Cyber risk may be the fastest-growing segment of the insurance market. It may also present the most dynamic risk out there, raising some significant challenges for many risk managers, insurers, and IT personnel attempting to build better defenses against cyber threats. Yet, in part because of its rapid growth, cyber has also become a space open to innovative products and cutting-edge expertise. Still in its infancy, underwriting for cyber risks has changed dramatically in scope and context from some of the earliest policy products of just a decade ago.
The shifting landscape for cyber insurance—along with a rational fear of the unknown—may be suppressing many potential insurance solutions. Through coordinated educational and operational efforts on the part of insurers and policyholders, both parties likely face an opportunity to better address this 21st-century risk, possibly transforming a black swan into a golden goose.
Many of the early solutions focused more on regulated loss mitigation post–data breach as opposed to proactive risk management, dealing mainly with legal costs and record recovery, with niche policy wording often available for financial and e-commerce entities. The excess and surplus (E&S) markets were typically best suited to underwrite this emerging risk area, and today, approximately 80 percent of written premium comes from the E&S market.1
Deluge of data
Advances in technology have drastically changed the way both large and small companies now operate, bringing new exposures and vulnerabilities for the cyber insurance market to address. Data, in the form of financials, intellectual property, and even personally identifiable information (PII) and personal health information (PHI), has become portable in multiple formats. Millions of records can be stored on a single USB flash drive or transferred from a laptop over a Wi-Fi connection to cloud-hosted storage in just a few moments. Increases in processing allow businesses to collect, store, and analyze more data points than ever before. But with constant innovation and advancements in web-facilitated business tools often come increased vulnerabilities for internal negligence and external hacking.
Unfortunately, while even small businesses have moved to electronic file management, payment processing, and operations, the insurance space on the whole has not adapted nearly as fast to meet the needs of these small and medium-sized enterprises (SME). Much of cyber risk underwriting and solutions is still a case of the haves versus the have-nots. A majority of coverage continues to be limited to the largest commercial businesses with deeper pockets. They’re also the companies that can more likely recover from a major cyber breach or security event. Can the same be said for SMEs?
Recent high-profile hacking of global brands—including Target, T.J. Maxx, Sony, LinkedIn, and Yahoo—has pushed cybersecurity to the forefront of operational risks. Arguably, the largest driver has been the impact to the general public victimized by such breach events. Some consumers may have received credit-monitoring notifications concerning the breaches, mandated by many jurisdictions in the event of a breach. Cyber risk concepts and potential cost implications are affecting industries and companies of all sizes.
The Poneman Institute estimates that the costs of an average breach consist of 59 percent direct costs (notification, fines, credit monitoring) and 41 percent indirect (brand damage and lost customers).2
Recent headlines have shown that not just large corporations are at risk.3 More SMEs are being attacked by hackers through spear phishing, ransomware, and denial-of-service attacks. Forward-thinking businesses are finding they cannot take an “it won’t happen to me” approach any longer.
Can it be scaled?
A major hurdle currently standing between the mainstream commercial market and many insurers is product scalability. Because most of the purchasers are complex corporations, gathering information and forms can be an exhaustive process often involving human resources, procurement, IT, and corporate risk management departments. For many SMEs, hunting down data can be much more difficult, and chances are high that the language and terminology may be foreign to them. In most cases, many of those in the insurance industry employ a strategy that involves educating consumers to explain to them what information is important, why it’s important, and how to locate this data—no small task. It’s essentially a change in culture within the SME space regarding how companies approach their operations relating to data storage, computational hardware and software, knowledge of third-party vendors, and a clearer understanding of their customers.
Price volatility is another challenge to the cyber insurance market. Marsh noted that premiums increased 32 percent in the first half of 2015, likely due to high-profile cyber breach events covered in the media.4 Premium fluctuations of this magnitude can be a very difficult pill to swallow, particularly for many SMEs that operate under tighter margins. Introducing more products and insurers into the market could lead to price maturation sooner than later. But as noted above, the dynamics of cyber risk appear to change almost weekly. If 2014 was the year of internal negligence breaches and 2015 was the year of the retail breach, 2016 is proving to be the year of ransomware. So what lies ahead in the years to come?
Is cyber risk, which changes regularly in size and scope, too dynamic for traditional insurance products and the marketplace to tackle? Or is now the perfect time—with an estimated $676 billion in policyholder surplus5 and relatively low interest rates—for those in the industry to get up to speed, rethink product approaches, and usher in solutions suitable to mitigate this 21st-century risk?
This is the first of a two-part series exploring cyber risk for small and medium and business enterprises (SMEs) and the related challenges for the cyber insurance market. The discussion continues next month. Our second article, "Cyber insurance: Scaling the new frontier," will focus on key data elements and sharing information within the industry to quickly enhance product and service capabilities.
1. Robert Sargent “Bringing Cyber Risk Underwriting to the Mainstream” (CPCU Annual Meeting, Sept. 19, 2016).
2. "IBM: Data Breaches Now Cost $4 Million on Average" (Fortune, June 15, 2016).
3. "The Evolving Cyber Risks to Small Businesses and Their Data" (Advisen, Sept. 2016).
4. "Cyber Insurance Premiums Rocket after High Profile Attacks," (Reuters, Oct. 12, 2015).
5. "The Property/Casualty Landscape: Profitability, Growth - Disruption?" (III.org, Sept. 26, 2016).