Cyber insurance is a potentially huge but still largely untapped opportunity for insurers and reinsurers.

It is estimated that annual gross written premiums will increase from around $2.5 billion today to $7.5 billion by the end of the decade. Accordingly, many insurers and reinsurers are looking to take advantage of what they see as a rare opportunity to secure high margins in an otherwise soft market.

However, wariness of cyber risk is widespread.

Many insurers don't want to cover it at all. Others have set limits below the levels their clients seek, and have imposed restrictive exclusions and conditions — such as state-of-the-art data encryption or 100 percent updated security patch clauses — which are difficult for any business to maintain.

Given the high cost of coverage, the limits imposed, the tight attaching terms and conditions, and the restrictions on claims, many companies question if their cyber insurance policies provide real value.

Insurers are relying on tight policy terms and conditions and conservative pricing strategies to limit their cyber risk exposures. But how sustainable is this approach as clients start to question the value of their policies and concerns widen about the level and concentration of cyber risk exposures?

The risk-pricing challenge

The biggest challenge for insurers is that cyber isn't like other risks. There is limited publicly available data on the scale and financial impact of attacks, and threats are very rapidly changing and proliferating. Moreover, the fact that cybersecurity breaches can remain undetected for several months — even years — creates the possibility of accumulated and compounded future losses.

While underwriters can estimate the cost of system remediation with reasonable certainty, there isn't enough historical data to gauge further losses resulting from brand impairment or to customers, suppliers and other stakeholders. Many insurers also face considerable cyber exposures within their technology, errors and omissions, general liability and other existing business lines. As a result, there are growing concerns about both the concentrations of cyber risk and the ability of less experienced insurers to withstand what could become a rapid sequence of high loss events.

So, how can cyber insurance be a more sustainable venture that offers real protection for clients, while safeguarding insurers and reinsurers against damaging losses? Here are eight ways insurers, reinsurers and brokers could put cyber insurance on a more sustainable footing and take advantage of the opportunities for profitable growth.

1. Clarify risk appetite

Despite the absence of robust actuarial data, it may be possible to develop a reasonably clear picture of total maximum loss and match it against risk appetite and tolerances. Key inputs include worst-case scenario analysis, which can help insurers judge which industries to focus on, when to curtail underwriting and where there may be room for further coverage. Moreover, even if an insurer offers no standalone cyber coverage, it should gauge the exposures that exist within its wider property, business interruption, general liability, and errors and omissions coverage.

2. Gain broader perspectives

Bringing in people from technology companies and intelligence agencies can lead to more effective threat and client vulnerability assessments. The resulting risk evaluation, screening and pricing process could be a partnership between existing actuaries and underwriters who focus on compensation and other third-party liabilities, and technology experts who concentrate on data and systems. This is similar to the partnership between chief risk officer and chief information officer teams that many companies are developing to combat cyber threats.

3. Create tailored, risk-specific conditions

Many insurers currently impose blanket terms and conditions. A more effective approach would be to make coverage conditional on a fuller and more frequent assessment of the policyholder's vulnerabilities and agreement to follow advised steps. This could include an audit of processes, responsibilities and governance within a client's business. Another possible component is exercises that mimic attacks to test both weaknesses and plans for response. As a result, coverage could specify the implementation of appropriate prevention and detection technologies and procedures.

4. Share data more effectively

More effective data sharing is the key to greater pricing accuracy. For reputational reasons, many companies are wary of admitting breaches, and insurers have been reluctant to share data because of concerns over loss of competitive advantage. However, data breach notification legislation in the United States — which is now set to be replicated in the European Union — could help increase available data volumes. Some governments and regulators have also launched data sharing initiatives. In addition, data pooling on operational risk, through Oric International, provides a precedent for more industry-wide sharing.

5. Develop real-time policy updates

Annual renewals and 18-month product development cycles will need to give way to real-time analysis and rolling policy updates. This dynamic approach could be likened to the updates on security software or the approach taken by credit insurers to dynamically manage limits and exposures.

6. Consider hybrid risk transfer

Although the cyber reinsurance market is relatively undeveloped, a better understanding of evolving threats and maximum loss scenarios could encourage more reinsurers to enter the market. Risk transfer structures likely would include traditional excess of loss reinsurance in the lower layers, and the development of capital market structures for peak losses. Possible options might include indemnity or industry loss warranty structures, and/or some form of contingent capital.

7. Improve risk facilitation

Considering the complexity and uncertainty surrounding cyber risk, there is a growing need for coordinated risk management solutions that bring together a range of stakeholders, including corporations, insurance/reinsurance companies, capital markets and policymakers. Some form of risk facilitator — possibly brokers — will need to bring together all parties and lead the development of effective solutions, including the cyber insurance standards that many governments are keen to introduce.

8. Enhance credibility with in-house safeguards

If an insurer can't protect itself, then why should policyholders trust it to protect them? If the sensitive policyholder information that an insurer holds is compromised, then it likely would lead to a loss of customer trust that would be extremely difficult to restore. The development of effective in-house safeguards is essential in sustaining credibility in the cyber risk market, and trust in the enterprise as a whole.

Evaluating and addressing cyber risk is an enterprise-wide matter — not just one for IT and compliance. Cyber coverage that is viable for both insurers and insureds will require more rigorous and relevant risk evaluation informed by more reliable data and more effective scenario analysis. Partnerships with technology companies, cyber specialist firms and government are a great place to start as potential ways to augment and refine this information.
