Cyber Insurance: Black Swan or Golden Goose?
By Zack Schmiesing
Cyber risk may be the fastest-growing segment of the insurance market. It may also present the most dynamic risk out there, raising some significant challenges for many risk managers, insurers, and IT personnel attempting to build better defenses against cyber threats. Yet, in part because of its rapid growth, cyber has also become a space open to innovative products and cutting-edge expertise. Still in its infancy, underwriting for cyber risks has changed dramatically in scope and context from some of the earliest policy products of just a decade ago.
The shifting landscape for cyber insurance—along with a rational fear of the unknown—may be suppressing many potential insurance solutions. Through coordinated educational and operational efforts on the part of insurance carriers and their policyholders, both parties likely face an opportunity to better address this 21st century risk, possibly transforming a black swan into a golden goose. Many of the early solutions focused more on regulated loss mitigation post–data breach as opposed to proactive risk management, dealing mainly with legal costs and record recovery, with niche policy wording often available for financial and e-commerce entities. The excess and surplus (E&S) markets were typically best suited to underwrite this emerging risk area, and today, approximately 80 percent of the written premium comes from the E&S market.[i]
Deluge of data
Advances in technology have drastically changed the way both large and small companies now operate, bringing new exposures and vulnerabilities for the cyber insurance market to address. Data, in the form of financials, intellectual property, and even personally identifiable information (PII) and personal health information (PHI), has become portable in multiple formats. Millions of records can be stored on a single USB flash drive or transferred from a laptop over a Wi-Fi connection to cloud-hosted storage in just a few moments. Increases in processing allow businesses to collect, store, and analyze more data points than ever before. But with constant innovation and advancements in web-facilitated business tools often come increased vulnerabilities for internal negligence and external hacking.
Unfortunately, while even small businesses have moved to electronic file management, payment processing, and operations, the insurance space on the whole has not adapted nearly as fast to meet the needs of these small and medium-sized enterprises (SME). Much of cyber risk underwriting and solutions is still a case of the haves versus the have-nots. A majority of coverage continues to be limited to the largest commercial businesses with deeper pockets. They’re also the companies that can more likely recover from a major cyber breach or security event. Can the same be said for SMEs?
Recent high-profile hacking of global brands—including Target, TJ Maxx, Sony, LinkedIn, and Yahoo—has pushed cyber security to the forefront of operational risks. Arguably, the largest driver has been the impact on the general public victimized by these breach events. Some consumers may have received breach notifications and credit monitoring offers, which many jurisdictions mandate in the event of a breach. Cyber risk concepts and their potential cost implications are affecting many industries and companies of all sizes. The Ponemon Institute estimates that average breach costs consist of 59 percent direct costs (notification, fines, credit monitoring) and 41 percent indirect costs (brand damage and lost customers).[ii] Recent headlines have shown that large corporations are not the only ones at risk.[iii] More SMEs are being attacked by hackers through spear phishing, ransomware, and denial-of-service attacks. Forward-thinking businesses are finding they can no longer take an “it won’t happen to me” approach.
Can it be scaled?
A major hurdle currently standing between the mainstream commercial market and many insurers is product scalability. Because most of the purchasers are complex corporations, gathering information and forms can be an exhaustive process often involving HR, procurement, IT, and corporate risk management departments. For many SMEs, hunting down the data can be much more difficult, and chances are high that the language and terminology will be foreign to them. In most cases, those in the insurance industry then employ a strategy of educating the consumer: explaining what information is important, why it’s important, and how to locate this data—no small task. It’s essentially a change in culture within the SME space regarding how companies approach their operations relating to data storage, computational hardware and software, knowledge of third-party vendors, and a clearer understanding of their customers.
Price volatility is another challenge to the cyber insurance market. Marsh noted that premiums increased 32 percent in the first half of 2015, likely due to high-profile cyber breach events covered in the media.[iv] Premium fluctuations of this magnitude can be a very difficult pill to swallow, particularly for many of those SMEs operating under tighter margins. Introducing more products and insurers into the market could lead to price maturation sooner rather than later. But as noted above, the dynamics of cyber risk appear to change almost weekly. If 2014 was the year of the internal negligence breach and 2015 was the year of the retail breach, 2016 is proving to be the year of ransomware. So what lies ahead in the years to come?
