Bermuda: a future market leader in cyber?

The fact that cyber attacks represent a real and growing threat to the global economy, and to individual companies and people, is news to nobody. The search for the person who has never been the victim of an attempted cyber attack such as a phishing scam or a ransomware attack would be a long, and probably fruitless one.

However, the idea that insurance coverage is available for such attacks is rather less mainstream. The market is certainly growing, and is set to become an important line of business for many re/insurers in the future. For now, however, the market is still finding its feet—and taking rather longer to get going than some people had hoped and anticipated.

Cyber represents a huge area of potential growth for Bermuda’s re/insurers, according to Bermuda:Re+ILS readers (Figure 1).

Nearly threequarters of the respondents to the survey were unequivocal in their optimism for the potential of cyber insurance for Bermuda’s re/insurance. The majority of the remainder agreed it is a potential growth sector, but expressed some caution on the basis that the industry’s development to date has not quite lived up to expectations.

One respondent cited the significant levels of capital that re/insurers need to operate in this line, due to its inherent systemic risk. That might explain why progress has been more gradual than had been hoped.

Some might argue that re/insurers can be forgiven for easing themselves into the cyber market, given the lack of historical claims data for this business line and the resulting challenge of pricing it properly. But respondents clearly felt that, as those challenges are overcome, Bermuda stands to emerge as a significant player in what is set to be a very active area of the insurance market.

One respondent said: “Bermuda will excel in cyber”, citing the Island’s regulatory responsiveness and the agility and innovative spirit of its companies as factors that give it a significant advantage in this business.

“Established US and European players may struggle with the speed of change required to respond to market needs,” the respondent added.

The opportunity for the insurance sector is almost exactly the same as for the re/insurance sector, according to the survey respondents (Figure 2). Again, nearly threequarters of respondents feel cyber represents a massive opportunity, and are not at all concerned about the rate of growth so far. A slightly higher, but similar proportion of respondents cited growth to date as a small area for concern, but still expressed optimism that there was potential for significant growth in the future.

“It is the number one concern for CEOs,” noted one respondent.

“Expertise is key,” added another. “Cyber requires costly resources and networks of service providers.” Getting that infrastructure in place could never happen overnight, and also explains why growth may have been slower than some allowed themselves to expect.

However, there is no doubt that Bermuda:Re+ILS readers as a whole expect big things for the cyber industry in Bermuda in coming years.

Why the growth?

Assuming the cyber market is growing, the question is ‘why?’.

The majority of respondents were clear on this one too. High profile and costly attacks on big business are driving the growth of the cyber market, according to 64 percent of the respondents to the survey (Figure 3).

There is no doubt that high profile cyber breaches do much to raise the profile of the problem, and encourage people to think about coverage to protect themselves from this problem.

While attacks on big business tend to generate the most attention, that is only because of the name recognition such firms have. Every attack on a large US blue chip company, or international bank, exposes the vulnerability of businesses of all sizes, and in all sectors, to this problem. If a company as large and well known as that can be a victim, the thinking goes, then anyone can.

Large companies have large budgets with which to protect themselves, but that has not stopped cyber criminals from breaching those defences. And while large companies are bigger targets, due to the sizes of their balance sheets, smaller companies are relatively easy targets for sophisticated cyber attacks. Every high profile cyber attack is essentially a billboard advertising the need for cyber coverage, that is sure to be noticed by everyone who sees it.

However, this is not the only factor driving growth in this sector, according to respondents. More than 20 percent cited regulation as a driver. This suggests firms are buying coverage because they have to—or at least because they have to demonstrate they are taking the threat seriously. The purchase of cyber coverage is certainly one way to convey that message.

As always when it comes to cause and effect, the truth is probably a combination of factors that interplay with each other—with those two factors being among the most significant.

“It is a mixture of coverage expansion, cost and limit availability, coupled with more acceptance from chief information security officers on the need and benefits of cyber,” said one respondent.

Awareness

If everyone has heard about these high profile attacks, and everyone is terrified of becoming the next victim, why hasn’t everyone got a cyber insurance policy? What is holding this market back?

It’s paradox time. Despite the majority of respondents suggesting high profile cases have raised the profile of cyber attacks, and broadly advertised the need for coverage against such attacks, nearly half of the respondents said there was a lack of awareness about the threats and the available coverage (Figure 4).

This is not an outright contradiction. People may well be aware of the threat of a cyber attack, but less aware of the availability of insurance protection against those attacks. Human nature also dictates that while people may understand the nature of a threat, they may still doubt they will become a victim of that threat.

More than a third of respondents cited a lack of standardisation in the market that made policy selection confusing. There may be some overlap here between people lacking awareness of the available coverage, and people who know there is coverage available but are confused about which policy to choose.

Confusion often leads to inaction and paralysis. It is possible that many people have thought about taking out cyber coverage, before spending many hours surveying their options, growing increasingly frustrated, and ultimately putting the whole thing to the back of their minds and hoping for the best.

It is not a great risk management strategy, and is likely to prove a costly one in the long term. But it does have the advantage of being considerably cheaper in the short term. And as any behavioural scientist will tell you, humans tend to overweight short-term priorities, at the expense of long-term ones.

Interestingly, the issues of price—and breadth of coverage—do not seem to be significant factors, according to respondents. However, even when they are priced fairly, sometimes people just do not have the budget to make a certain investment. “Budgets are strained,” noted one respondent. “It is hard for buyers to justify new spending when existing spending is ballooning.”

When it comes to cyber expertise, some companies have it, and some companies don’t, according to the respondents to the survey (Figure 5). It is not about whether a company is based in Bermuda, or based in London, or where it has offices. It is about the company itself: its culture, its strategy, the amount of investment it has made in this particular line and the human resources that particular re/insurer has at its disposal at any one time.

Some did see a pattern based on national lines. To the extent that a pattern emerged, more than three times as many people felt Bermuda lagged behind other countries, as thought it was leading the way.

This might be somewhat surprising, given the high level of optimism expressed in earlier questions about Bermuda’s prospects for leading the industry. But it could be that Bermuda is taking its time to develop the expertise that will eventually propel it to its market leading position.

One respondent argued Bermuda prefers to follow than lead when it comes to new business lines. “Bermuda prefers to stick to the historic conventional wisdom of writing liability lines,” the respondent said.

It may be that larger financial centres such as London and New York are better placed to lead the way, and that Bermuda can take the baton once the market reaches a certain level of maturity, and still emerge as a market leader.

Others argue that cyber is still a niche market, which is being pushed forward in Bermuda, but by only a small number of companies.

“Bermuda companies that are engaging with cyber are taking it seriously,” explained one respondent. “But this business is not for everyone.”