Cyber insurance is said to be one of the few areas of growth and innovation in the insurance market these days.
Cyber risk is identified as one of the biggest risks facing the financial system, and the demand for insurance against it is growing. As pressure is being put on organisations to demonstrate that cyber risk is being managed or mitigated, many protection buyers get cover for the first time. As attacks become more malicious and costly, the demand is bound to increase.
Methods to assess this risk are in their infancy, and consequently managing cyber risk against risk appetite is not an easy job to carry out.
Is cyber security risk insurable?
Lloyd’s has pioneered the development of this class; however, surveys indicate that the attitude towards cyber seems to have split the market in half. Half of the market does not actively pursue cyber, often believing this risk to be borderline insurable. The scepticism is due to limited experience of cyber losses standing in the way of confident underwriting.
On the other hand, even in the group that embraces cyber, insurers still trade carefully and tend to limit the amount of cover offered under each policy, despite the fact that there is appetite for more cover. Breach costs are constantly rising and the limited protection available doesn’t even come near to what the cost of a truly damaging cyber attack would be to a large business.
The issue with silent cyber
Lloyd’s and other regulators are questioning (re)insurers on how well they understand their exposure to cyber. While exposure to so-called “affirmative” cyber (arising from selling cyber policies) can be controlled to a certain extent, all insurers and reinsurers, regardless of their views on the insurability of cyber, will have exposure to “silent” cyber.
Silent cyber losses result from a cyber attack but arise under contracts other than a dedicated cyber policy: contracts which, while not designed to protect against cyber, do not exclude this type of risk either. For example, an attack on a common billing or payroll system could result in the loss of personal data and in financial loss, which could in consequence lead to a high number of claims under Professional Indemnity policies.
How do insurers quantify cyber risk?
The main challenge emerging is how to design a market-leading but pragmatic approach to managing cyber risk. The difficulty stems not only from the scarcity of available data, but also from the risk that any model quickly becomes obsolete as the cyber risk landscape changes rapidly and cyber weaponry progresses.
Most insurers (85%) claim to have a loss estimation methodology in place. The majority use simplistic exposure- and factor-based methods, which have in the past been shown to underestimate the risk (as we have seen with unmodelled events like the Thai Floods). There is also the contradictory case that a significant number of insurers believe their method to be overly conservative.
Insurtech and cyber scenarios
While a flurry of new software and data products has recently entered the market to help with this issue, very few insurers use external tools, and the majority within that group use technology mainly to supplement the assumptions and data applied in simple exposure-management-based methods. The prevailing view is that the tools available need further development before they are suitable for managing insurance portfolios.
The job of understanding accumulations of this risk has in most cases been given to exposure management teams, and while parallels can be seen between early years of catastrophe models and cyber, management of this risk requires some unique consideration and analysis.
It is worth bringing stakeholders together and using extreme scenarios to test the interconnectedness of exposures, as well as seeking to understand how policies that are silent on cyber might respond. While those scenarios may be unlikely to occur, firms have been finding them helpful in understanding possible causes of losses and levels of coverage affected.
And as is the case with natural catastrophes, we are likely to be very surprised (but learn a lot) when the next significant event occurs.