Converting cyber risks into insurance opportunities
Dutch Insurance Outlook 2017
Everyone in the insurance industry is impacted by cyber. On the one hand there is the opportunity of connected technologies combining with analytics and artificial intelligence to make business more efficient and to develop new markets. On the other hand there is the growing risk of losing market share to fintech start-ups as well as the risk of cyber abuse, which ranges from fraud and theft to regulatory fines. Customers also deal with the same two sides of the technology coin, providing an opportunity for insurers to offer cyber insurance—enabling customers to transfer that risk. In this article, we discuss the opportunities, and the steps insurers can take to develop cyber risk transfer capabilities.
Embracing risk and opportunity
Cyber developments can appear somewhat overwhelming for insurance companies. On the one hand there’s an increasing need for digitalisation in order to cope with shrinking volumes, increasing competition, a need to enhance their own cyber risk management and the need to comply with new regulations like the GDPR (European privacy legislation which comes into effect in May 2018). On the other hand, they need to develop the capabilities needed to safely underwrite cyber risk, implicit or explicit in their products. Dealing with these challenges is best met by forging these two sides (of risk and opportunity) into a double-edged sword, through collaborations both outside and inside the company.
These two sides need to address two types of insurance risk that currently prevail in the cyber insurance market. On the one hand there, is the relation with customers and the opportunity of gaining (or risk losing) the product’s reputation, the company brand, and the industry image. On the other hand, shareholders, capital markets, regulators, and supervisors demand that insurers are in control of their cyber risk—cyber risk can quickly accumulate due to large-scale abuse of common cyber vulnerabilities or large claims from cascading effects in third-party risks.
Current developments in the cyber insurance market
As argued in an earlier report by Deloitte, cyber risk transfer will be unavoidable for the insurance industry, yet it comes with a distinct list of significant challenges1. Investing in the insurer’s understanding of cyber risk and developing the capability for its safe transfer is imperative. Digital innovation and the associated cyber risk will however keep changing more rapidly than traditional types of risk. Thus, seizing this opportunity requires a nimble organisation, able to adapt to a marketplace that is changing more drastically than perhaps ever before.
Other insurers face the same challenges. This becomes apparent when looking at cyber insurance market developments. Cyber insurance is profitable, with an average 47 percent direct loss ratio in 20162. But even though profitability is decent, and long-term prospects are still looking good, markets have not developed as rapidly as some have predicted3.The main reason for this is the misalignment between customer awareness and need, versus product quality and price. This in turn leads to limited availability of claims data, and the claims data that is available rapidly gets outdated with changing risk factors. Subsequent concerns about accumulation and reputation risk then translate into market frictions, slowing down market growth.
As cyber insurance products can be profitable, it is no surprise that some Dutch insurers are developing, or are considering the development of, cyber insurance products following the success of foreign insurers. And the timing is right in the wake of incidents like Mirai, the DNC-hack, WannaCry, and Not-Petya that impacted many companies. With so many national bodies, ranging from MKB Nederland and its member organisations to the Dutch Ministry of Economic affairs and parliament, giving cyber risk a lot of attention, and the GDPR requirements on cyber security, cyber awareness is quickly increasing.
Developing cyber insurance products
Cyber insurance products haven’t fully matured yet and in most value chains there’s a mismatch between customer awareness, customer need, how the product is offered, and what the product actually provides. The SANS Institute and Advisen reported that only 19 percent of brokers and 30 percent of underwriters said there is a common language of cyber risk4. An often cited reason for potential customers not to buy cyber insurance is that they perceive it as too expensive with too many exclusions, restrictions, and uninsurable risk.
In order to get out of this reputational conundrum, it is key to first develop cyber insurance products on a small scale in close collaboration with customers, intermediaries, and cyber security experts. Duty of care protocols and risk selection mechanisms need to be developed jointly. Principles around offering standalone versus integrated cyber security coverage to various market segments need to be worked out, leading to optimal clarity for customers in alignment with their actual needs. Initially, existing market channels will need to be carefully developed, and eventually the full range, from corporates to high-net-worth individuals, could be developed.
