UNDERWRITING CYBER RISK: Into the void
Written by David Adams
Cyber insurance is not new, but the approach to underwriting the risk is, and not a moment too soon. The nature of the risk is changing, uncovering new risks as it does so. David Adams takes a look at the evolving market
The need for some form of cyber insurance first became apparent as long ago as the 1980s, when organisations in a number of different industries gradually came to rely on IT infrastructures. Despite this early identification of the need for some kind of cover, the first cyber policy was written only in 1997, with Lloyd’s only been writing such policies since 2001. Even within recent years, discussions around cyber insurance between organisations, brokers and insurers often involved one party admitting that these risks were simply not sufficiently understood.
Since then, the rising cost of data breaches, both in potential liabilities and in terms of resources needed to enable operational recovery, has helped drive development of standalone cyber insurance policies. Standalone policies now offer claims services that incorporate access to expert technical support, incident response and crisis management capabilities, alongside liability and first party covers against the direct effects of security breaches.
The global cyber insurance market was worth about US$2.5 billion in 2015, but research completed by PwC that year suggested it could triple in value by 2020.
As the market grows and matures, the need for more effective underwriting and analysis of the effect on the insurance market of so-called ‘silent’ cyber risks is becoming more apparent – that is, cyber exposures effectively covered by all-risk and other liability insurance products because they are not explicitly excluded.
Silent risks were one of the key items considered in the Prudential Regulation Authority’s November 2016 Consultation Paper (CP39/16) on cyber insurance underwriting risk. The PRA expressed concern that the potential for silent losses is increasing, with casualty, marine, aviation, transport and professional indemnity lines all potentially significantly exposed to these risks. Furthermore, exposure to them within reinsurance contracts is also uncertain.
The PRA is setting out proposals to address these issues, through premia adjustment, more precisely worded exclusions and more tightly defined limits of cover. Insurers will also need to pay close attention to aggregation risks related to cyber – an area not yet adequately addressed by modelling tools or data resources.
On a more positive note, a growing number of organisations that might be said to have the greatest need for these policies have clearly improved their resilience to cyber attack, with greater understanding of cyber risks at board level and increased resources now dedicated to mitigating those risks.
Steve Williams, partner, technology regulation at Moore Stephens says more organisations are seeking more specifically defined cyber insurance cover, with insurers consequently creating more effective policies. Such bespoke tailoring is also taking place at sector level, with specific policies for individual industries. Arthur J Gallagher’s new policy for manufacturers, offering bespoke cover for increased costs of working, contractual penalties and contingent supplier interruption; and most recently, Willis Towers Watson’s CyFly, developed with AIG for the aviation sector are two such examples.
As one might expect, larger companies in more highly regulated sectors are most likely to be buying cyber insurance (although some of the largest mitigate the risk in other ways) but there is still now strong growth in the mid-market range.
James Burns, cyber practice leader at CFC Underwriting and a member of the Cyber Steering Committee at the British Insurance Brokers’ Association, suggests that in future there may also be a greater focus on the needs of smaller organisations seeking cover for cyber crime risks such as fraud and ransomware attacks.
Regardless of who the client might be, the underwriting process for cyber insurance is now much more detailed, according to Tom Draper, technology and cyber practice leader at Arthur J Gallagher. Underwriters can now draw upon a wider variety of resources to inform their work. Draper believes more insurers have moved away from intrusive questionnaires and attempting to gauge the resilience of individual organisations, towards the macro approach of assessing how cyber
risks impact organisations.
One trend Burns believes may have a strong influence on underwriters is the ongoing shift away from an emphasis on third party liabilities, such as compensation claims from a company’s customers, towards first party covers in these policies. He notes that although 2016 was a record year for cyber claims at CFC, very few were related to such liabilities.
Burns suggests that in the future, underwriting of cyber insurance could be focused much more closely on the first party covers; and on the value of an insured’s assets that could be threatened by cyber risks – in the same way that a property insurer’s first question usually concerns the value of a property.
Burns also suggests that further development is needed in the way underwriters benchmark cover limits, taking into account, for example, the amount of data an organisation holds, the extent of its reliance on its IT infrastructure, or levels of exposure to specific risks. For example, a large law firm involved in significant numbers of estates transactions every day is likely to be more vulnerable to transaction fraud than would other types of business.
All of these developments underline the need for underwriters to possess the knowledge and expertise required to write this line of cover effectively. The industry watchdog has not been shy to convey its feelings on the matter, concluding that there is currently insufficient cyber insurance expertise in many firms. To date, as the PRA’s Consultation Paper notes, “growth aspirations in affirmative cyber are seldom accompanied by a commensurate investment in underlying expertise and talent”. Clearly if the market for these covers continues to grow, a failure to address this issue would represent a major lost commercial opportunity.
Draper concurs, while noting that there is a significant maturing process underway in cyber insurance in general – “and in underwriting especially”. His biggest concern is about sustaining levels of expertise. “There needs to be continuing education and training for underwriting in this quite specialised area,” he insists.
What is certain about this market is that it has a great deal of potential for further growth. This, in turn, should serve to drive further advances in underwriting expertise.
Other patterns of development will be influenced by the nature of cyber threats and by other factors, such as regulation – there is a universal expectation that enforcement of the General Data Protection Regulation (GDPR) after May 2018 will mean more organisations have to admit and investigate data breaches.
Burns expects new strains of ransomware to help drive growth at the lower end of the cyber insurance market, with a shift from generic threats of this type to more targeted attacks; and perhaps also an increase in the value of ransoms demanded (because ransomware writers will know that more potential victims have insurance). He fears this will drive higher limits for indemnity on cyber policies, which may in turn lead to ransom inflation, as has happened in the physical world with kidnap and ransom cover. He also wonders if, as the focus of cyber insurance continues to move towards first party covers, this might lead to an increased incidence in cyber insurance fraud.
Finally, Williams fears that the continued spread of the Internet of Things will create more problems for insurers and underwriters in future, related to questions of liability, in, for example, cases of collisions between smart vehicles. “I worry about how you would attribute risks in an incident to a particular policy,” he says. “I haven’t seen many people talking about accountability in that type of environment.”
But of course, he adds, wherever there are emerging risks there are also emerging commercial opportunities for insurers. Putting more resources into improving cyber underwriting is likely to prove a very worthwhile investment.
This article was published in the March 2017 issue of CIR Magazine.
Download in PDF format
Click here for more interviews and analysis
Contact the editor
Follow us on Twitter