The global demand for cyber insurance presents a huge commercial opportunity for insurers and reinsurers – estimated to be at least US$7.5 billion by the end of the decade – but with that opportunity come risks that could be devastating, notes a new paper from PricewaterhouseCoopers LLP (PwC).
Insurance 2020 & beyond: Reaping the dividends of cyber resilience – which explores how cyber insurance could be a more sustainable venture that offers real protection for clients, while safeguarding insurers and reinsurers against damaging losses – estimates the largely untapped cyber insurance market could increase from about US$2.5 billion in premium written in 2014 to US$5 billion in annual premiums by 2018 and at least US$7.5 billion by 2020.
“Even in the more penetrated U.S. market, only around a third of companies have some form of cyber coverage,” states the PwC paper, released Tuesday at the Monte Carlo Reinsurance Rendez-vous. “There is also a wide variation in take-up by industry, with only 5% of manufacturing companies in the U.S. holding standalone cyber insurance compared to around 50% in the healthcare, technology and retail sectors,” the paper notes.
PwC expects that “cyber insurance capacity will continue to increase over the next few years, which is likely to put pressure on premium rates and encourage some insurers to relax limits, exclusions and other terms and conditions as they compete for business,” the paper notes.
Going forward, however, “the market will eventually reach the data maturity needed to price more accurately and, hence, reduce the need for a premium cushion,” PwC notes, but adds a caution. “If the industry takes too long, there is a risk that a disruptor could move in and corner the market by aggressively cutting prices or offering much more favourable terms,” the paper adds.
“Many insurers and reinsurers are looking to take advantage of what they see as a rare opportunity to secure high margins in an otherwise soft market,” it states. Others, however, need convincing.
While everyone is making up their minds, though, “many insurers face considerable cyber exposures within their technology, errors and omissions, general liability and other existing business lines.”
Some of the resistance may stem from the fact that “cyber risk isn’t like any other risk insurers and reinsurers have ever had to underwrite,” the paper notes, pointing to limited publicly available data on the scale and financial impact of attacks, and the speed with which the threats are evolving and proliferating.
“While underwriters can estimate the likely cost of systems remediation with reasonable certainty, there simply isn’t enough historical data to gauge further losses resulting from brand impairment or compensation to customers, suppliers and other stakeholders,” PwC explains.
In response, those insurers and reinsurers that have, in fact, entered the market “are charging high prices for cyber insurance relative to other types of liability coverage to cushion some of the uncertainty. They are also seeking to put a ceiling on their potential losses through restrictive limits, exclusions and conditions,” the paper states.
PwC notes that the limited number of insurers offering cyber coverage and the uncertainty around how much to put aside for potential losses mean the cost of cyber insurance relative to the limit purchased is typically three times the cost of cover for more established general liability risks. “Given the high cost of coverage, the limits imposed, the tight attaching terms and conditions and the restrictions on whether policyholders can claim, many policyholders are questioning whether their cyber insurance policies are delivering real value. Such misgivings could hold back growth in the short term.”
“There is also a real possibility that overly onerous terms and conditions could invite regulatory action or litigation against insurers,” Paul Delbridge, insurance partner at PwC, says in a press release. “If insurers continue to simply rely on tight blanket policy restrictions and conservative pricing strategies to cushion the uncertainty, they are at serious risk of missing this rare market opportunity to secure high margins in a soft market,” Delbridge argues.
PwC argues that a new approach is needed, including more rigorous and relevant risk evaluation built around more reliable data, more effective scenario analysis, and partnerships with government, technology companies and specialist firms.
“Rather than simply relying on blanket policy restrictions to control exposures, insurers would make coverage conditional on regular risk assessments of the client’s operations and the actions they take in response to the issues identified in these regular reviews. The depth of the assessment would reflect the risks within the client’s industry sector and the coverage limits,” the paper states.
