Cyber Insurance To Touch $7.5 Billion By 2020

by Sohini Bagchi    Sep 14, 2015

cybersecurity

The massive exposures from cyber risk will eventually need to be dealt with by the insurance and reinsurance market with a hybrid approach, creating reinsurance products that leverage both traditional and capital market or ILS practices, according to PwC. In a new report, PwC states that the cyber insurance market will grow to $5 billion in annual premiums by 2018 and is likely to triple in size to $7.5 billion in annual premiums by 2020.

An increased focus

Cyber insurance could soon become a client expectation and insurers that are unwilling to embrace it risk losing out on other business if cyber products don’t form part of their offering. In the meantime, many insurers face considerable cyber exposures within their technology, errors & omissions, general liability and other existing business lines, says the report.

According to PwC researchers, cyber criminals are constantly probing for weaknesses and adapting their tactics. “While our image of the perpetrators often centers on activists or organized gangs, they could just as easily be employees. The targets are also broadening. A clear example came from the insurance sector itself when a company was hacked for the tracking data they held on cargo shipments.”

All these factors make cybercrime a costly, hard to detect and difficult to combat threat, which costs the global economy more than $400 billion a year and the cost will continue to grow.

cyber

The report also alerts that the insurance industry could face stiff competition from disruptors such as Google if it does not act fast to develop products. Paul Delbridge, insurance partner at PwC, explains, “Given the high costs of coverage, the limits imposed, the tight terms and conditions and the restrictions on whether policyholders can claim, many policyholders are questioning whether their policies are delivering real value. There is also a real possibility that overly onerous terms and conditions could invite regulatory action or litigation against insurers.”

Moreover, as CXOs become increasingly focused on the need for safeguards against the most damaging cyber attacks, insurers will find their clients questioning how much real value is offered in their current policies. If insurers continue to simply rely on tight blanket policy restrictions and conservative pricing strategies to cushion the uncertainty, they are at serious risk of missing this rare market opportunity to secure high margins in a soft market. “If the industry takes too long to innovate, there is a real risk that a disruptor will move in and corner the market with aggressive pricing and more favourable terms,” says Delbridge.

The report addresses not just the opportunity presented by cyber risk, for underwriters with the skills and expertise to address the risk, but also how the market needs to respond in order to ensure the large amounts of capacity are there and how reinsurance capacity will be required to support cyber risk insurers.

According to the report, “Businesses across all sectors are beginning to recognise the importance of cyber insurance in today’s increasingly complex and high risk digital landscape. In turn, many insurers and reinsurers are looking to take advantage of what they see as a rare opportunity to secure high margins in an otherwise soft market. Yet many others are still wary of cyber risk.”

Lack of understanding

According to cyber security experts, for example, when compared to the extent and the intensity of cyber crime, the adoption of cyber insurance in India is abysmally low, one of the primary reasons being a lack of understanding of cyber security laws, policies and its implications among Indian insurance providers. It is also evident from the fact that there are very few pure-play cyber insurance companies in the Indian market.

According to Debasis Nayak, Director at Asian School of Cyber Laws, “Of the very few companies that are now venturing into this space, hardly any of them offer a comprehensive policy. And even among those that offer some kind of covers for cyber breaches, none of them pay attention to the regulatory compliance on data privacy or mention the extent of penalties or contravention for data breaches or extortion.”

Cyber security expert Anand Maliwal also echoed the same sentiment. He observes the high price of the policy as another major roadblock in the adoption of cyber security insurance. “At the same time, too many exclusions and uninsurable risks in the existing covers are also inhibiting organizations from purchasing a policy,” he says.

Currently, some companies are offering cyber insurance covers that include third party liability coverage and costs and expenses to compensate victims against the losses, but again there is a lot of exclusion in the offering. Experts believe the covers do not clarify distribution of unsolicited email, fraudulent acts and failure to maintain standard computer security, and other related issues. For example, internet liability coverage that protects the insured from damages arising from a internet or intranet breach, transmission of email or documents by electronic means or the unintentional transmission of a computer virus, is currently excluded in the existing policies.

A few insurers have already taken a lead to introduce specific policies that addresses cyber liability risks and covers first party losses such as computer theft, extortion and business interruption. But these customized policies are few and far between.

A collaborative approach

Globally however, the cyber insurance market has begun to mature and is expected to accelerate in the coming months. A survey done by Ponemon Institute reveals 31% companies worldwide are already insured against data breaches and a growing number of companies (40%) are exploring policies in the next one year. Larry Ponemon, chairman and founder of the Ponemon Institute states that this shows businesses and government are ranking cyber-security risks as greater than natural disasters and other major business risks and looking at cyber insurance as a mean to prevent high liability.

Many economies are practicing a collaborative approach of cyber insurance practice and encouraging its adoption. The US Homeland Security officials for example, has identified cybersecurity and insurance as a critical issue for businesses and the public sector, and is providing help to secure cyber networks from attacks. The government of US is also hosting cybersecurity insurance workshop by collaborating with government agencies and regulators, private industry, academics, IT security professionals, and the insurance industry discussing the various possibilities and limitations.

Nayak states, “Only with pressure from government and regulatory bodies, insurance companies will pay greater attention to restructure their cyber insurance offerings.”

On the brighter side…

Nonetheless, the cyber insurance market in India is expected to see a steady rise by the end of the decade, believes Nayak that because, online businesses and activities are increasing phenomenally in the country and there is a obviously a growing interest in adoption of cyber insurance among corporate. After all, cyber security is a global phenomenon that transcends geographies.

In india, experts are already seeing a 30-35% increase in demand for these products with some insurance players venturing into this space with their covers. They are already receiving a lot of queries from the IT, banking and financial companies in India. In the coming months, they expect a lot more queries to come from sectors such as e-commerce, hospitality, educational institutions and retail firms. Currently, Nasscom is collaborating with the Indian government, looking into the matter more seriously in the coming months.

“With companies placing cyber-security risks as high as other major insurable business risks suggests that the realization has increased and as the market matures and threats continue to advance, demand for cyber-security insurance will further go up prompting insurance players to bring in more specific and customized cover for businesses,” says Maliwal.

PwC recommends that a hybrid approach is taken, between the traditional and alternative reinsurance markets, leveraging the best of the traditional reinsurance product where it is most suited and making use of the capital markets and ILS structures where they can play an important role.

“Risk transfer structures are likely to include traditional excess of loss reinsurance in the lower layers, with capital market structures being developed for peak losses,” PwC explains. As most investors and ILS managers won’t have the experience in cyber risk necessary to understand and underwrite it, it will be vital that relationships are built with traditional insurance or reinsurance players, as well as with technology and cyber security providers.

PwC explains; “Fund managers and investment banks can bring in expertise from reinsurers and/or technology companies to develop appropriate evaluation techniques.”

One of the potential ways is through partnership with cyber security firms. These firms understand their products, their clients and the penetration or hack-rate, meaning that if they choose to buy protection the data may be available to enable a capital market solution to be developed.

PwC highlights the need for a risk facilitator to emerge:

Given the ever more complex and uncertain loss drivers surrounding cyber risk, there is a growing need for coordinated risk management solutions that bring together a range of stakeholders, including corporations, insurance/reinsurance companies, capital markets and policymakers.

Some form of risk facilitator, possibly the broker, will be needed to bring the parties together and lead the development of effective solutions, including the standards for cyber insurance that many governments are keen to introduce.

The facilitator may come from the technology side, enabling the insurance, reinsurance and capital markets or ILS players to better understand the risks, the exposure, the potential magnitude of losses, making creation of these hybrid risk transfer structures more feasible in the future.

An interesting prospect for both the traditional re/insurance and ILS markets and one where cooperation, rather than competition, may be seen as vital as the cyber insurance market develops, believe experts.