Cyber insurance is a potentially huge, but still largely untapped, opportunity for insurers and reinsurers. We estimate that annual gross written premiums are set to increase from around $2.5 billion today to reach $7.5 billion by the end of the decade.
Businesses across all sectors are beginning to recognize the importance of cyber insurance in today's increasingly complex and high-risk digital landscape. In turn, many insurers and reinsurers are looking to take advantage of what they see as a rare opportunity to secure high margins in an otherwise soft market. Yet many others are still wary of cyber risk. How long can they remain on the sidelines? Cyber insurance could soon become a client expectation, and insurers that are unwilling to embrace it risk losing out on other business opportunities.
In the meantime, many insurers face considerable cyber exposures within their technology, errors and omissions, general liability and other existing business lines. The immediate priority is to evaluate and manage these "buried" exposures.
Critical exposures
Part of the challenge is that cyber risk isn't like any other risk that insurers and reinsurers have ever had to underwrite. There is limited publicly available data on the scale and financial impact of attacks. The difficulties created by the minimal data are heightened by the speed with which the threats are evolving and proliferating. While underwriters can estimate the likely cost of systems remediation with reasonable certainty, there simply isn't enough historical data to gauge further losses resulting from brand impairment or compensation to customers, suppliers and other stakeholders.
A UK government report estimates that the insurance industry’s global cyber risk exposure is already in the region of £100 billion ($150 billion), more than a third of the Centre for Strategic and International Studies’ estimate of the annual losses from cyber attacks ($400 billion). And while the scale of the potential losses is on a par with natural catastrophes, incidents are much more frequent. As a result, there are growing concerns about both the concentrations of cyber risk and the ability of less experienced insurers to withstand what could become a fast sequence of high-loss events.
Insurers and reinsurers are charging high prices for cyber insurance relative to other types of liability coverage to cushion some of the uncertainty. They are also seeking to put a ceiling on their potential losses through restrictive limits, exclusions and conditions. However, many clients are starting to question the real value these policies offer, which may restrict market growth.
Insurers and reinsurers need more rigorous and relevant risk evaluation built around more reliable data, more effective scenario analysis and partnerships with government, technology companies and specialist firms. Rather than simply relying on blanket policy restrictions to control exposures, insurers should make coverage conditional on regular risk assessments of the client's operations and the actions they take in response to the issues identified in these regular reviews. The depth of the assessment should reflect the risks within the client's industry sector and the coverage limits.
This more informed approach would enable your business to reduce uncertain exposures while offering the types of coverage and more attractive premium rates clients want. Your clients would, in turn, benefit from more transparent and cost-effective coverage.
Opportunities for Growth
There is no doubt that cyber insurance offers considerable opportunity for revenue growth.
An estimated $2.5 billion in cyber insurance premium was written in 2014. Some 90% of cyber insurance is purchased by U.S. companies, underlining the size of the opportunities for further market expansion worldwide.
In the UK, only 2% of companies have standalone cyber insurance. Even in the more penetrated U.S. market, only around a third of companies have some form of cyber coverage. There is also a wide variation in take-up by industry, with only 5% of manufacturing companies in the U.S. holding standalone cyber insurance, compared with around 50% in the healthcare, technology and retail sectors. As recognition of cyber threats increases, take-up of cyber insurance in under-penetrated industries and countries continues to grow, and companies face demands to disclose whether they have cyber coverage (examples include the U.S. Securities and Exchange Commission's disclosure guidance).
We estimate that the cyber insurance market could grow to $5 billion in annual premiums by 2018 and at least $7.5 billion by 2020.
There is a strong appetite among underwriters for further expansion in cyber insurance writings, reflecting what would appear to be favorable prices in comparison with other areas of a generally soft market -- the cost of cyber insurance relative to the limit purchased is typically three times the cost of cover for more-established general liability risks. Part of the reason for the high prices is the still limited number of insurers offering such coverage, though a much bigger reason is the uncertainty around how much to put aside for potential losses.
Many insurers are also setting limits below the levels sought by their clients (the maximum is $500 million, though most large companies have difficulty securing more than $300 million). Insurers may also impose restrictive exclusions and conditions. Some common conditions, such as state-of-the-art data encryption or 100% updated security patch clauses, are difficult for any business to maintain. Given the high cost of coverage, the limits imposed, the tight attaching terms and conditions and the restrictions on whether policyholders can claim, many policyholders are questioning whether their cyber insurance policies are delivering real value. Such misgivings could hold back growth in the short term. There is also a possibility that overly onerous terms and conditions could invite regulatory action or litigation against insurers.