This more informed approach, which PwC calls cyber resilience, would enable the “business to reduce uncertain exposures while offering the types of coverage and more attractive premium rates clients want,” the paper adds.
PwC cautions that “cyber insurance could soon become a client expectation and insurers that are unwilling to embrace it risk losing out on other business opportunities if cyber products don’t form part of their offering.”
A more protective approach is necessary in light of the potential losses. An earlier PwC global survey shows that, to date, cyber incidents have been more costly for large organizations. Average financial losses in 2013 and 2014 were, respectively, US$0.65 million and US$0.41 million for small organizations (with revenue of less than US$100 million); US$1 million and US$1.3 million for medium-sized organizations (revenues of US$100 million to US$1 billion); and US$3.9 million and US$5.9 million for large organizations (revenue of more than US$1 billion).
“Insurers could face a rapid succession of severe losses, making it harder to absorb the impact or subsequently rebuild the balance sheet in the same way as following a catastrophic event,” the paper states.
PwC points to a number of conditions that contribute to uncertainty and risk:
- all businesses operate within an increasingly interconnected and interdependent ecosystem;
- the lack of actuarial data on the financial impact of cyber risk makes it difficult to evaluate or price with any precision; and
- cyber security breaches can remain undetected for several months, even years, which opens up the possibility of accumulated and compounded losses down the line.
“While the scale of the potential losses is on a par with natural catastrophes, incidents are much more frequent. As a result, there are growing concerns about both the concentrations of cyber risk and the ability of less experienced insurers to withstand what could become a fast sequence of high-loss events,” PwC adds.
While many insurers have eagerly embraced the revenue growth opportunities presented by cyber insurance products, the paper notes, “others believe that this is too big a risk for them to take on.”
However, PwC cautions that should a business choose not to underwrite cyber risks explicitly, “the exposure may already be part of existing policies. As cyber coverage moves into the mainstream, there could also be direct or implicit pressure from longstanding clients or brokers to offer it.”
PwC reports that cyber criminals are constantly probing for weaknesses and adapting their tactics. In addition, the targets are broadening.
PwC suggests that insurers, reinsurers and brokers can capitalize on the cyber risk opportunity while managing the exposures by doing the following:
- judging what an organization could lose and how much it can afford to lose by developing a much clearer picture of the total maximum loss and matching this against risk appetite and risk tolerances;
- sharpening intelligence by bringing in people from technology companies and intelligence agencies to develop a holistic and effective risk evaluation, screening and pricing process;
- adopting risk-based conditions by making coverage conditional on a fuller and more frequent assessment of the policyholders’ vulnerabilities and agreement to follow advised steps;
- sharing more data between insurance companies, which is key to greater pricing accuracy;
- providing real-time policy updates, with PwC suggesting that annual renewals and 18-month product development cycles will need to give way to real-time analysis and rolling policy updates;
- having hybrid risk transfer, which could encourage more reinsurance companies to enter the market;
- offering risk facilitation given the growing need for co-ordinated risk management solutions that bring together a range of stakeholders, including corporations, insurance/reinsurance companies, capital markets and policymakers; and
- building credibility through effective in-house safeguards, which PwC regards as essential in sustaining credibility in the cyber risk market and trust in the enterprise as a whole.
“Some insurers and reinsurers may still be wary of cyber risk. At the other end of the spectrum, some may be opening themselves up to dangerous exposures,” states the paper. That being the case, PwC suggests “a combination of smart analytics, agility of response and risk transfer innovation would enable you to capitalize on the opportunities without jeopardizing the safety of your business.”
Insurers “need to continue to invest appropriately in their own cyber security – a business which can’t protect itself can’t expect policyholders to trust them to protect and advise them,” Delbridge comments in the press release.
“Sustaining credibility in the cyber risk market is crucial when looking to become a leader in this fast growing market. If this trust is compromised, and with innovative competitors knocking on the door, it would be extremely difficult to restore brand reputation,” he adds.