Cyber insurance market outlook
Cyber threats have become the risks of the century and if cyber security is one step behind new cyber threats, cyber insurance is two steps behind. Risk managers of large institutions already consider cyber attacks to be a severe risk and therefore have insurance policies to address this. We are now seeing more and more small companies asking for cyber covers, especially after the latest large-scale attacks.
It is difficult to achieve comparability of products in the cyber market, as many players — be they insurance companies or brokers — draft their own wordings with a specific focus on property or casualty components. As cyber technology is omnipresent and the risks can trigger claims under traditional insurance products, some players choose to endorse their traditional property or casualty policies with cyber extensions. Overall, however, new stand‑alone cyber covers are appearing.
The accumulation potential of cyber risks is not fully understood. Firstly, a single cyber event can trigger a multitude of stand-alone cyber policies, due to the fact that contingent business interruption is a common feature of cyber policies, but also because everything is interconnected. The rise of the Internet of Things will increase connectivity and so trigger even more potential losses.
Secondly, traditional insurance products do not explicitly exclude cyber risks, as they have only become an issue in recent years. This is a challenge that needs to be managed. Cyber security, for example, is something that requires the attention of top management, as the lack of adequate IT security measures and controls could quickly develop into a D&O claim in the event of a cyber attack.
Munich Re has set up teams of experts to help monitor exposures and their development. One challenge is that unknown accumulation exposure could trigger a huge number of policies at the same time. Main exposures for accumulation scenarios could be:
- The clash among different lines of business
- The coverage of contingent business interruption
- The outage of external networks such as the internet, telecommunication networks or utility providers
- Other service providers with a high client concentration, such as cloud providers or DNS servers
- Security gaps in widely used standard software products
The accumulation that would arise from an outage of the internet would be of significant magnitude for the insurance sector and reinsurers, which is why it is so important to be aware of how these aspects are addressed in wordings and how they are covered.
There is currently abundant insurance capacity in most classes of business. Even capital markets have started to become interested in (re)insurance products, especially pension funds, given the low-interest-rate environment. This pushes premium levels down and fosters fierce competition. Premium levels in basically all classes of business keep falling, year after year. Established insurance companies are fighting to keep their shares, while new players are offering additional capacity. Moreover, competition between brokers is also keen. Broker facilities have arisen even in complex classes of business, such as financial institutions’ D&O insurance. All these aspects are leading to increased pressure on insurance companies and their results.
In such a tense situation, what could be better than new opportunities to write business? In terms of figures, the outlook is very promising. At the end of 2016, global premium volume in cyber insurance was thought to be in excess of US$ 4bn, with around 80% coming from the US. The other 20% was split between Europe and Asia, where the product is still catching up. Premium volume in Europe is expected to rise from US$ 300m in 2016 to US$ 900m in 2018 – a growth rate of 200% in two years.
Challenges and opportunities for (re)insurers
As the market is far from saturated, a decrease in premiums in a situation where policies have not yet been tested and claims might increase is risky. Another worrying aspect of this development is that intense competition for premiums unfortunately puts disciplined underwriting at risk. Risks are evolving so quickly that they are being written without being fully understood. Pricing based on reliable actuarial models is basically non-existent, as loss scenarios are constantly evolving, unlike in traditional classes of business where loss curves are based on claims history and experience. In an environment with constantly evolving threats, pricing considerations based on the past make no sense.
As in other classes of business, due to stricter legislation, premium levels are significantly higher in the US than in Europe. This is due to high notification costs, particularly in the case of data breaches. But legislation in Europe is set to change in May 2018, when the EU’s General Data Protection Regulation (GDPR) comes into force. While large corporates – especially the most exposed, such as financial institutions, retail and health companies – are buying larger programmes and sometimes doubling their capacity at renewal, the SME sector is developing more slowly.
Underwriting of cyber risks
As we have already seen, there is a huge range of cyber policies available. Unfortunately, the underlying cyber risk assessments and cyber coverage elements are equally diverse, and even the insurance industry could reduce effort and increase transparency by implementing and using standard risk assessment and coverage elements.
Due to the sensitivity of the information, insureds are often reluctant to share details of their security measures and history of incidents. This is well understood in the insurance market but does not help proper pricing and slows down the learning process for all parties – insureds, insurers and reinsurers alike.
Crucial information for good underwriting — such as independent certifications and risk assessments, business continuity plans, cyber protection measures or top-level management commitment — is not usually available. It must be understood that cyber insurance goes hand in hand with good cyber security and strategy, but cannot replace it.
Cyber threats and cyber covers are both evolving rapidly. On the one hand, we are seeing new threat vectors such as blackmail for bitcoins via ransomware or DDoS attacks. On the other, cyber covers have to consider new coverage aspects such as the GDPR or outsourced services to cloud providers. Complex layering with multiple insurers and reinsurers combined in a single coverage tower and a complex wording do not always allow for appropriate changes during renewals. This adds risks for all parties, including brokers.
Will the increase in risks and the change in EU legislation result in the adequate adaptation of terms and conditions in the context of intense competition within the insurance industry? In a constantly changing environment of increasing technological threats, the insurance industry needs to find adequate solutions for its clients’ risks, without losing sight of disciplined underwriting. Accumulation monitoring and thorough risk analysis must be of the highest priority. If this is not done adequately, the long-term sustainability of this line of business might be at risk. An internet outage, just to name one possible example, and the subsequent problems and widespread business interruption this could cause, could ruin some companies.