istock-184643728_joesboy / Joesboy
12 July 2018News

Cyber: still small for its age

Cyber attacks increased in frequency and severity in 2017 with the WannaCry and NotPetya ransomware attacks and the Equifax data breach affecting millions of people and businesses. The NotPetya attack in particular highlights the growing business interruption exposure associated with cyber risks.

In addition, Yahoo! tripled its 2013 data breach estimates in October 2017 to include all three billion of its accounts, potentially making this the most extensive cyber breach on record.

These events highlight the vital need for cyber insurance, but the market is bifurcated. Some national accounts and Fortune 500 companies are partnering with insurers and brokers as a way to counter cyber risks. Financial institutions and healthcare companies are acutely aware of their cyber exposures and are increasing coverage.

Average policy limits are rising, with some of the largest companies’ coverage towers above the $500 million mark, but the take-up rate for small to medium-sized enterprises (SMEs) remains in the low teens, presenting an area where insurers would like to see growth.

In 2017, cyber packaged policies in force increased 28 percent, some of which was due to the addition of affirmative cyber coverage to packaged policies. This increase is significant, but does very little to close the protection gap. Interest from SMEs does seem to be gaining traction gradually, and capacity from insurers is ample.

Despite the inherent challenges in managing aggregations and pricing, AM Best believes the cyber insurance market presents a positive opportunity for insurers. Demand is expected to grow due
to the accelerating adoption of technology and the increasing awareness of cyber risks.

Given the abundant supply of capital and the cautious growth strategies of insurers, we expect the P/C industry’s overall cyber risk exposure to be lower than its exposure to more mature risks. However, this not does not preclude the possibility of individual insurers becoming outliers to systemic cyber events due to unexpected loss creep from silent cyber events. Cyber risk still has many unknowns and will continue to evolve rapidly.

As insurers expand their cyber offerings, they will need to be prudent in establishing underwriting standards and limits, and exercise appropriate risk management and mitigation measures to remain aligned with the relevant company’s risk tolerances and appetites. The extent to which an insurer grows its cyber business should correlate to a company’s ability to aggregate, monitor, and manage its exposure in various scenarios. Data quality is a key factor when insurers provide information to regulators, other stakeholders, and their AM Best analytical team.

Plenty of room for growth

Cybersecurity insurance experienced significant growth in 2017. Total cyber direct premiums written grew almost 32 percent, and policies in force, 24 percent. Overall, cyber insurance take-up remains low, as SMEs remain complacent about these risks, under two assumptions: that hackers target only bigger businesses or that they already have coverage under another policy when they might not.

Pricing is another factor, as more business owners see the cost benefits and also realise their vulnerabilities due to their interconnectivity with vendors, suppliers, and customers. A data breach is only one factor in cyber risk, however—many SMEs may be underestimating business interruption risks, and the impact on smaller enterprises of business interruption could be much greater, as they may not be as resilient or diverse as national account clients.

The Council of Insurance Agents & Brokers’ (CIAB) Fall 2017 Cyber Survey placed the cyber insurance take-up rate at just 31 percent. AM Best viewed the 2016 increase in standalone policies as positive, noting not only the expected cost and expense reductions in litigating disputed claims, but also the more specific and defined policy language focused on the prevalent types of attacks.

In recent years, companies have added cyber endorsements to their commercial package policy (CPP) and business owner’s policy (BOP) offerings, with standardised forms more widely available. This led packaged cyber policies to increase from 1.9 million in 2016 to 2.5 million in 2017, with a little over half of these policies featuring occurrence coverage triggers.

Some of the growth can be attributed to companies reclassifying policies for financial reporting purposes, and companies adding affirmative cyber coverage to policies, so the actual increase in policies may be overstated.

In contrast, standalone policies declined 32 percent, with most of these likely being businesses migrating to less expensive packaged policies. We should also note here that the US National Association of Insurance Commissioners (NAIC) cyber supplement is relatively new and insurers may be using their own interpretations. We believe that the quality of reporting will improve as insurers get more clarity over time.

The total number of cyber claims increased in 2017 to 9,017, from 5,955. The number of claims from packaged policies constituted 56.3 percent of the total, and those from standalone policies, 43.7 percent. According to 2017 supplement data, the average closed claim with payment, including defence and cost containment (DCC), was $188,525 for standalone policies, with 28.4 percent of closed claims resulting in a payment.

Pricing: art rather than science

The cyber insurance market has an interesting dynamic: insurers appear willing and able to offer capacity but are reluctant for cyber to constitute a significant portion of their portfolio. National account buyers with a sophisticated view of risk management needs are driving demand, but insurers seem more interested in tapping into the SME market, to increase their exposure. Smaller businesses have fewer claims, which is driving more competitive pricing for the SME market.

A lack of historical experience and tested cyber exposure models continue to add to the uncertainty of underwriting cyber. Pricing sophistication varies significantly by insurer. Many insurers use simplistic pricing based on expected losses, while a few insurers have invested in sophisticated algorithms that incorporate, among other factors, asset value, industry type, and even security controls and practices.

According to PwC’s Global Cyber Insurance Survey, setting parameters for potential maximum loss and staying abreast of new systemic threats are the two largest challenges to measuring cyber accumulation. PwC also reported that contingent business interruption (CBI) is particularly challenging to underwrite, even as demand from insureds for this coverage has grown after last year’s cyber attacks. Although a black swan cyber event with a widespread accumulation of large losses could threaten insurers’ solvency at some time in the future, cyber exposure relative to surplus is still limited—for now.

Although a systemic event remains the top threat for cyber insurers, underpricing from new market entrants should also remain a concern. Companies can reduce their pricing and reserving risks by offering claims-made policies for third-party claims, and we have seen a shift over the past few years away from occurrence policies for standalone coverage.

The majority of packaged policies still have occurrence claims triggers, but these policies tend to have limited coverage. Insurers are also diminishing their exposure to first-party claims, by incorporating a statute of limitations in policies.

Reinsurance remains another option for insurers to lower cyber exposure, with treaty reinsurance for cyber being much more widely available than facultative. Capacity for treaty, specifically quota shares, is plentiful; however, most agreements include a loss ratio or event cap. Facultative reinsurance agreements may be an expensive and less preferred option.

The path forward

A lot of cyber risk is still embedded, but standalone cyber premium will continue to grow, as companies add exclusions to other policies and coverage for cyber policies broadens. Growth areas such as business interruption and CBI are also subject to greater exposures to systemic risk that need to be carefully managed.

Pricing tends to be driven by supply and demand dynamics and judgment, and although insurers follow systematic questionnaires and checklists, we expect pricing methodologies to evolve as insurers develop more experience. Companies continue to improve their underwriting processes, to be able to write cyber policies in real time.

Although insurers are gathering data for their pricing models, technology and exposures change continuously, which means that these models will never be as precise as those used for property. Market forces will continue to be the predominant factor for pricing, with models playing more of a supplementary role.

This article is an excerpt from an AM Best special report “Cyber Insurance Market Sees Steady Growth but Still Awaiting a Real Growth Spurt.”

More on this story

16 April 2018   A new AM Best special report claims that insurers soon will need to consider the potential termination of the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA) at year-end 2020, and prepare their risk management practices.
2 November 2017   Identifying future moves in the market for a place such as Bermuda is always an interesting process. Bermuda:Re+ILS eyes the current trends.

More on this story

16 April 2018   A new AM Best special report claims that insurers soon will need to consider the potential termination of the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA) at year-end 2020, and prepare their risk management practices.
2 November 2017   Identifying future moves in the market for a place such as Bermuda is always an interesting process. Bermuda:Re+ILS eyes the current trends.