Anyone who's ever worked in cyber security (or what used to be called IT security) will know the old adage that a security breach is never impossible, only improbable. It is this fundamental truth that has caused companies to go running for cover in recent years, especially in the wake of high-profile breaches affecting names like Target, Home Depot and Ashley Madison.
For the insurance industry, cyber looks like the next gold rush. Robert Gordon, senior VP, policy development & research at the Property Casualty Insurers Association of America (PCI), said cyber risk is the top issue the association's members are facing.
“The market is innovating so rapidly in this area and it's a great opportunity for insurers to bring a wealth … of protection when a loss happens, [and to encourage] companies to have the right sorts of standards to protect themselves and to mitigate losses,” he said at the annual PCIAA conference in Florida last week.
The numbers are certainly attractive, especially in the US, which is the most developed market for cyber insurance. Gerry Skalka, SVP, casualty underwriting at
Munich Re, said that the current estimate of the size of premiums in the sector is about US$2.75 billion, of which about 90% is in the US. In terms of growth, the industry also estimates that anywhere from US$7.5 billion to US$10 billion is a “reasonable premium” for 2020-2021.
This is backed up by evidence of maturity in the still nascent sector. “Cyber is changing from a risk that people try to prevent to a risk that people try to manage,” said Ben Walter, CEO of
Hiscox. “A cyber breach is not something that you can absolutely 100% prevent and that means it's a risk, so you need to manage it if and when it does happen,” he said.
According to Walter, this acceptance of the risk is a key factor in why the industry is seeing such uptake of products. “If you could prevent it, you might not insure against it,” he said.
But the sector is not without its growing pains. PCI's Gordon said that while cyber is one of the fastest growing areas of insurance, “It's a very difficult line to model and price and it’s very akin to terrorism risk, where there is a lot of independently correlating events and not a lot of loss data.”
Cyber insurance is considered high risk, and the premiums are going up to reflect that. After staying relatively unchanged in 2014, rates for retailers have increased 32% in the first half of 2015, according to data from
Marsh, prompting Tom Reagan, an executive at
Marsh, to comment: "Some companies are struggling to find the money to buy the coverage they want.”
There is also a trend for US insurers in some cases to raise deductibles or limit coverage to US$100 million or more, which has left many large companies exposed, since hacks could lead to losses more than twice that amount. A chilling effect of this scenario is that smaller insurers are refraining from entering the market at all, decreasing competition.
But in an unusual turn of events, regulation could turn into the insurance industry's saving grace.
“Total global losses from cyber crime stood at US$445 billion as of June 2014. With governments becoming increasingly involved in cyber threats, the prospect of compulsory cyber risk insurance could become a reality,” said Jay Patel, an insurance analyst at researcher Timetric. This would transform the market and could create a strong source of future revenues for non-life insurers.
It's a point not missed by PCI's Robert Gordon. “There's interest at every level. The National Association of Insurance Commissioners (NAIC) is working on cyber model legislation and even internationally they're trying to work on potential cyber standards,” he said.
Furthermore there's growing concern about cyber risk in non-cyber insurance lines. “What's the possible impact on your auto insurance following a cyber attack on a large fleet of cars?” he asked.
What's likely is that insurers will start readjusting their models for cyber risk, just like they did with terrorism after 9-11 to better reflect those risks, Gordon said.