January 31, 2019 by Greg Meckbach
Clients shopping for cyber insurance today can choose from among far more carriers than they could a few years ago, because it’s such a profitable line of business.
However, one reason cyber is more profitable than other lines of coverage is that the insurance industry has yet to experience a cataclysmic cyber event — one that triggers major claims payouts from a large number of customers, a report recently released by Lloyd’s suggests.
“In the period 2013 to 2018, the affirmative cyber insurance direct loss ratio across the industry has averaged around 50% – i.e. half of the premium was spent out in paying claims,” researchers wrote in Bashe attack: Global infection by contagious malware, published Jan. 29 by Lloyd’s.
An “affirmative” policy is one that explicitly covers cyber risk, as opposed to non-affirmative, which does not explicitly say it covers cyber but does not exclude cyber either.
The new global infection report was produced by the Cyber Risk Management (CyRiM) project, which is led by Nanyang Technological University in Singapore.
Cyber insurance has much higher profit margins than other lines of insurance, CyRiM reported.
“Cyber insurance has attracted many new entrants as a result.”
Contributors to the report – in addition to Lloyd’s and CyRiM – include the Aon Centre for Innovation and Analytics, Mitsui Sumitomo Insurance Group, French reinsurer SCOR, Transatlantic Reinsurance Company and the Centre for Risk Studies at the University of Cambridge.
Worldwide, fewer than 50 carriers offered cyber insurance in 2015, according to the report. This has since tripled to more than 150.
About half the cyber policies sold worldwide have less than US$1 million in coverage, CyRiM reported, adding that fewer than 10% of policies have limits of more than US$10 million.
“For a company to obtain cyber insurance coverage of $100 to $500 million requires the construction of complex towers of coverage involving many different insurance companies each taking small slices.”
While carriers are offering higher limits, those limits may still be less than the coverage your client needs, CyRiM suggested.
“Companies face cyber losses that could potentially amount to many hundreds of millions of dollars.”
The report models the loss from a hypothetical ransomware attack affecting multiple corporate victims.
In the hypothetical scenario, global economic losses are estimated at US$85 billion to US$193 billion. The computer disaster originates from ransomware that gets introduced when employees of different companies open a malicious email, resulting in the encryption of all devices connected to the computer networks at all affected companies.
Those companies must then either pay a ransom or replace devices. The estimated costs include cyber incident response, damage control and mitigation, business interruption, lost revenue and reduced productivity.
When it comes to actual cyber losses worldwide, about half are caused by “data exfiltration,” or breaches of privacy that cause confidential data to fall into the wrong hands, CyRiM reported.
The report cited four other major sources of cyber loss:
“Some commentators see cyber insurance moving from a niche specialised line of insurance to being a standard peril covered in all lines of insurance, as commercial purchasers of insurance need to protect their digital assets in the same way that they once needed to protect their physical assets of production,” CyRiM reported.