Cyber Insurance: From risks to opportunities
Cyber insurance – just hype?
Cyber threats are certainly one of the biggest security risks of the 21st century. In larger companies especially, cyberattacks are seen as one of the most significant threats – not only for customers' data or internal IP but for many ongoing business operations. Not surprisingly, in that business environment demand for cyber coverage has increased.
We are now also seeing more small and medium-sized companies asking for cyber covers, as the need to protect operations not only through IT-security solutions but also through cyber insurance seems to be more than obvious. Increasing digital transformation, the trend towards global connectivity and interconnectedness, the Internet of Things (IoT), the growing number of virtual platforms and business models in nearly all industries, as well as governance requirements through internal risk management or increased governmental and legislative efforts, such as the European General Data Protection Regulation which came into effect in May, will no doubt drive this development further.
And indeed, the figures for the cyber insurance market are promising: at the end of 2017, worldwide premium exceeded US$ 3.5 billion, with the US share dominating. However, that US dominance now appears to be declining, as the current development of the European market is showing a very positive trend, with premium values increasing in nearly all European countries. All in all then, cyber or cyber-related insurance solutions are, and will continue to be, much more than just a short hype in a soft market situation.
Covering cyber – what are the key challenges?
The cyber insurance market has been evolving rapidly in recent years, offering various types of insurance coverages. The complexity of cyber as a peril and the evolving nature of the risk lead to challenges in insurance product design, underwriting, risk management and accumulation control.
As in other lines of business, a proper cyber risk assessment is key for cyber insurance as well. Defining the right approach needs to be further developed – ranging from an outside-in view with automated cyber rating tools, for instance, to inside-out assessments, achieved using monitoring tools or quite traditional cyber risk questionnaires and interviews, amongst other things.
A proper risk assessment methodology is one of the most important pillars for pricing the cyber risk. Although pricing models have developed, advanced pricing based on valid historical data and actuarial models has not been sufficiently tested so far. This could leave underwriters feeling that cyber exposure can be reliably assessed and priced, when actually it can't – at least not compared with other lines of business.
Due to the business potential of the growing cyber insurance market, many inexperienced players have entered the market, and competition may force some players to offer cyber insurance without any deeper understanding of the underlying risk, but just following the pressure of the market. Moreover, due to abundant insurance capacity and the soft market, reducing premiums in a situation where policies have not yet been tested and adequate claims data are not available presents a major risk. In addition, cyber wording extensions aimed at maintaining premium levels lead to increased systemic risk.
A risk's complexity, its assessment, and especially the lack of data and understanding become crucial when we consider the huge accumulation potential of cyber policies, and of conventional policies that may also cover some cyber exposure. As connectivity and cyber technology are omnipresent, one widespread single event can trigger a multitude of cyber policies. The main exposures for accumulation scenarios could be:
- A large scale data breach event
- The coverage of contingent business interruption
- The outage of external networks such as the internet, telecommunication networks or utility providers
- The outage of other service providers with a high client concentration, such as cloud providers or DNS servers
- Security gaps in widely used standard software products.
The accumulation that would arise from an outage of the internet would be of considerable magnitude for the insurance sector and reinsurers, which is why it's so important to be aware of how these aspects are addressed in wordings and how they are covered. Munich Re doesn't consider the outage of an external network – such as the internet, power or telecommunications, leading to huge financial impacts on clients, depending on the networks – to be an insurable risk. At least not one that could be covered by the private insurance industry on its own, though perhaps in collaboration with governments and cyber pool solutions. Insurance and reinsurance wordings therefore need to contain an exclusion in respect of these risks.
Other challenges to overcome in the future are the harmonisation of risk assessment, as well as of risk selection processes, wordings, definitions and the terminology of coverage elements.
Besides the insurance industry, other stakeholders may also contribute to overcoming existing challenges, as the following online voting results from participants in the OECD Insurance Conference (Paris, 22/23 February 2018) indicate:
Insuring cyber risks: Not if, but how
Besides the required collaboration with stakeholders like IT security service providers, R&D environments, governments, regulators and risk-owners, the insurance industry's contribution will need to be huge to meet the current digitalised business reality. New cyber insurance products and extensions of existing insurance coverages will therefore need to be developed and offered, with a clear tendency towards cyber stand-alone coverage. Customers may range from private individuals to small and medium-sized companies, all the way up to big corporate entities or critical infrastructure.
Given that businesses are more and more exposed, every insurance company should be thinking about finding solutions for these new risks – especially considering that some of the existing policies in the traditional lines of business of both cyber insurance providers and market players that decided not to offer cyber insurance may already be exposed to so-called "silent cyber", even though this is not specifically stated in the contract.
Silent cyber exposure can occur in various conventional covers, from property to casualty lines of business. Even life insurance may be triggered by a silent cyber event, due to the fact that not only health-related equipment but also implants like heart pacemakers are smart as well as connected, and are therefore vulnerable to cyber threats.
From a risk management and control perspective, it's essential that the insurance industry ensures that potential silent exposures are explicitly addressed and considered. Insurance companies should avoid accepting exposure without proper underwriting, risk assessment pricing and accumulation management. Uncertainty has to be eliminated by formulating clear exclusion language or by introducing clear coverage language in traditional lines of business. Cyber exposure has to be addressed explicitly in stand-alone cyber policies or cyber endorsements.
The role of reinsurance
Collaboration is key – and this applies especially to the partnership with reinsurance. Due to the complexity of the risk and its significant accumulation potential, insurers rely heavily on reinsurance capacity to cope with the risk. For Munich Re, the coverage of cyber risks as a strategic future business model remains a main business focus. In order to justify the high expectations regarding the market growth of cyber covers, Munich Re has built up considerable resources in cyber underwriting and claims. We employ established cyber experts whose expertise can also be made available to the market. Additionally, each business unit has dedicated cyber underwriters and a cyber expert pool for every relevant market.
For the "small and medium-sized businesses" target customer segment, we offer our clients comprehensive services based around the cyber insurance product. Because that is where, in the worst case of a successful cyberattack, a company's very existence is at stake.
Reinsurance solutions should therefore always depend on the primary insurer's own infrastructure, expertise and respective risk appetite. That is why a wide range of services – the so-called Munich Re cyber toolkit – is available upon request throughout the product development process.
As the world's leading primary insurer, excess insurer and reinsurer of cyber risks, Munich Re also offers cyber covers for industrial clients with high coverage limits. Modular cyber solutions for industrial clients range from traditional covers for data security breaches, to cost coverage for ransom payments for cyber extortion, to business interruption cover, including the assumption of forensics costs. Depending on our clients' respective risk profiles, we integrate innovative concepts such as coverage for reputational damage, protection for personal and material damage, and contract penalties or guarantee payments, where triggered by a cyber event.
These various services and topics show that more needs to be done than simple risk transfer: Together with insurers, reinsurance must contribute to protecting small and medium-sized companies from existence-threatening incidents – comprehensively and in line with their individual risk situation. For large corporates, bespoke solutions are very often required for individual needs.