Articles - Fast-growing cyber insurance market creates opportunities

The cyber insurance market is exploding. Inga Beale, the CEO of Lloyds of London, estimates that in the last 4 years the market has boomed from less than $1 billion globally to approximately $2.5 billion today. Almost all coverage is currently sold to US firms but similar demand is increasingly likely to come from around the globe. Allianz estimates that the cyber insurance market in Europe alone could be worth nearly $1 billion by 2018. This is a new market full of opportunity for the brave but with pitfalls for the unwary.

 By Phil Huggins is Vice President of Security Science at Stroz Friedberg
 The heightened corporate interest has been driven, in part, by a similar explosion in cyber breaches. Attacks have increased in frequency, impact, costs and, significantly, captured the imagination of the general public and the media. A Wall Street Journal poll in 2014 identified that, as a result of US data breach notification laws, some 45% of Americans reported they or a household member had been notified their card data was breached. While US notifications have driven the perception of cyber risk, focusing on credit card and healthcare data breaches, there is also growing concern, especially in the utilities and energy sectors, about managing the much more costly risk of cyber business disruption.
 Governments are promoting the cyber insurance market, especially in the US and the UK, as they see the market as a lever to drive much needed cyber security improvements in the private sector. Their expectation is that this will align risk assessments with good practice, while incentivising good risk management, thereby reducing the need for direct government involvement and regulation. The recent launch by the UK Government of the ‘UK cyber security: the role of insurance in managing and mitigating the risk’ report is just the latest manifestation of this strategy.
 There are, however, some worrying pitfalls that need to be considered, as the market develops. Importantly, to avoid such issues, there is a need for joint innovation by insurers and cyber security specialists.
 Most insureds are interdependent on each other for their security but, currently, they are not incentivised to invest if the lack of investment by another firm causes them harm. This leads to a ‘race to the bottom’ as firms invest less in protection compared to their peers.
 Insureds' dependency on outsourced services creates a correlation in cyber risk, as the outsourcers become the common factor across industry sectors and geographies. Similarly, the technology used by insureds is highly homogenous; technology monocultures also exist across industry sectors and geographies, which means a single technology flaw could catastrophically affect swathes of businesses. These make portfolio segmentation problematic.
 It is difficult for insurers to identify the cyber risks borne by the insured. Despite the cyber security industry being awash with data on the growing numbers and types of security breaches and replete with competing security frameworks and standards all purporting to be best practices, there is no reliable quantification of the effectiveness of the differing cyber security measures.
 Without a causal link from implemented cyber security measures to improved risk outcomes, it is difficult to differentiate insureds.
 From a premium perspective, they each get a general market cost, rather than an individual tailored cost. This incentivises no one to improve which, to insurers, is akin to a 'lemon market' for selling cyber risk.
 There is also a moral hazard of sorts in that the purchasers of cyber risk insurance are not closely involved in the day to day cyber risk management which is often performed by IT staff who are incentivised to deliver business benefits over business protection, out of the sight of risk professionals.
 These systemic issues are starting to become clear, as the cyber insurance market develops and the increasing involvement of governments. This challenge was recently highlighted by Stephen Catlin of Catlin Group, who has suggested that government-backed pools, such as those in place for terrorist attacks, may be required to counter the systemic and catastrophic potential of cyber risk. However, there seems to be limited appetite in UK government circles for such an initiative.
 While the systemic issues may require government intervention, there are opportunities for insurers to provide innovative products that reduce frequency and impact, while incentivising behaviours that reduce the potential for harm.
 These opportunities for innovation include:
  1.   Insurers measuring cyber resilience, rather than cyber security of insureds. This would address situational awareness; diversity of capacity; level of integration of functions and actions; internal feedback loops; and the ability to adapt, including the speed of adaptation to changing threats and circumstance. By improving these areas insureds are more likely to weather catastrophic events bruised but not broken, reducing claims.
  3.   Insurers monitoring the external indicators of cyber hygiene and regularly feeding these back to their customers, potentially tying this to a variable level of cover. This would incentivise risk professionals and help IT specialists to focus on measures that could reduce the frequency of claims.
  5.   Insurers acting as aggregators of cyber risk data across their portfolios and using new analytics techniques to develop insights to be shared with the portfolio to reduce uncertainty in insured cyber risk decision making.
  7.   Insurers providing trusted forums for information sharing among their portfolio, to spread the knowledge of adversary activities. Crucially, such measures would enable firms to respond faster, reducing the size of claims.
  9.   Insurers developing capability sharing groups across their portfolios, similar to the NATO model, where an attack on one is treated as an attack on all. This addresses the capability and skills shortage impacting all insureds.
 Cyber insurers need to keep abreast of innovation across the cyber security profession, so that the uncertainty and impact of cyber risk across their portfolios can be managed. In parallel, it will become increasingly important to engage with governments, to ensure cover for catastrophic systemic risks remain feasible. The opportunities in this fast-growing market will be realised by the innovative and the 'calculated' risk takers.

Back to Index

Similar News to this Story

Empowering Chief Risk Officers: expertise and behaviours
In an era defined by rapid change and unforeseen challenges, the role of Chief Risk Officer (CRO) has never been more critical for any business. The
Reaping the rewards of investing in women
Comprehensive school, blue collar parents, redbrick university. Three characteristics that are not always propelling people to the top of our industry
Whats next for motor
Sarah Myerscough and Ageas’ Adam Beckett talk about the rapidly changing motor insurance market. With the looming ban on the sale of petrol and diesel

Site Search

Exact   Any  

Latest Actuarial Jobs

Actuarial Login

 Jobseeker    Client
Reminder Logon

APA Sponsors

Actuarial Jobs & News Feeds

Jobs RSS News RSS


Be the first to contribute to our definitive actuarial reference forum. Built by actuaries for actuaries.