Half of the market still lacks cyber coverage, but the threat is "clearly and firmly at the top of corporate risk agendas"
Friday, October 25, 2019
By Ted Knutson
If insurance has a place in risk mitigation strategy, then it should naturally extend into cyber risk management. But, to many, cyber insurance remains a puzzlement. A bare majority - 51% - of businesses surveyed for Travelers Companies' 2019 Travelers Risk Index had purchased cyber insurance.
That number, however, jumped 12 percentage points in a year, presumably good news for the insurers purveying policies as well as the clients seeking protection.
The sizable uninsured population is “still alarming,” Travelers enterprise cyber lead Tim Francis said when announcing the results of the survey of 1,200 business executives at the end of September.
“One cyber attack can put a company out of business,” he added. “Taking the threat seriously and implementing a risk management program that addresses possible exposures can help a company not only avoid an attack, but also recover from one as quickly as possible.”
The trendline is similar in a global cyber risk perception survey by Marsh, conducted in partnership with Microsoft. The percentage of organizations with cyber insurance rose over a two-year span, to 47% from 34%, and uncertainty over whether available cyber insurance could meet their firms' needs fell to 31%, from 44%.
“Cyber risk is now clearly and firmly at the top of corporate risk agendas,” according to Marsh, with 79% ranking it among their top five risk concerns, yet there was declining confidence in their ability to manage the risk. Eyeing third-party risks stemming from increasingly digitized and interconnected supply chains, survey respondents tended to believe that their own organizations pose less of a cybersecurity threat than do their partners and vendors.
“If you don't have cyber insurance and you have a breach, the costs associated could very well put your company out of business,” said CNA Financial Corp. underwriting director and cyber industry leader Brian Robb. “Cyber insurance is a critical part of cyber risk management.”
Moving to close the insurance gap for small and midsize users of cloud computing networks, CNA recently announced a partnership with OPAQ that couples “OPAQ's market-leading security-as-a-service offering [with] CNA's suite of cyber liability insurance products and risk control resources,” Robb said.
“Still Somewhat Immature”
Despite widespread agreement in executive suites and boardrooms about the magnitude and urgency of cyber threats, insurance remains a work in progress. It is analytically challenging, and there is no single, standard framework for quantifying the risks.
While cyber coverage is becoming more common, “the industry is still somewhat immature compared to other forms of insurance,” Paul Rohmeyer and Jennifer L. Bayuk write in Financial Cybersecurity Risk Management, a publication in the Stevens Institute of Technology Quantitative Finance Series. “There is real concern among potential cyber insurance customers that risk profiles upon which cyber insurance is based are not well-understood.”
The authors, respectively a member of the Stevens business faculty and an adjunct professor, both with considerable corporate IT and Wall Street experience, point to the relative lack of maturity of cyber insurance, the fact that products are constantly evolving, and “uncertainty on effective methods for pricing cyber policies.”
They note that some standard categories of coverage have emerged, with caps on maximum payouts. They say that pricing and modeling shortcomings can be overcome with “towers,” or “buying a variety of coverage types that broadens the scope of coverage while spreading the risk across multiple carriers.”
Combining “well-written service level agreements and the purchase of multiple cyber insurance policies could be effective in providing substantial risk transfer benefits,” Rohmeyer and Bayuk assert.
Better Modeling Capabilities
In yet another assessment of the still-evolving state of cyber insurance, the Institute of International Finance has produced an update to a 2017 report, placing the market size at $2 billion to $4 billion in annual premiums globally. IIF cited estimates of cyber event losses in the financial sector ranging between $38 billion and $100 billion per year, and those for the global economy as a whole (rather than just the financial sector) between $110 billion and $575 billion per year.
“Sub-optimal quality of cyber loss data” has been a challenge to “underwriting, pricing and risk transfer decisions, loss monitoring, and the analysis of concentration and accumulation risks . . .
“Deloitte analysis suggests that insurers are cautious to write cyber risk because of challenges around modeling a moving target, as new threat actors and types of attacks keep emerging,” the institute report said. “However, firms report that modeling capabilities have improved considerably over the last three to four years and are becoming increasingly aligned across the major providers of cyber risk insurance.”
It added that cyber events can trigger multiple insurance claims, such as for business interruption, data-confidentiality breaches, data theft or loss, data recovery, malware, ransomware and extortion.
“Traditionally, physical asset damage related to cyber events was not included in stand-alone policies,” IIF pointed out, “but this is increasingly covered in newer policies, as a result of offerings that were first introduced in 2013 by a Lloyd's syndicate. Stand-alone policies are closing some of the cyber coverage gaps in traditional property and casualty policy coverage.”
Amid the indications of maturity and improvement, IIF stresses in-house fundamentals: “While prevention and post-breach services are helpful additions to cyber risk insurance offerings, they are a complement to, and should not be viewed as a substitute for, policyholders' robust cyber risk management.”
Marsh said cybersecurity spending is expected to reach $124 billion globally next year, compared to $8 billion for insurance to mitigate the problem.
Rather than be seen as primarily a technology issue, cyber risk should be considered “a critical business risk that merits a strategic enterprise risk management approach,” said the Marsh report. Tech and risk transfer should be part of an investment strategy reflecting an organization's unique risk profile and appetite. The common emphasis on cybersecurity spending and technology over other measures “reveals that many organizations have not yet embraced this truth,” said the study.
“The question of who leads cyber risk management is just one area in which there is dissonance between an organization's perceptions and actions,” it added. “Despite the high level of strategic concern organizations say they have for cyber risks, not all internal 'risk governors' give the issue the attention it deserves.”
Only 17% in the survey said they spent more than a few days over the past year focusing on the matter.
Cyber risk assessments for insurance purposes can involve on-site visits by insurers who interview chief information officers to understand the exposures and controls in place, said Travelers cyber risk management vice president Eddie Chang.
Alternative Products and Insuretech
The Institute of International Finance said that an alternative risk transfer market, utilizing cyber risk bonds or insurance-linked securities, “has not covered these risks, but this could be a potential future development. Investor interest in cyber risk is said to be low given limited understanding of the risk and interest in time-limited exposure.”
IIF also listed a number of insuretech innovations “that are helping insurers and their clients more accurately assess their cyber exposures.” Among them: Algorithmically derived security ratings and benchmarks from BitSight and SecurityScorecard; probabilistic cyber models from Risk Management Solutions and AIR Worldwide; modeling and benchmarking tools from CyberCube; technical- and behavior-based loss estimation models on Guidewire's Cyence Risk Analytics platform; and Corax, “a cyber risk modeling and prediction platform that leverages proprietary data on the cyber resilience of several million companies to provide insurers with benchmarking, predictions and probabilistic expected loss estimates.”
“In addition to the services offered to insurers,” IIF said, “various risk services are offered directly to policyholders by insuretech firms. For example, Aida, provided by Socure, is a patented identity verification bot which continuously sources live digital data, using machine learning to create a holistic customer identity model.
“Cyber Risk Global Exchange offers policyholders the ability to develop an inventory of third-party vendors, enabling them to more accurately assess the risks presented through their portfolio of business relationships.”
GARP editor-in-chief Jeffrey Kutler contributed to this article.