The real hurricane for insurers could be in cyber insurance
Insurers need to take steps now to prepare for the cyber market to harden and pivot their business approach.
After last year’s catastrophic season, which was the costliest ever for the U.S., insurers now hope history won’t repeat itself.
There’s another area of their business, though, where they should be on the lookout for headwinds: the fast-growing cyber insurance market. At present, it’s a lucrative market for insurers, and more are dipping their toes in.
Who can blame them when the level of underinsurance is massive?
Cyber scares
The estimated annual cost to the global economy from cyber crime is $450 billion. Yet the appropriate size of the global market for cyber insurance was just $2.3 billion in 2017.
Investment bank Jefferies forecast that the global market for cyber insurance will grow to $7 billion by 2020. There’s a lot of capital available and it’s not difficult for business enterprises to get coverage at a decent rate.
For their part, businesses are actually making strides and improving their security measures and resilience. My company’s recent security research showed that organizations across all industries are upping their game and now preventing 87 percent of all focused cyber attacks, compared to 70 percent in 2017.
Right now insurers can be akin to revelers at a party with premiums fast-rising. But we think the market is going to harden, and quickly, as cyber losses collide with loose underwriting.
Word to the wise
The biggest issue with cyber is that the status quo doesn’t stick around for too long. While firms are approaching a level of security mastery with ransomware and distributed denial of services (DDoS), new threats can and will emerge. This is heightened by the fact that more businesses are continuing to invest in new technologies to improve the customer experience and create business efficiencies. These technologies are not without security risks.
And insurance underwriters don’t yet properly understand these risks. The constantly changing nature of cyber risk makes it hard to price and model, and annual policies aren’t suited to a constantly evolving risk.
To make matters worse, cyber insurance pricing is currently driven by competition among insurers, rather than rigorous risk assessment. While many insurers are exploring predictive modeling to better price and evaluate the risks, it’s going to take years to hone these models.
We are already seeing a rise in the number of cyber insurance claims. Recent data from AIG showed that its Europe, Middle East and Africa business had as many cyber claims in 2017 as the previous four years combined.
Action items
Insurers need to take steps now to prepare for the cyber market to harden and pivot their business approach. Here’s three things they should consider:
- Stop trying to retrofit existing products for cyber: Insurers need to start from scratch with building an cyber offering. A common launching point is terrorism coverage, which was very popular after 9/11, but that type of risk is related to singular events and as such is very different from cyber risk, which comes with unique considerations.
- Work with clients to shore up lines of defense and controls at different levels: It’s impossible to prevent breaches entirely, but businesses and carriers should take steps together to shore up lines of defense and controls at different levels. Many carriers are teaming with security firms as part of their cyber insurance offerings to help prevent and monitor for cyber threats. These security firms can also assist in the underwriting and pricing process given they may have more access to a potential policyholder’s security processes and vulnerabilities.
- Get back to risk-based pricing: Pricing needs to be driven by the risks, rather than by competition in the market. While true risk-based pricing is challenging, insurers can help themselves by building a historical database, obtaining access to policyholders’ corporate security information (including cyber capabilities and results of security tests), and experimenting with emerging fintech to try to quantify risk and set more accurate, data-driven cyber limits.
So, while we will be closely monitoring the weather patterns this hurricane season, it’s worth considering this statistic from Lloyd’s: a major global cyber-attack has the potential to trigger $53 billion in economic losses. That’s roughly on par with a catastrophic natural disaster such as Hurricane Sandy in 2012. Insurers should prepare for the pivot on cyber now.
Michael Costonis is the global insurance practice lead at Accenture. This contributor can be contacted through the Accenture website.
The opinions here are the writer’s own.
Also by Michael Costonis: