
Malware: Frequency and Severity for Cyber

Cyber insurance is seen as the fastest-growing line of business in insurance. According to a recent study by the Geneva Association, the insurance industry’s think tank based in Switzerland, the current size of the market is believed to be in the range of US$ 2.5 billion to US$ 3.5 billion in gross written premiums. Citing industry participants, the Geneva Association predicts that by 2020 premiums may grow to US$ 10 billion and up to US$ 20 billion by 2025. The USA is still by far the largest market, accounting for roughly 90% of premiums, while Europe accounts for just 4% of business written and the rest of the world for 6%.

Awareness of cyber risk is driven by highly publicised malicious attacks – both on public institutions and blue-chip companies. Increasing government regulation, such as the recent enactment of the General Data Protection Regulation (GDPR), raises the stakes of reputational damage for corporations affected by a loss or breach of confidential data as companies will have to inform both regulators and customers about these incidents.

Again, according to the Geneva Association, estimating the cost of cyber incidents is difficult, as the extent of damages caused is not necessarily reported. However, some studies see the annual global economic cost caused by cyber incidents at around US$ 400 billion, which would be twice the annual average cost due to natural catastrophes. Thus, as of today, and also on the assumption that premiums will increase to US$ 20 billion by 2025, the risk remains largely uninsured. The insurance industry itself actively seeks to address the risk, as with less than one per mille of global insurance premiums, cyber is believed to pose one of the largest protection gaps of the industry.

The magnitude and complexity of the risk might be the main reasons why insurers shy away from providing more cover. However, policyholders continue to underestimate its ramifications too. Although boards of directors and CEOs frequently state that cyber risk is on top of their agenda, or even consider it a threat to their business growth and to future digitisation in particular, cyber policy sales remain low.

Malware as an underestimated threat

At the forefront of public attention are malicious attacks by hackers with criminal intent. However, more frequent and severe risks might lie in a first-party loss caused by malware in a company’s own IT systems.

According to Peak Re’s research, the largest cost related to cyber incidents is in the company’s business downtime and its consequences. There is the loss of revenues due to business interruption, the cost for replacement and potentially litigation efforts to reclaim those expenses. In addition, there is the exposure of the company to its own customers, such as data leakage, business continuity and possibly a decline in intangible assets, such as a loss in customer confidence.

In fact, Peak Re estimates that the exposure of companies to a first-party loss is far greater than to a third-party loss. In addition, the latter is more difficult to prove and the cost of measuring such damage might be prohibitive.

Customers also underestimate the risk they incur due to their increasing connectivity. Companies might be joined to each other through supply chain systems. To assure a seamless exchange of information, participants in a chain typically use common software platforms, which makes it difficult to prevent malware from spreading. Furthermore, companies store their data in external clouds or with software vendors. While customers retain less control of their own data systems, this interconnectivity also poses accumulation risks to insurers and reinsurers as losses may affect multiple clients across geographic boundaries.

Policyholders’ risk management has to account for cyber exposure. However, as the Geneva Association states in its report on risk mitigation strategies in cyber insurance, it is less the large firms, such as the financial institutions, with their own large IT departments which are most exposed, but rather the smaller SMEs. They frequently lack the expertise as well as the resources to deal with cyber risk effectively, underestimate their vulnerability and have neither teams nor the necessary risk management measures in place to systematically and proactively manage their exposure. In addition, SMEs often outsource their IT and their security functions and are thus less aware of the risks they run. Although they might pose an attractive market segment for cyber insurance, underwriters may find it a “hard sell” as acquisition cost can be prohibitive.

Still, Peak Re is convinced that if customers aim to contain and minimise their cyber risk, they have to elevate it from an IT issue dealt with by technicians to a business issue which requires dedicated attention from top management. As part of a continuous risk management process, companies need to establish continuous IT health checks to detect weaknesses in their system as early as possible, and develop backup plans and business continuity processes.

Cyber risks and risk solutions are likely to change significantly in the future. Peak Re is committed to discussions with our customers on how to identify and develop risk transfer solutions in this rapidly evolving sector.