No doubt a few eyebrows were raised in the boardrooms of insurance companies and brokers globally following a briefing note released on Nov. 30 by security ratings agency AM Best. Quantifying cyber risk remains a major challenge to the industry, but AM Best’s research estimated that the probable maximum loss from a single cyber-related event was $31 billion, well in excess of $4.6 billion for a nuclear loss. Although still well within the $101 billion global reinsurance capacity for single event risks, if accurate, how prepared is the industry for such an event and does it present an existential threat?
Unsurprisingly, demand for cyber insurance in the US is booming following the increasing frequency and severity of attacks over the last couple of years. Total premium spend today is estimated to be close to $3 billion and by 2020 could reach $7.5 billion, according to PricewaterhouseCoopers. However, insurers have sustained three to four $100 million losses from recent, well-publicized attacks on the retail and healthcare industries.
Although these losses are still much lower than the amount of premium that major insurers are pulling in, they have moved the needle in three ways. First, capacity, the amount of insurance available for a single buyer, has contracted and still remains constrained generally at approximately $300 million. Second, rates are rising. Third, and significantly, insurers have started to change the underwriting process. How?
This is happening because technology and insurance are beginning to converge. As with any emerging class of risk, very little if any actuarial data exists. In addition, the market evolved by underwriting to an enterprise’s controls and ability to mitigate. However, a static underwriting process that involves completion of a questionnaire, and perhaps an interview with the CISO, is increasingly insufficient in a domain where threats are constantly changing. Rather than staying divorced from the buyer during the 12-month policy period, insurers have begun to invest in tools that will help provide real-time risk analysis.
Expect also to see in 2016 greater capability to understand vicarious risk to an enterprise’s vendors or the exposure associated with M&A activity. This investment in technology will begin to feed through to the buyer as insurers will more accurately price risk and reward resilient companies with competitive premium, broader coverage, or lower self-insured retentions.
So, adapting the underwriting model means it’s a positive outlook for the growth and sustainability of the cyber insurance market. However, as highlighted by AM Best, the interconnectivity of the digital world means that the wider industry must quickly begin to understand aggregation of risk. What is the impact to every class of insurance, from Directors and Officers Liability (D&O) through to Property and General Liability? As seen in recent moves in the Lloyd’s marketplace, and as with banks during the financial crisis, insurers may be forced to carry more capital, thereby driving up the cost of underwriting. Expect to see less ambiguity and more clarity as to whether cyber risk is covered or not in every class of insurance as regulatory scrutiny increases.
This post marks the final installment of the three-part series stemming from Beeson’s authored chapter in the new book, Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers. Published by Palo Alto Networks and the New York Stock Exchange, Beeson’s chapter, “Investment in Cyber Insurance,” offers insights on the value of cyber insurance, how it works, and how the government sees it as an incentive to drive stronger enterprise security. View the other two posts here: