Clearing cyber risk speed bumps
Why insurers may need a new approach
In theory, cyber insurance should be a product that sells itself, given the increasing frequency and severity of high-profile hacker attacks against major organizations as well as the growing number of individuals coping with online identity theft. Indeed, with the stage seemingly set for dramatically higher demand, and in a property and casualty market starved for organic growth, you might expect sales of cyber policies to be soaring exponentially.
March 22, 2017
A blog post by Sam Friedman, Insurance Research leader, Deloitte Services LP
Growth projections are bullish, with some predicting US sales to double or even triple over the next few years.1 Yet such optimistic prognostications could turn out to be irrational exuberance, considering the speedbumps keeping most insurers from stepping on the accelerator and prompting many buyers to hit the brakes.
While more players are entering the field and premiums written are on the rise, cyber insurance remains a relatively small niche market, its growth hindered by a variety of obstacles confronting both sellers and buyers. Despite all the publicity over the past few years about the threat cyber intrusions pose, the line only generates between $1.5 billion and $3 billion in annual US premiums, according to varying estimates by regulators and rating agencies—representing only a tiny fraction of the $505.8 billion US carriers wrote in total for all lines in 2015.2
There certainly appears to be plenty of room for growth, considering that just 29 percent of US businesses had bought cyber insurance as of October 2016.3 And while bigger companies are more likely to purchase the coverage, the majority of large organizations are still going bare. A September 2015 study found only 40 percent of Fortune 500 companies had cyber coverage, while those that did often indicated they were underinsured, having purchased limits that didn’t cover the full extent of their exposure.4
To identify the choke points that are preventing faster, more profitable expansion, as well as offer recommendations on how these hurdles might be overcome, we spoke with insurers and brokers for our recently released Deloitte University Press report, Demystifying cyber insurance coverage: Clearing obstacles in a problematic but promising growth market, which I co-authored with Advisory principal Adam R. Thomas of Deloitte’s Cyber Risk Services practice.
What seems to be the problem?
The dearth of data to help underwrite and price cyber risks was cited by those we interviewed as the biggest challenge facing insurers. Hard data is in short supply for a variety of reasons. One is that insurers have not been selling cyber insurance long enough or on a big enough scale to generate their own critical mass of data. There is also no comprehensive, centralized source of information about cyber events for insurers to tap into, as there are on natural catastrophes and workers’ compensation loss experience. In addition, a large percentage of cyber breaches aren’t even acknowledged to outsiders, as the Insurance Information Institute notes that “many, if not most, attacks go unreported and undetected.”
We believe this lack of historical information to fuel predictive models may be producing a “vicious circle” of data-related issues hindering the growth of stand-alone cyber coverage in the high-end commercial market (see accompanying graphic).
The vicious circle of cyber insurance
Exacerbating these data challenges is the fact that cyber risk is continually evolving as threat actors keep coming up with new ways to compromise targets, which limits the value of historical experience and undermines the exposure’s predictability. At the same time, the increasing sensor-driven online monitoring and management of equipment, buildings, vehicles, and even people via the expanding Internet of Things is creating new entry points for would-be hackers to exploit and for insurers to cover.
Meanwhile, cyber insurers are often concerned about biting off more risk than they can chew, let alone swallow, if they are overwhelmed by a sudden aggregation of losses. They fear a systemic event that cascades across the country or around the world following an attack against a website host, cloud provider, or email server.
What’s making buyers hesitate?
There are factors on the buyer’s side slowing the market’s growth as well. Perhaps the biggest issue is that consumers often don’t appreciate the cyber risks they face, nor are they typically aware of the insurance options at their disposal, according to carriers and brokers we interviewed. In this case, ignorance is definitely not bliss, as a survey by PartnerRe and Advisen found that 42 percent of brokers cited clients “not understanding exposures” as by far the biggest obstacle keeping them from selling more cyber insurance.5
Another big problem is that while stand-alone cyber coverage is being marketed, it doesn’t necessarily cover all potential exposures. Cyber risks are dispersed over a wide range of policies—including general liability, property, professional liability, and business interruption, among other standard lines. This complicates efforts by brokers and their clients to assess coverage needs, match policies with exposures, and compare alternative purchase options.
Another major complaint is that cyber policies are still a work in progress, lacking standardization. A study by the SANS Institute and Advisen, Ltd. found that only 19 percent of brokers and 30 percent of underwriters said there is a common language of cyber risk.6 This makes it difficult to compare products pitched by competing insurers, and leaves buyers worried about gaps in coverage arising as a result—particularly if a dispute over the meaning of policy terms ends up in court, where little case law exists on cyber coverage disputes.
Cyber risks are dispersed over a wide range of policies—including general liability, property, professional liability, and business interruption, among other standard lines. This complicates efforts by brokers and their clients to assess coverage needs, match policies with exposures, and compare alternative purchase options.
– Sam Friedman
What growth strategies should insurers consider?
So, what can the industry do to facilitate faster (and more profitable) expansion of the cyber insurance market under these conditions? Our report included a number of recommendations, suggesting that insurers:
- Focus on an applicant’s cyber risk management capabilities to counteract the lack of aggregated historical loss data in underwriting and pricing coverage.
- Become a policyholder’s source of cyber risk management expertise as well as their risk-transfer vehicle, facilitating holistic loss control and recovery programs.
- Narrow the scope of their underwriting to select industries, types of attacks, and/or specific technologies to develop greater expertise and more targeted data bases.
- Work proactively to raise risk awareness and the cybersecurity IQ of intermediaries and buyers alike.
- Limit the potential for a catastrophic aggregation of loss by taking slices of multi-insurer programs where possible and controlling exposure by purchasing more high-level reinsurance.
- Collaborate via neutral third parties, such as trade associations, to standardize cyber risk terminology.
Insurers need to move quickly to resolve these issues, if only because buyers are likely to seek alternative risk-transfer options if the industry cannot crack the code sooner rather than later. It may not be long before we see the creation of cyber risk retention groups, policyholder-owned cyber captives, or even cyber bonds securitizing digital exposures.
These are all very real possibilities if cyber insurance coverage continues to be perceived by many buyers as insufficient, uncertain, overly complicated, and/or too costly for the value offered.
Interested in learning more about the challenges and opportunities relating to cyber insurance? Read our full report in Deloitte University Press.
Demystifying cyber insurance coverage
Visit Deloitte University Press to download the full report
1 Robert P. Hartwig, "Cyber Risk: Threat and Opportunity," Insurance Information Institute October 2015
2 Robert P. Hartwig, “2015 Year End Results,” Insurance Information Institute, May 16, 2016
3 CIAB Cyber Insurance Market Watch, CIAB Survey of October 2016, The Council of Insurance Agents and Broker
4 CIAB Cyber Insurance Market Watch, CIAB Survey of September, 2015, The Council of Insurance Agents and Brokers
5 “Cyber Liability Insurance Market Trends: Survey,” PartnerRe in collaboration with Advisen survey, August 2015
6 SANS Institute and Advisen Ltd., “Bridging the Insurance/InfoSecGap: The SANS 2016 Cyber Insurance Study,” Barbara Filkins, June, 2016
QuickLook is a weekly blog from the Deloitte Center for Financial Services about technology, innovation, growth, regulation, and other challenges facing the industry. The opinions expressed in QuickLook are those of the authors and do not necessarily reflect the views of Deloitte.
Do not delete! This box/component contains css that is needed on this page. This message will not be visible when page is activated.