Written by Peter Davy
The cyber insurance market may be growing, but it remains in its infancy. It will take work from both insurers and businesses if it is to meet the challenges ahead. Peter Davy writes
• Cyber insurance is a growth business, thanks to regulatory pressure and a growing awareness that all companies are potential targets
• The actual penetration of cyber insurance is often overstated: engagement with the product runs well ahead of purchasing, largely because of uncertainty about the risk and the cover
• Insurers are still trying to get to grips with the risks; so too are buyers, something that will take time to change, as expertise develops
Cyber insurance is a growth business. Consultants at PwC forecast in September that the global market could expand to US$7.5 billion in annual premiums by 2020. Meanwhile, insurer Allianz suggests the figure could reach US$20 billion in a decade's time, ten times today's level.
It is already seeing strong growth, according to Geoff White, underwriting manager for cyber risk at Lloyd's syndicate Barbican and chair of the Lloyd's Market Association's (LMA) Cyber Business Panel. According to White, the insurer has seen submissions double worldwide year-on-year. "In the UK we are seeing much more of an uptick if anything – perhaps five times more than we've seen in previous years," he says.
This growth is being seen across a number of sectors, according to Dr Jürgen Kurth, global chief underwriting officer of AXA Corporate Solutions. “Whereas in the past interest came mostly from financial institutions, technology and telecoms companies, the demand is fast growing among retail but also industrial clients,” he says. “There is a growing awareness among clients that all companies are potential targets, regardless of activity or size.”
There are a few reasons for this. Among the driving factors is the high-profile nature of incidents, including the attack on Carphone Warehouse this summer that exposed up to 2.4 million customers' details and, more recently, the breach at TalkTalk, which fell victim for the third time this year. Incidents like these do make senior managers sit up and think. As a result, there is at last an increased level of understanding of the risks at executive level, says Alex Petsopoulos, partner, cyber security, at PwC.
“A lot of investment has been going in to try to understand what is quite an intangible risk,” he feels.
Perhaps more significantly, regulatory obligations to report data breaches to watchdogs and customers have contributed considerably to the uptake of cyber policies in the US. Similar obligations are expected in Europe with the introduction of the EU General Data Protection Regulation, probably next year, although the effects will arguably be felt before then, according to Hans Allnutt, head of technology, media and information risk at law firm DAC Beachcroft. "While the European regulators are procrastinating, national legislators, regulators and judiciary are taking things in their own hands," he explains.
Allnutt is seeing existing regulation applied more stringently, with harsher penalties, for example, for those that haven't adopted recommended technical and organisational measures. Meanwhile, when penalising travel insurer StaySure for a breach of the Data Protection Act earlier this year, the UK's Information Commissioner's Office treated its voluntary notification of the regulator and customers as a mitigating factor when considering the size of the fine. "The mood is already changing among the regulators and national law makers," says Allnutt.
Despite these arguably positive developments, the penetration of cyber insurance is often overstated. Just 12 per cent of companies responding to a European survey published by Marsh in June were recorded as having a policy. Once the legion of SMEs is included, the figure for all companies is probably much closer to two per cent in the UK, according to Marsh's cyber risk practice leader for EMEA, Stephen Wares.
“There is a high degree of engagement, but a low amount of purchasing,” he says.
There are a number of barriers to greater uptake. For one, there is continued uncertainty over the potential risks and what can be covered.
“There is a great unknown on the part of underwriters and the insureds as to what could happen and how it could happen, and that breeds mistrust,” says David Ledger, at loss adjusters ASL.
“Insureds are not confident the policies would respond.” This is largely unfounded, he says, but remains a factor in the reluctance to take cover.
This prevailing uncertainty is only exacerbated by an air of confusion in the market, with a whole range of potential covers lumped in under the term ‘cyber’.
In fact the cyber insurance market covers three broad areas of exposure, according to Nigel Pearson, global head of fidelity at Allianz Global Corporate and Specialty: liabilities and costs around data loss; business interruption caused by cyber incidents, whether internal error or external attack; and incident response, including IT forensic costs and all associated costs.
Most of the attention, and most product development, so far has concentrated on the first, driven by disclosure regulations in the US. "When you look at all the big claims in the States they are around the loss of personal data," Pearson stresses.
Paul Bantick, UK leader for technology, media and business services at Beazley, agrees. In September it launched a US$60 million capacity cyber consortium with fellow Lloyd's syndicates Aspen and Brit focused on data breach cover for non-US businesses. "The word 'cyber' is very broad, but I certainly see demand in the short term being in the data breach space." As a result, this part of the cyber market is increasingly well developed, with well established standalone policies. Elsewhere, however, confusion reigns.
It is not just that insurers are still trying to get to grips with the risks – Lloyd's, for example, is trying to improve understanding of the potential impact of attacks on critical infrastructure with its 'Business Blackout' study launched in the summer. It also remains unclear how cover for things like physical damage resulting from cyber incidents will be handled by the market. At the moment, such risks can be picked up by dedicated cyber policies, but other policies, such as property covers, may offer affirmative cover for some cyber risks, explicitly exclude them, or remain silent.
In an attempt to reduce uncertainty, the LMA has asked all syndicates to review existing business lines and explain how each treats cyber risk. A report will follow the November deadline, along with pressure to revise wordings, perhaps by increasing capital requirements for those that persist in remaining silent on cyber risks.
“This is something that’s being addressed,” says White.
It will take time, however. If insurers are to write in cover to existing policies they need to develop their own expertise, says Mark Camillo, head of cyber risk and professional indemnity for EMEA at AIG.
“Ultimately cyber [risk] may end up being inserted into other policies but underwriters will need to have the expertise to understand the risks, as well as how the company is managing their information security and what controls they have in place.”
Back to basics
Grappling with cyber risk is not all down to the insurers. For one thing, businesses' own IT departments present a barrier to greater uptake. In a survey of IT professionals published by software group Wallix in September, almost half thought there was insufficient need to invest in cyber insurance.
“It’s not necessarily surprising given that their focus is on technology rather than insurance,” says Wallix technology communicator Chris Pace.
The wider problem is that cyber risk has been left too much to IT departments and has not received the attention it requires as a strategic risk.
Wares thinks there is a temptation to blame the continued low uptake of policies on insurers not providing the covers that businesses need. In fact, when asked in Marsh's survey which areas they are most concerned about, respondents most often chose breach of customer information (24 per cent), which is where the market is most developed. Business interruption, probably the area where cover is next most easily available, came second (22 per cent).
The problem is not lack of relevant covers, but the lack of work that has been done in companies to establish exposures: 25 per cent of organisations surveyed did not have cyber risk on their corporate risk registers; 30 per cent placed it outside of the top 10. In the UK, only 18 per cent say they have a complete understanding of their exposure to cyber risks; 29 per cent say they have no or only limited understanding of it, and about half (53 per cent) that they have a basic understanding.
The problem is not so much uncertainty over the cover available, but uncertainty over the cover required.
"Too few companies have gone through the process of establishing what their unique cyber risk profile looks like to be able to make a conscious risk transfer decision," Wares adds.
Addressing that is tied up with the first step in addressing the risk itself, according to PwC's Petsopoulos: it all begins by accepting that complete security is impossible.
“You have to accept that you can’t prevent every attack, so it is about having the right controls in place to be able to efficiently detect, contain and respond to incidents in a way that limits the damage,” he says.
“Once you have those measures in place it then becomes a lot easier to understand the real risk, take the right insurance policy, and have confidence that policy will cover you.”
This article was published in the November 2015 issue of CIR Magazine.