Of course, a cyber insurance product and its options cannot be developed independently from its pricing. In part, the price will be dictated by the market, especially while regulators still have to get up to speed, but data and models are, of course, still required. Although it is not easy to get the exact the data the actuaries would like to see, there a treasure trove of data and models to get them started. Apart from unpaid sources, including academic publications, quite a number of companies offer data and models to get started.
A recent report by Lloyd’s states that accumulation risk may exceed that of hurricanes5, yet it is still extremely hard to estimate the likelihood of such an event. For the time being, this can be dealt with by accepting high capital charges through Solvency II, taking on re-insurance, setting up a cyber risk pool, and writing terrorism-type exclusions. It makes sense for the insurance industry to align on risk sharing as well as on standards for products, cybersecurity concepts, and training of intermediaries, thereby jointly diminishing the limiting factors.
Managing the market spirals
Until cyber insurance becomes a commodity, there are two spirals that need to be balanced by the market, and both spirals are apparent in the market today. One spiral is where lack of need and reputation strongly limit demand, thus limiting data availability and therefore the improvement of products. The other spiral is where insurers strive for market share limit selection criteria, offer coverage that is too broad at prices that are too low, so that in the event of a mass claims, solvency and reputations may be lost, feeding the first spiral.
Healthy market development requires balancing these spirals through cyber risk understanding and collaboration. First of all, collaboration is needed within the insurance community (including insurers, brokers, intermediaries, and regulators) to share language, knowledge, quality standards, heavy-tail cyber risks, and even (aggregated) data. This will help limit reputation risk and accumulation risk. Collaboration outside the traditional community is just as important. Working with cybersecurity, analytics, and standards firms6 will enable the development of products that fit with customers’ needs in protecting them from cyber harm, as well as development of cyber insurance models that are less data-intensive.
Collaboration inside an insurance firm is also important. Experience can be shared and leveraged between product and market development, digitisation, and the firm’s own cybersecurity functions. More importantly, such internal cross-pollination will broaden the innovation community and form the basis for the nimble organisation, improving the chances of identifying, and swiftly implementing, the solutions that will help the organisation navigate into the future.
What steps should insurers consider taking
Development of cyber risk transfer capabilities takes time. It requires integrating the various perspectives of markets, business, technology, innovation, and cyber security and this requires organisational and cultural change. Moreover, it will take time for the organisational culture to become more connected and nimble in dealing with the increasing rate of cyber risk changes. This may put some insurers off, but there is no avoiding cyber risk. In fact, it is the perfect opportunity to prepare the company for the digital future and it contributes to achieving sustainable growth. The best time to start is now.
Suggested steps include:
• Think of digitisation as an opportunity to improve and learn for the company as a whole, fostering collaboration on innovation and becoming more nimble in dealing with change.
• Enhance own cyber risk management capabilities to stay ahead of evolving threats, comply with new regulations and use its knowledge and insight for product development.
• Deepen client engagement through joint development of cyber risk transfer products that fit the increasingly digital world and that differentiate themselves through ancillary services.
• Collaborate with other insurers on market quality and risk sharing, for the benefit of all customers, through sustainable cyber risk products.
• Collaborate with cyber security firms, standards organisations, and regulators to help identify and set market standards.
• Develop cyber insurance products on a small scale, in close collaboration with customers, intermediaries, and cyber security experts.
Cyber Value at Risk in The Netherlands 2017
In September 2017 we launched our latest Cyber Value at Risk report. This year we have expanded the report’s scope to consider the specific implications of this approach for Small and Medium Enterprises (SMEs) and thus the wider impact on society as a whole. In addition, we continue to provide a comprehensive quantitative overview of the economic consequences of cyber risk for Dutch organizations, and information to help them make better decisions. Download the report on the right, or go to www.deloitte.nl/cybervalue for more information.