The next frontier for the insurance industry: cyber risk insurance
By Stefan Lia
Cyber risk is a growing concern for institutions, individuals and the financial markets as an increasing number of high profile incidents have left their mark on the companies impacted. The introduction of regulations such as GDPR have given greater impetus to such concerns. It therefore comes as no surprise that organisations are turning towards insurers to transfer this risk. But are insurers ready to take on this role?
EIOPA recently published a report titled "Understanding Cyber Insurance - A Structured Dialogue with Insurance Companies" tackling this very subject. The report is based on responses of eight insurance and five reinsurance companies based in Europe, to a set of 14 qualitative questions. The sample was selected based on expertise and current exposures in cyber insurance.
The potential of cyber insurance is clear. In fact, the survey showed that there is general consensus that cyber insurance provides an opportunity for insurance companies. All those surveyed reported a substantial increase in the demand for cyber insurance. The reasons provided include new regulation and increased awareness following a number of incidents that made media headlines. Events such as NotPetya, which cost shipping giant Maersk over €200 million, and the Wannacry attacks are key reasons pointed towards having contributed to this increase in demand.
Unsurprisingly, one of the key findings highlighted the fact that there is a clear need for a deeper understanding of cyber risk in order for the European cyber insurance industry to develop further. The European market lags behind the US market where, according to recent studies, 90% of the stand-alone cyber insurance market is located.
Lack of specialised underwriters, historic data and quantitative tools were some of the key obstacles identified in the report that are hindering the development of the offering in Europe. This lack of understanding does not only relate to the underwriting side of the industry but also towards clarifying clients’ own needs.
Cyber insurance can be offered as a standalone product and as an addon coverage to traditional lines of business. To-date, focus has been to offer the service to commercial enterprises. However, the survey has shown that there is also an interest in providing cyber insurance to individuals. This comes on the back of increasing use of technology such as the Internet of Things, which has the potential to expose consumers to various risks. The distribution and packing of such products to retail consumers is something that needs be explored further. This will safeguard insurers from mis-selling issue, given the complexity of the product that might crop up down the life-time of the policy.
From a commercial insurance offering point of view, one of the key concerns highlighted by EIOPA report is the accuracy in quantifying the impact from the insurable events that are covered. For example, it might be difficult to quantify the impact a data breach might have on future revenue, thus increasing the risk of over or under reserving. Another challenge is to identify whether the loss is permanent or temporary as well as determining the precise impact on the brand and reputation of the impacted entity.
The lack of available historic data is another key challenge for the cyber insurance market. In this regard, qualitative models are more frequently used than quantitative models to estimate pricing, risk exposures and risk accumulations. Of course, the lack of data is a relevant obstacle in the context of most quantitative models. On the other hand, IT audits and risk assessment might provide a good enough picture of the governance and IT infrastructure which would be factored in when underwriting such risks.
Product offerings also vary a lot. Certain products are offered to large corporations and are generally individually underwritten. They might offer higher limits and provide more coverage than standard products in the market. This is based on the understanding that large companies typically invest more in their IT security and have an in-house team. On the other hand, smaller organisations often outsource IT facilities and security to a significant degree. This might somewhat mitigate the risks to which an insurer is exposed albeit this lack of understanding was highlighted as a key issue for European insurers.
In terms of regulation for this product, while the majority of respondents did not see any current regulatory obstacles to the growth of the cyber insurance market, all companies see the need of regulation to some extent in the future. Regulation could potentially contribute to appropriate pricing and monitoring of the risks, including aggregation risks. It could also help around regulating sharing of data, such as breach information, whilst creating the legal framework for these exchanges to happen.
Regulation can also contribute towards the introduction of minimum information security and IT standards. From an insurance side, it can look at mitigating conduct and prudential risks of new entrants and introduce adequate capital requirements against underwriting risks. Regulation can help at minimising or avoiding contagion in case of bigger scale events and ensuring both a greater clarity about coverages and adequate estimation of value for money measures in order to ensure a better risk assessment in case of periods of higher losses.
Although no Maltese insurance company participated in the survey, most of the findings are applicable to the local market. Ultimately, the cyber insurance offering is currently in its infancy, but it’s perceived to have a great potential for further development.
As the industry faces several challenges to meet the expected increasing demand and satisfy clients’ needs, further work will also be required from the supervisory side. In fact, EIOPA has included a questionnaire related to cyber risk in the 2018 Insurance Stress Test exercise. As the Stress Test will encompass close to 78% of the total EU-wide market, the conclusions are expected to reflect the overall European cyber insurance market.
Resulting feedback from the Stress Test will need to be analysed in some detail. The outcome could help inform Boards on the strategic direction their companies should take on a product with such a growth potential, yet with risks that may yet need to be fully understood.