The world’s 10 largest economies account for half of the US$445 billion that cyber crime costs the global economy every year, and costs – absent preventive measures – are unlikely to wane in light of a new crop of challenging cyber risks, suggests a new report from Allianz Global Corporate & Specialty (AGCS).
“With fewer than 10% of companies currently purchasing cyber-specific policies, AGCS forecasts that cyber insurance premiums will grow globally from US$2 billion per annum today (with business in the United States accounting for approximately 90%) to over US$20 billion over the next decade, a compound annual growth rate of over 20%,” notes a statement from AGCS, Allianz Group’s dedicated carrier for corporate and specialty insurance business.
AGCS expects that increasing awareness of cyber exposures and regulatory change will propel the future rapid growth of cyber insurance.
“More notifications of, and significant fines for, data breaches can be expected in future,” the report states. “Legislation has already become much tougher in the U.S., Hong Kong, Singapore and Australia, while the European Union is looking to agree pan-European data protection rules. Tougher guidelines on a country-by-country basis can be expected,” it notes.
“Consumers are increasingly likely to see compensation for the loss or misuse of their personal data, a view that appears to be shared by regulators and courts,” states the report.
“Growth (of cyber insurance) in the U.S. is already under way as data protection regulations help focus minds, while legislative developments and increasing levels of liability will see growth accelerate in the rest of the world,” Paul Schiavone, AGCS’s regional head of financial lines in North America, says in the company statement.
Calling cyber risk a major and fast-increasing threat to businesses, AGCS reports that it costs the global economy about US$445 billion annually, based on figures from Net Losses: Estimating the Global Cost of Cyber-Crime, a report from McAfee and the Center for Strategic and International Studies.
AGCS’s own figures indicate that with regard to the estimated costs of cyber crime, these range from US$108 billon to US$4 billion for the Top 10 countries. The U.S. tops the list at US$108 billion, followed by China, Japan, Germany, France, the United Kingdom, Brazil, Russia, Italy and India. [click image below to enlarge]
The current and past editions of the Allianz Risk Barometer demonstrate the rise of cyber risk among the top risks for business. In 2013, cyber risk ranked 15th on the list, 8th in 2014 and 5th in 2015. The latest barometer shows the top risks for which businesses are least prepared are cyber risk, cited by 29% of respondents; BI and supply chain, noted by 18%; natural catastrophes, reported by 16%; political/social upheaval, cited by 7%; and terrorism, noted by 6%.
With regard to which cyber risks are the main cause of economic loss, the 2015 barometer notes loss of reputation, at 61%, BI, at 49%, and damages to be paid due to loss of customer data, at 45%.
Increasing interconnectivity and the growing reliance on technology and real-time data at personal and corporate levels creates vulnerabilities, AGCS emphasizes. “Some estimates suggest that a trillion devices could be connected by 2020, while it is also forecast that as many as 50 billion machines could be exchanging data daily,” the company reports.
“With increasing interconnectivity, globalization and the commercialization of cyber crime, there has been an explosion in both frequency and severity of cyber attacks,” suggests AGCS CEO Chris Fischer Hirs. “Cyber insurance is no replacement for robust IT security, but it creates a second line of defence to mitigate cyber incidents,” Fischer Hirs continues, adding that AGCS is seeing increasing demand for these services.
The report offers the caution that interconnectivity of devices and businesses drives new risk exposures. For example, cyber risks are evolving far beyond privacy or reputational issues and business interruption (BI) is a key vulnerability, with catastrophic scenarios being a possibility.
“The prospect of a catastrophic cyber loss is becoming more likely. An attack or incident resulting in a huge data loss or BI – and the subsequent reputational damage – could put a large corporation out of business in future,” the report points out. [click image below to enlarge]
“BI costs could be equal to – or even exceed – direct losses from a data breach,” it states. “Businesses are driven by real-time data. Any interruption of the process chain – even for a minute – could cause a severe business interruption, impacting the balance sheet,” the report adds.
The new generation of cyber risk is more complex than the threat of corporate data breaches and privacy concerns, although these are still an issue. “Future threats will come from intellectual property theft, cyber extortion and the impact of BI following a cyber attack or from operational or technical failure, a risk which is often underestimated,” AGCS notes in the statement.
Schiavone’s prediction is that “within the next five to 10 years, BI will be seen as a key risk and a major element of the cyber insurance landscape.”
AGCS reports that BI cover can be very broad, including business IT computer systems, but also extending to industrial control systems (ICS) used by energy companies or robots used in manufacturing.
The company cautions that a number of ICS “still in use today were designed before cyber security became a priority issue. An attac
k against an ICS could result in physical damage such as fire or explosion, as well as BI.”
Adds the report, “Physical damage resulting form a cyber event is typically excluded under stand-alone cyber insurance. However, physical damage resulting from a cyber attack is not explicitly covered under property insurances, and in many cases, will also be excluded.”
AGCS emphasizes that the scope of cyber insurance must evolve to provide broader and deeper coverage, addressing BI and closing gaps between traditional coverage and cyber policies. “While cyber exclusions in property and casualty policies are likely to become commonplace, stand-alone cyber insurance will continue to evolve as the main source of comprehensive cover, as interest grows among the telecommunications, retail, energy, utilities and transport sectors, as well as from financial institutions,” the statement adds.
“There is lots of capacity in the market, but there is still not enough data to fully understand the risk,” the report suggests. “So pricing volatility will continue and market segmentation will increase.”
The report includes a number of observations and recommendations, including the following:
• monitoring tools, improved processes and greater employee awareness can help companies to be more prepared;
• businesses need to identify key assets at risk and weaknesses, such as the “human factor” or over-reliance on third parties;
• businesses need to create a cyber security culture and adopt a “think-tank” approach to tackling risk;
• companies need to make decisions around which risks to avoid, accept, control and transfer;
• businesses need to implement a crisis response or breach response plan – and test it;
• education, both in terms of businesses’ understanding of exposures and underwriting knowledge, must improve if insurers are to meet growing demand for cyber insurance; and
• the cyber insurance market needs volume and diversification, as well as more segmentation in future, with insurers specializing in certain sectors.