Cyber insurance: Why is the market still largely untapped?

03/12/2015 09:09

Cyber-insurance policies have been around for almost two decades, evolving from the very first third-party policy written by AIG’s Steve Haase in 1997, to a more customized and robust first-party market today. However, the market is still largely untapped. According to ABI Research, the global cyber-insurance market will hit $10 billion by 2020, up four-fold compared to 2014. What factors have blocked the development of the cyber insurance market so far? A number of reasons can be derived from both the supply and demand sides.

Insurers: Vague pricing and a changing regulatory environment

One major concern insurers face is the absence of actuarial data for cyber-risk assessment. Actuarial analysis is an essential task insurance companies perform to determine premiums and evaluate the amount of claims to pay out. When it comes to cyberattacks, victims tend not to share relevant information in order to protect their reputation and to avoid further attacks. As a result, there is not enough reliable actuarial data on which to base premiums and coverage.

Another concern stems from the evaluation of actual damage. A cyber incident’s costs may include both tangible and intangible losses to a firm. Intangible losses – such as reputational damage, business disruption and lost business – all have to be quantified to pay just compensation, but it is very difficult for underwriters and businesses to evaluate their monetary value. Some of the damage might take months to emerge, and, as situations vary from company to company, it is difficult – if not impossible – to create a standard evaluation process.

Meanwhile, due to the growing number of cyberattacks, cyber-insurance premiums are rising quickly. According to a report released by Marsh Global Analytics, “the increased loss activity prompted pricing challenges for some insureds, particularly retailers, where renewal rates rose on average 5 percent and as much as 10 percent for some clients.” On the bright side, price hikes indicate an increasing awareness among insureds. On the other hand, high pricing could turn potential customers away, especially high-risk companies with steeper adoption costs.

In addition, insurers are subject to regulation by multiple agencies (including the SEC, FINRA, NFA, and FTC), requiring insurers to spend resources to navigate the regulatory landscape and stay up to date.

Insureds: Lack of awareness and the challenge of risk management

Reasons why the cyber-insurance industry has been slow to develop can also be found on the demand side of the market. First, both insured and uninsured firms still do not have a good understanding of their own cyber risks. Executives often underestimate the threat of a cyberattack, or assume these risks are already covered by regular liability insurance. The problem is particularly severe among small and medium-sized businesses (SMBs). Today, only 2 percent of SMBs have a cyber-insurance policy. Compared to large companies, SMBs own fewer information resources and are less able to detect cyber risks.

Second, it is challenging to align appropriate insurance coverage with risk exposure. Suppose a company has been influenced by a growing number of cyberattacks in its industry and finally decides to take out a cyber-insurance policy. How would they know what kind of coverage they should get? There are hundreds of policies available, but it can be difficult to identify the most suitable one. Solutions could include an enhancement of professional groups within the company or hiring third-party agencies to tackle the assessment problem. Both options will generate extra operating costs, which might drive down demand.

What does the future look like?

Given today’s threat landscape, it is very likely that the industry will keep developing and ultimately form a mature market. In order to get there, however, we will need to focus on increasing the reliability of actuarial data, developing more accurate risk-assessment and pricing tools, and educating both businesses and individuals about the importance of awareness.