In Boardrooms around the world cyber insurance is an important subject that is gaining in profile and importance.
In this article Daljitt Barn, Cyber Director of PwC, looks at the how the Cyber Insurance Sector has evolved over the past four years and what the next few years may bring.
For purists out there, I acknowledge that what might be termed Cyber Insurance has been around as a specialty line for some years. More recently hacking and data losses, that have been increasing globally have been a real wake up call, highlighting to many the value and importance of the Insurance needed to cover the Cyber risks business faces.
Looking back over the past four years shows that some of the world’s most prestigious organisations have felt the impact of major breaches – incidents that could compromise not only valuable digital property, but also their physical security.
This experience has shaped current cyber insurance market and will drive further evolution.
Below I have reviewed each of the past four years capturing the headline developments and offered my view on how these combine to driver further and far reaching change that will impact on us in the next two years.
2011 – Year of the breach (part 1)
During 2011 a number of high profile organisations were breached by well-known hacktivists. The market impact across the wider IT industry was immense and was indeed the kind of lightning-rod power needed to wake up the insurance market to a product that was well into its groove in the US market.
Organisations (large and small) looked primarily at the fallout from these events and used them to drive security dialogue about the types of cyber threats in an inter-connected digital world. Governments either side of the Atlantic considered strategies to protect their position.
2011 really marked the start of wider awareness on a new relationship between ‘cyber’ risks and IT insurance.
2012 – Year of the broker
Following the experiences of the preceding year and the hacking turbulence, brokers had to step up and start talking to their clients about the insurable risks. Firms created ‘Points of View’, and risk-based services for clients. Some were more agile than others and hit the ground running.
Those that took their time assessing the market and their value propositions, lost early market advantage and enabled smaller (niche) security providers to approach organisations directly to evangelise about cyber risk and gain ground, whilst credentialing them with the inner sanctum of the London cyber underwriting community.
2013 – Year of the insurer (underwriters)
In 2013 two camps seemed to emerge in the sector. The first brought their pre-existing breach products and supporting services to the forefront of UK business, whilst the second grew business from Technology Errors & Emissions policies to formulate products that outlined the residual risks of not having cyber coverage.
As insurers maneuvered for market position and broking airtime, specialist IT forensic providers and legal firms jumped onto the opportunity. By adding their brand and market expertise to an insurers lifecycle e.g. helping assess the cyber risk pre-bind, and then offering forensics and crisis support post-breach, the products (and interest) started to gain momentum.
2014 – Year of the breach (part 2)
Cyber threats continued to grow becoming more prevalent around the globe - public awareness on cyber risk issues grew too fuelled by booming media interest. We saw varying degrees of confidence within organisations on how they were managing cyber risks.
The large and increasingly frequent breaches at retail and financial organisations had two effects in the cyber insurance market. Firstly, those insurers who had suffered losses related to these breaches had started to think again from offering high limits, and some publicly stated they will no longer be offering cyber insurance in the US to retailers. Secondly, the price for premiums was on the rise for certain industry sectors where cover amounts were in excess of £25m.
In fact, premiums started to incur pre-bind risk assessments that went far further than a risk assessment questionnaire supported by a conference call.
2015 – Year of the reinsurer
It is clear that the market has been learning and now more governance is generally being adopted across the cyber insurance market.
Firms want to ensure that cyber insurers understand accumulation and systemic risks to their books whilst also adequately protecting policyholders’ cyber information. Growth of the cyber insurance market needs to be monitored carefully as writing bad risks will impact the insurer and public perception.
To offset the risk to the insurers, reinsurance of the book will become more prevalent (currently almost non-existent at lower limits). Reinsurers are also likely to provide much of the capital needed to increase capacity in the market. In fact, these reinsurers will not just reinsure the risk, but also offer the cover themselves taking advantage of a market where large global corporates are looking for insurance cover in excess of £500m.
2016 – Year of the service provider
As more organisations buy cyber insurance cover, the amount of claims will inevitably increase. Hopefully by 2016 we will start to see some sharing of loss data from the insurers so that better actuarial modelling can be used to refine pricing.
In a growing claims market, a real opportunity will emerge in the loss adjusting world, but at present I fell their knowledge of cyber risks and threats is way behind those of the insurer and broker community. As a result Service providers will look to partner with loss adjusters to offer specialist claims management and forensic claims support. If growth in the next 12-18 months is as predicted by the insurers, then by late 2016 we may start to see some governance in the service provider market akin to the general cyber incident response and CREST initiatives.
Cyber insurance breach response will have to become ratified by some form of governing body to provide a consistent service. This governance will mean standardisation, quality and a consistent approach being adopted by the industry leaving potentially 10-15 providers ‘approved’ in the UK to provide such services across UK and inevitably Europe.
2017 – Year of the regulator
The eagerly awaited EU data protection regulation will be in statute and the breach notification aspect will help drive the cyber insurance uptake.
Regulatory fines may not be insurable, but the fact that organisations have taken steps to fully understand their residual risks and transferred them to the cover, will enhance the ability to demonstrate good corporate management and governance of cyber risk.
New entrants (insurers or MGAs) to the cyber insurance market may well have to evidence substantial rigour in their underwriting models to the insurance regulator. The regulator and Lloyds (to their syndicates) will mandate annual cyber realistic disaster scenario (RDS) modelling.
Regardless of your views on cyber insurance, it is clear to insurers, organisations, governments and service providers alike that it’s here to stay, but it doesn’t mean the need for good risk management can be ignored.
Daljitt Barn is a Cyber Director at PwC, and the UK lead for cyber insurance. He has worked in the cyber insurance market for four years, and is the former chairperson of the Cyber Risk & Insurance Forum (CRIF).
The views, opinions and predictions expressed in this article are those of the author.