Cyber insurance has huge potential, but the cyber insurance market remains frustratingly immature and is not keeping pace with threats and technology. Whereas many businesses have property insurance, only about 20-35% have specific cyber insurance in the United States and Europe. The existing products do not always cover the losses most important for companies, such as the loss of their intellectual property or the reputational impact, which creates a degree of understandable scepticism about the value of the product from the company's perspective. The cost of cyber insurance can also appear expensive when compared to other classes of insurance. In some cases cyber insurance is up to six times more expensive than property insurance and three times more expensive than liability insurance, according to some sources.
There are a few barriers blocking the development of the cyber insurance market, including the nature of the risk itself, which is difficult to detect and evaluate, making it difficult to price from an underwriting perspective. There is very little actuarial data and limited knowledge on how to price in some of the other impacts from cyber incidents. Even where data is available, the potential for aggregation causes insurers to tread carefully. Unlike natural catastrophes, where billions have been spent on modelling, we do not know how to measure accumulation in cyber risk, which has no geographic boundaries. The big events that have occurred, like WannaCry or NotPetya, have resulted in only limited insurance losses, meaning these events have not contributed much to addressing this data gap. Lloyd's has done a lot of research into these issues, identifying potential scenarios - not to scare people - but because it is the prudent thing to do. Most recently, Lloyd's examined the impacts of a three-day disruption to a cloud service provider and found that it could impact 12.5 million businesses and cause USD 19 billion in losses - all from a single event. Insured losses were much less - in the range of USD 3-3.5 billion - demonstrating the huge protection gap. The difficulty in assessing aggregation risk makes it difficult for insurers to take it on. These same challenges also limit reinsurer capacity and appetite to assume these risks.
There is also confusion among clients about what coverage products actually provide. Coverage may be provided in stand-alone policies or as endorsements, or may be found in traditional policies that cover cyber risk silently. This creates a huge amount of uncertainty for the buyers of cyber insurance and challenges in working through the myriad of potential coverages. Should I buy a stand-alone policy? What will it cover?
Addressing these challenges requires greater investment in R&D to provide insurance underwriters with the knowledge and expertise needed to understand, price and reserve for cyber risk. Underwriters also have to think more about the certainty of protection provided in their policies and how to provide the coverage that companies want. More also needs to be done on the mitigation role of insurance - not just financial compensation - which will require working collaboratively, developing partnerships and leveraging the collective knowledge of all the organisations working on cyber security, including governments, regulators and national security agencies. Particular attention needs to be paid to helping small businesses that do not have access to the resources of big firms for understanding the threats that they face and for measuring their exposure.
The onus is not just on insurers to take action. Governments and public bodies such as the OECD can play an important role too, especially around data - providing greater global clarity on definitions of cyber events and identifying trusted third parties to aggregate and anonymise the data necessary for underwriting. The market will only realise this opportunity if it invests for the future and all parties work together to build better cyber resilience.