Why is there a lack of capacity in the cyber market? by Jack Elliott-Frey
At the moment, we would agree with AIG CEO Peter Hancock’s recent statement that cyber capacity is still lacking, due to the fact that there is a serious lack of concern across the majority of businesses when it comes to the threat posed by cyber.
As a broker operating across the US, Europe and beyond, we are still seeing regions where businesses are unaware of the costs they could incur should they suffer a breach, and therefore don’t even consider cyber. For businesses that store card details (which have to be PCI compliant) the average cost of a breach is around $70,000. Of the SMEs that suffer a breach and are subject to PCI regulation, 70% close within a year due to the costs they face. In spite of this, the recent UK government report on cyber security showed that less than 10% of UK companies have cyber insurance.
So there is a clear picture being painted here: businesses are unaware of the cyber threat, which leads to low demand for cyber insurance, with insurers offering generalised, inadequate policies to the small number of businesses that do request them.
As some businesses will be more attractive to cyber criminals, we are starting to see certain classes of business which have a greater need for cyber insurance than others. One is the retail industry, which can be prone to large losses due to the nature of data (PII, credit card) that they hold.
Another is the public sector and healthcare industries, both of which are prone to damaging losses if PHI and payment details are exposed. There is a lack of capacity here as insurers are less inclined to underwrite organisations with large amounts of patient data.
Education is another, as even though the type of data that universities and such hold can be less ‘sensitive’ than say, a hospital, often the security protocols and infrastructure are far less advanced, leading to insurers placing large premiums on relatively small risks.
So what is causing this insufficiency? There are a number of factors. One is a lack of security procedures, as many types of organisation (universities as mentioned above, SMEs) don’t have basic procedures or guidelines in place to prevent basic breaches occurring. Larger organisations (such as universities) often have IT systems split across departments, which makes life even trickier from a security perspective. Without such procedures, many insurers will tend either to decline the risk or to write overly large premiums to compensate for it.
Another reason is the ‘finger in the wind’ factor being followed by many insurers. With only a small number of large breaches recorded so far, many underwriters tend to follow the actions of others. As cyber insurance is still only offered by a small pool of insurers, this means that the capacity being offered is normally limited by this tentative attitude to quoting.
Finally, and this comes up time and time again, is the issue of demand. Many businesses simply don’t understand the risk and therefore won’t seek out appropriate insurance. The minority that do are finding it hard to obtain detailed cover at a reasonable price.
Around the world there are differences between regions in terms of how much cyber is being written. The US is certainly leading the way in terms of cyber capacity, as it is the most advanced in terms of regulation; and therefore the most advanced in terms of fines and penalties being dealt out.
The UK is catching up, although we have yet to see a major, UK-based company suffer from a high-profile breach, which is often what triggers a rush for insurance as we have seen in the US with Target, Sony, Anthem, JPMorgan and so on.
In Canada the demand is slowly catching up, partly due to the fact that the average size of a cyber claim is now four times what it was in 2010, and partly due to ‘duty to notify’ regulations, which mean businesses have to notify the Privacy Commissioner in the event of a breach.
Across Europe, particularly in France and Cyprus, there is little demand, although many brokers expect this to change shortly. So to summarise, it varies greatly!
As we see more breaches I would expect to see a change in the amount of cyber capacity available. As the level of awareness rises, this should in turn create more demand for this type of insurance. As the type of cyber attack changes, we will see more policy crossover, for example D&O policies including some clauses on cyber, and also standalone cyber policies including more aspects such as terrorism as the need arises.
The amount being spent on cyber in Lloyd’s is growing rapidly, from £556m in 2012 to £1.63bn in 2014, so over the next 2-5 years expect to see this number increase, taking the overall capacity (currently around £300m) with it.