Cyber Risk - Can the Battle be Won?

The 21st century has disrupted every business model with the introduction of new technologies and the need for digitization. Industry 4.0 has hit insurance with a double whammy:

● Insurance incumbents need to transform their businesses from a business model that has worked for 300 years to an agile and responsive service.

● Insurers need new frameworks to protect their clients from digital risks and remain solvent.

2017 brought havoc to cyberspace with attacks like WannaCry and Petya/NotPetya. It is no wonder that the global focus on cyber risk has jumped 10% in the last year.

Figure 1: The Most Important Business Risks in 2018. Source: Allianz Risk Barometer 2018 (appendix)

Organizations recognize that cyber risk is a major threat to their business. However, very few of them have the maturity to mitigate or combat this risk. PwC’s 6th annual risk report shows that 62% of companies are very aware of cyber risk and its potential to harm their businesses, yet only 3% have very high risk maturity, and 6% have high risk maturity, based on PwC’s maturity model.

Figure 2: The discrepancy between expecting cyber risk to affect business and the preparedness to do something about it. Source: PwC, Risk in Review, 6th Annual Study.

The reason probably is that the premium income for cyber insurance has historically been very low and out of sync with the cost of cyberattacks experienced. The estimated global premium for 2017 was only $3 billion. According to Allianz, it is expected that this will rise rapidly to $25 billion by 2025, probably as cyberattacks increase in intensity.

Figure 3: Estimated change in premium income for cyber risk. Source: CB Insights Quarterly Insurtech Briefing Q4 2017 (Jan 2018)

And the pressure is there. Business interruptions hit supply chain management, pharmaceuticals, utilities and large and small businesses across the globe. For example, WannaCry was estimated to have hit over 200,000 companies in 150 countries, according to the Organisation for Economic Co-operation and Development (OECD).

Complicating cyber risk insurance is the fact that there are at least nine other types of vulnerabilities, each with their own consequences. Data breaches, where customer data is accessed, create huge reputational risk, but are increasingly going to carry huge penalties because they contravene personal information acts, such as the GDPR.

Figure 4: The consequences of a third party data breach. Source: OECD

The most extensive hacking event was the attack upon Equifax, where over 140 million personal records of Americans, Canadians, and Britons were stolen. As Equifax is a credit bureau, we are talking about very sensitive information, including credit card and social security numbers.

To add insult to injury, Equifax has just admitted (March 2, 2018) that another 2.4 million records were compromised, although less data was retrieved. Apart from incurring legal costs as well as those to make their environment more secure, Equifax also has to fund a free identity theft service for those whose identities were compromised. The current estimate of the cost to the company (excluding reputational damage) could be as much as $600 million. Less than a quarter of that loss is covered by insurance.

Understanding the Risk

While companies have difficulty understanding the scope of cyber risk, insurers, and especially reinsurers, try hard to build insurance models that will adequately protect their customers without wiping out insurance pools in the process.

A study undertaken at the University of St. Gallen examined whether it was even possible to cover cyber risk or whether it was uninsurable. Incredibly enough, this was the first in-depth scientific analysis of how cyber risks should be managed. In this paper, researchers made a distinction between risks of “daily life” and “extreme” or catastrophic risks. The former risks are insurable and manageable, the latter may just be too big to insure, and the authors call for governments to be involved in designing strategies for major attacks.

A consistent framework or standard would help. The difficulty of obtaining and analyzing relevant data is one of the challenges to building a framework. Insurers are reluctant to provide cover that the companies looking for cyber insurance require. This is one of the reasons why the current market is so small.

This gap in the market is slowly being filled by companies that provide business intelligence services. Aggregating data for assessing cyber risk and building a risk model is different from traditional data gathering done for insurance risk. Cyber risk modeling needs another approach, because there is no historical data to go on, while traditional insurance can rely on national and geographical statistics, such as mortality rates and hurricane damage dating back to the time they were first recorded.

What the Future Holds

Currently, we have a situation where most of the stakeholders are fumbling in the dark. Many insurers are offering generic cyber policies that differ widely on what they cover, supported by pricing models that may not be aligned with potential claims. On the other side, large and small companies that are seeking cyber insurance sign up for cover that is inadequate or does not fit their business model. They may only discover the problem when their claim is repudiated, for instance because their firewall or virus protection doesn’t comply with the policy clauses.

Cyber insurance clients will have to beef up their cyber risk strategy (if they have one), and make sure that they are constantly up to date with the latest software, firmware, and hardware fixes, if possible. They must also train up employees to understand cyber risk. There is potential for insurtechs and development houses who can consult small and medium businesses on this; not everyone can afford to hire a CISO.

Insurers will need to develop expertise in cyber insurance, and start gathering their own cyber risk data. With properly organized data collection and analytics, any company can start building a risk model of their own. Customer surveys and an assessment of claims history can be used to identify what customers want to see in their policy. Insurers must also ensure that their own house is in order, as they are a good target for data breaches.

Reinsurers are ahead of everyone else, as they realised very early on that a new form of catastrophe had emerged and that treaties would be needed to cover the insurers (a treaty spreads a potentially catastrophic risk across many reinsurers - each takes a percentage of the risk and their share of the total premium levied on the insurance companies).

What is certain is that the market is underinsured. Lloyd's reported that cyber risk is underinsured by over 90%. Contrast this with the 30% cover on the world’s ten largest catastrophes from 1980 to 2016, as reported by Munich Re, and it is clear that the world is at risk.

Figure 5: Gap between potential cyber risk and insurance cover. Source: Lloyd's of London, Counting the cost: Cyber exposure decoded (p. 48)

Fortunately, with over 60% of companies (see Figure 2) recognizing the threat, we can expect to see this market maturing and better preparing for the expected onslaught. The rapid growth of the IoT (Internet of Things) to about 30 billion connected devices provides 30 billion gateways for hackers to try new and audacious attacks. There is no time for complacency, and insurance companies are probably the laggards.

