Cyber insurance hasn’t grown as rapidly as might be expected, but what is holding the market back? A study on behalf of Secure Systems Innovation Corporation (SSIC) may provide some answers. The study of the UK cyber risk insurance and broker community reveals startling findings. First and foremost, the insurance industry needs to address non-affirmative cyber in a meaningful way. Second, measurement of cyber risk in financial terms is highly deficient among insurance customers and the insurance industry itself. Finally, a series of catastrophic cyber events or a systemic cyber event will drastically alter the way in which insurers measure the risk profile of each applicant.
Key findings from the study:
‘Silent’ cyber risk is a key market growth inhibitor
More than three-quarters (77 percent) of UK cyber risk insurance brokers and insurers believed that the insurance industry needs to urgently address non-affirmative cyber or ‘silent cyber’ in a deeper, more meaningful way. Silent cyber refers to instances where cyber perils (such as service interruption or data breach) are neither explicitly included, nor explicitly excluded, by an insurance policy’s wording. There was also a recognition that this problem could not be resolved swiftly, according to 22 percent of respondents.
Lack of cyber risk understanding inhibits purchasing
Responses to a separate question on why cyber insurance is not being purchased by more companies as a means of transferring risk indicated that companies ‘not understanding policy coverage’ and ‘cyber policies were still too confusing and did not tie easily to known cyber peril categories’ were the second and third most heavily weighted responses respectively. The most significant factor holding back the market from the buyer’s perspective was firms ‘not understanding their own risk exposures,’ according to respondents.
Inadequate customer measurement of cyber risk
Results also reveal that an astonishing 89 percent of respondents either know that their customers have an inadequate method for measuring the cost of a data breach or remain unsure of their customers’ data breach measurement capability. The same percentage (89 percent) said that customers could not adequately measure the potential impact of a cyber extortion (e.g. ransomware) event.
Customer measurement capability across other cyber perils fared little better. 87 percent of insurers and brokers said customers had inadequate or unknown measurement systems for theft of intellectual property. Additionally, 83 percent of respondents felt that customers could not measure the cost of a cyberattack that interrupts service.
Only one in every seven customers (14 percent) has adequate measurement for cyber/physical (property and casualty damage due to cyber incidents) peril events. Only 10 percent of insurers indicated that customers were adequately measuring likely costs associated with a potential data breach.
Cyber perils disconnected from policy clauses
Linked to silent cyber exposure, nearly half (47 percent) of respondents admitted to having no clear connection between core cyber peril events and cyber risk insurance cover elements in their policy wording. Only 8 percent of insurers and brokers felt their policy wording now closely reflected the top five most-understood cyber peril threats.
If insurers do not map key cyber peril events to key cyber risk policy clauses, defining affirmatively what is explicitly covered or excluded, there is a real danger that vital cyber perils will not be covered.
Catastrophic or systemic events set to reshape cyber insurance market
62 percent of respondents agreed that a series of catastrophic cyber events or a systemic event (a single action that impacts claims on multiple policies within insurers’ portfolios) could drastically alter the way in which insurers measure the risk profile of cyber insurance applicants. A further 35 percent said that catastrophic claims had the potential to reset the market but that this would depend on the size of resulting claims.
Aggregated risk uncertainty hinders cyber insurance book growth
The survey also uncovered strong evidence of a lack of market understanding and pricing of aggregated risk. Six out of every 10 cyber brokers and insurers (60 percent) agreed or strongly agreed with the statement that ‘lack of understanding of aggregated risk within cyber insurance portfolios is hindering market growth.’
Board-level demand is largest purchasing driver
Specific demand for cyber cover from board-level executives is the most heavily weighted driver of new cyber insurance sales. Demands placed on boards by due diligence requirements run a close second.
These due diligence demands perhaps explain why ‘the board as a whole’ is regarded as the most significant decision-making group for new cyber cover (for 42 percent of all respondents).
Risk remediation versus risk transfer poorly understood
With cyber risk, there are only three practical choices: remediate, transfer, or accept cyber risk. This assumes that each organization has the ability to measure cyber risk and draw a delineation between risk remediation and risk transfer.
Nearly three-quarters (73 percent) of respondents believe that most organizations do not understand the delineation between risk remediation and risk transfer as a mechanism to buy cyber insurance. This implies that most organizations are using intuition to determine the type and limit of their cyber coverage.
Outside-in cyber risk assessments not good enough
Only a tiny minority of brokers and insurers (2.6 percent in this survey) believe that information gleaned from a short questionnaire or Internet-based tool is an effective way to measure an applicant’s risk profile. However, the use of ‘outside-in’ Internet-based tools and short questionnaires continues to dominate. Remarkably, only five percent routinely commission a risk assessment from a third-party cybersecurity vendor to better understand their applicant’s risk profile. This must change if carriers are to manage cyber book risks adequately.
Brokers to carry largest share of market education
More than nine out of every 10 insurers and brokers (94 percent) saw a significant need to educate the buyer during the pre-sales process to expand sales opportunity and avoid misalignment of cyber insurance policy to customer needs, with 65 percent of respondents putting the onus on brokers to educate the market. Only a tenth (11 percent) felt an independent third-party body or regulator (sponsored by the industry) ought to take the lead. A further 11 percent felt underwriters ought to be responsible for this market education work.
About the survey
A total of 78 broker and insurer firms responded to the 13-question online survey circulated to Insurance Post and Insurance Age readers by these titles’ publishing group InfoProDigital during a two-week period from March 9th to 23rd 2018. Respondents included: brokers (54 percent), insurers (41 percent), underwriters (4 percent), and re-insurers (1 percent).