Is cyber risk, which reforms regularly in size and scope, too dynamic for traditional insurance products and the marketplace to tackle? Or is now the perfect time—with an estimated $676 billion in policyholder surplus[v] and relatively low interest rates—for those in the industry to get up to speed, rethink product approaches, and usher in solutions suitable to mitigate this 21st century risk?
Data that divides
An essential element to underwriting any type of risk—whether property, liability, or cyber—is the collection of exposure information to clearly define and segment types of risk. Even so, cyber risk in general represents a new frontier. What information provides the sharpest insights and associated variables that segment operations and helps insurers better understand the likelihood of a breach? In other words, what would be the “COPE” data for a cyber risk? In the case of cyber, the same acronym applies as commonly used in the commercial property space—an acronym that simplifies three key areas of information needed to support underwriting decision making: culture, exposure, and protection.
A common theme among many businesses that have overhauled their cybersecurity practices is culture change. And that transformation very often starts at the top, with C-level executives integrating secure cyber practices within the workforce and bringing cyber risk to the forefront of operational strategies. A resilient culture may be difficult to define, but it’s arguably one of the best measures to help prevent a cyber loss event or mitigate losses from outside attacks. More than half of all cyber attacks in 2013 were the result of employee negligence.[vi] That number has declined, in part due to other forms of attack but also because of stringent policies and education instituted within many large companies.
Analyzing the exposure of a commercial business introduces challenges not necessarily present in more traditional commercial lines. First and foremost is sourcing the data. Although IT departments usually aren’t involved in the insurance purchasing process, they’re often the first—and possibly only—line of defense when it comes to cybersecurity. And many SMEs outsource much of those services to vendors. Facilities managers may not know details such as the mail server host or the SSL certificate in use. Understanding the value of the data and assets that employees collect, store, and analyze is also highly important. “Thinking like a hacker” allows a business to consider its data and web-facing assets with a view of what’s most vulnerable, what needs additional protection, and how to prioritize resources to help ensure more secure operations.
The last piece of the puzzle involves data related to types of protection, or security, used by an operation. This information includes security protocols and employee access to records, types of software, freeware, and levels of security within cloud platforms accessed by operations. This data is usually the most difficult to capture and evaluate.
Each of these three categories speaks directly to workforce considerations when devising and launching a cybersecurity strategy. But it’s crucial to remember that purchasing cyber insurance does not equate to practicing cyber risk management. It’s merely part of a larger process. Insurers that are able to gather the most information, evaluate and categorize it appropriately, and devise a product to serve the many unique segments will likely be successful. This means that traditional segmentation, by geography or SIC code, will likely not suffice. We may find that the primary segmentation categories will be e-commerce revenues, cloud-computing vendors, or even the number of web-facing devices.
In addition to the challenges presented in gathering “cyber COPE,” the insurance industry as a whole also currently struggles with sharing and communicating intelligence among peers. This often puts many carriers at a disadvantage from the start. The hacker space is rife with knowledge sharing and communication, exposing vulnerabilities and strategies to attack systems and improve attacks through phishing, malware, and ransomware. At present, the insurance industry lacks a central source of claims and loss-related information to help level-set the ratemaking process, which can have repercussions up through the reinsurance sector largely due to a lack of aggregation knowledge and loss experience.
One potential solution involves regularly disclosing cyber insurance data as part of statistical reporting. The federal government (including the Department of the Treasury, the Department of Homeland Security, the Federal Insurance Office, and the White House Cybersecurity National Action Plan) has called for voluntary sharing of information from breach and security events to help expedite understanding of the current threat and establish resources to address vulnerabilities. The insurance industry has a long and successful history of sharing policy and claims-related data to help improve market conditions and performance in more traditional lines, and it’s likely that this same practice can benefit the cyber risk insurance space.
Cyber risk presents a challenging environment for many insurance carriers to operate in, primarily due to the dynamic risk and hazards, a lack of understanding of the vulnerabilities, and a lack of loss experience to build and standardize coverage and language. An opportunity exists for many insurers to work directly with their policyholders to educate, gather operational data (in the form of cyber COPE), and begin building product solutions that match the risk variations presented in different industries. Sharing data among peers, using third-party data experts, and devising new ways to serve customers can foster a cyber insurance market that helps meet the needs of businesses large and small.
[i] Robert Sargent, “Bringing Cyber Risk Underwriting to the Mainstream,” CPCU Annual Meeting, 9/19/16.