Cyber Sustainability
We believe there are eight ways insurers, reinsurers and brokers could put cyber insurance on a more sustainable footing and take advantage of the opportunities for profitable growth:
1. Judging what you could lose and how much you can afford to lose
Pricing will continue to be as much of an art as a science in the absence of robust actuarial data. But it may be possible to develop a much clearer picture of your total maximum loss and match this against your risk appetite and risk tolerances. This could be especially useful in helping your business judge what industries to focus on, when to curtail underwriting and where there may be room for further coverage.
Key inputs include worst-case scenario analysis for your particular portfolio. If your clients include a lot of U.S. power companies, for example, what losses could result from a major attack on the U.S. grid? A recent report based around a "plausible but extreme" scenario in which a sophisticated group of hackers were able to compromise the U.S. electrical grid estimated that insurance companies would face claims ranging from $21 billion to $71 billion, depending on the size and scope of the attack. What proportion of these claims would your business be liable for? What steps could you take now to mitigate the losses in areas ranging from reducing risk concentrations in your portfolio to working with clients to improve safeguards and crisis planning?
2. Sharpen intelligence
To develop more effective threat and client vulnerability assessments, it will be important to bring in people from technology companies and intelligence agencies. The resulting risk evaluation, screening and pricing process would be a partnership between your existing actuaries and underwriters, focusing on the compensation and other third-party liabilities, and technology experts who would concentrate on the data and systems area. This is akin to the partnership between CRO and CIO teams that are being developed to combat cyber threats within many businesses.
3. Risk-based conditions
Many insurers now impose blanket terms and conditions. A more effective approach would be to make coverage conditional on a fuller and more frequent assessment of the policyholder's vulnerabilities and agreement to follow advised steps. This could include an audit of processes, responsibilities and governance within your client's business. It could also include threat intelligence assessments, which would draw on the evaluations of threats to industries or particular enterprises, provided by government agencies and other credible sources. It could also include exercises that mimic attacks to test weaknesses and plans for response. As a condition of coverage, you could then specify the implementation of appropriate prevention and detection technologies and procedures.
Your business would benefit from a better understanding and control of the risks you choose to accept, hence lowering exposures, and the ability to offer keener pricing. Clients would in turn be able to secure more effective and cost-efficient insurance protection. These assessments could also help to cement a closer relationship with clients and provide the foundation for fee-based advisory services.
4. Share more data
More effective data sharing is the key to greater pricing accuracy. Client companies have been wary of admitting breaches for reputation reasons, while insurers have been reluctant to share data because of concerns over loss of competitive advantage. However, data breach notification legislation in the U.S., which is now set to be replicated in the EU, could help increase available data volumes. Some governments and regulators have also launched data sharing initiatives (e.g., MAS in Singapore or the UK's Cyber Security Information Sharing Partnership). Data pooling on operational risk, through ORIC, provides a precedent for more industry-wide sharing.
5. Real-time policy update
Annual renewals and 18-month product development cycles will need to give way to real-time analysis and rolling policy updates. This dynamic approach could be likened to the updates on security software or the approach taken by credit insurers to dynamically manage limits and exposures.
6. Hybrid risk transfer
While the cyber reinsurance market is less developed than its direct counterpart, a better understanding of the evolving threat and maximum loss scenarios could encourage more reinsurance companies to enter the market. Risk transfer structures are likely to include traditional excess of loss reinsurance in the lower layers, with capital market structures being developed for peak losses. Possible options might include indemnity or industry loss warranty structures or some form of contingent capital. Such capital market structures could prove appealing to investors looking for diversification and yield. Fund managers and investment banks can bring in expertise from reinsurers or technology companies to develop appropriate evaluation techniques.
7. Risk facilitation
Given the ever more complex and uncertain loss drivers surrounding cyber risk, there is a growing need for coordinated risk management solutions that bring together a range of stakeholders, including corporations, insurance/reinsurance companies, capital markets and policymakers. Some form of risk facilitator, possibly the broker, will be needed to bring the parties together and lead the development of effective solutions, including the standards for cyber insurance that many governments are keen to introduce.
8. Build credibility through effective in-house safeguards
The development of effective in-house safeguards is essential in sustaining credibility in the cyber risk market, and trust in the enterprise as a whole. If your business can't protect itself, why should policyholders trust you to protect them?
Banks have invested hundreds of millions of dollars in cyber security, bringing in people from intelligence agencies and even ex-hackers to advise on safeguards. Insurers also need to continue to invest appropriately in their own cyber security given the volume of sensitive policyholder information they hold, which, if compromised, would lead to a loss of trust that would be extremely difficult to restore. The sensitive data held by cyber insurers that hackers might well want to gain access to includes information on clients' cyber risks and defenses.
The starting point is for boards to take the lead in evaluating and tackling cyber risk within their own business, rather than simply seeing this as a matter for IT or compliance.
See the full report here.