsurers to enter the market. Risk transfer structures likely would include traditional excess of loss reinsurance in the lower layers, and the development of capital market structures for peak losses. Possible options might include indemnity or industry loss warranty structures, and/or some form of contingent capital.
7. Improve risk facilitation
Considering the complexity and uncertainty surrounding cyber risk, there is a growing need for coordinated risk management solutions that bring together a range of stakeholders, including corporations, insurance/reinsurance companies, capital markets and policymakers. Some form of risk facilitator — possibly brokers — will need to bring together all parties and lead the development of effective solutions, including the cyber insurance standards that many governments are keen to introduce.
8. Enhance credibility with in-house safeguards
If an insurer can't protect itself, then why should policyholders trust it to protect them? If the sensitive policyholder information that an insurer holds is compromised, then it likely would lead to a loss of customer trust that would be extremely difficult to restore. The development of effective in-house safeguards is essential in sustaining credibility in the cyber risk market, and trust in the enterprise as a whole.
Evaluating and addressing cyber risk is an enterprise-wide matter — not just one for IT and compliance. Cyber coverage that is viable for both insurers and insureds will require more rigorous and relevant risk evaluation informed by more reliable data and more effective scenario analysis. Partnerships with technology companies, cyber specialist firms and government are a great place to start as potential ways to augment and refine this information.
© 2024 ALM Global, LLC, All Rights Reserved.