Conditions seem ripe for cyber insurance sales to take off given recent high-profile breaches and as more individuals fall victim to identity theft.
In fact, a recent international survey found the threat of cyberattacks is the biggest fear for businesses. Also, identity theft has become easier and more profitable for fraudsters. According to the Javelin 2016 Identity Fraud Study, fraudsters stole the identities of 13.1 million victims in 2015 and used them to spend $15 billion in fraudulent expenditures.
So, why have insurers generally remained cautious about writing cyber coverage, and why are potential buyer still hesitant to add the coverage to their insurance portfolios?
Obstacles and potential solutions
Cyber insurance remains a work in progress when it comes to assessing the risks carriers face and providing a clear and comprehensive set of products and services to attract more buyers, according to the new Deloitte report, "Demystifying cyber insurance coverage: Clearing obstacles in a problematic but promising growth market."
The Deloitte Center for Financial Services reviewed secondary research and spoke with a variety of insurance industry players to find out what steps the industry can take to help prospective buyers to understand their cyber risks and the role insurance could play in protecting consumers.
Deloitte's research revealed a number of challenges carriers face when undertaking the sale of cyber insurance. Here are seven obstacles and potential solutions that could lead to significant growth in the cyber insurance marketplace:
The insurance industry faces a reporting bias that is hard to translate into policies. (Photo: Shutterstock)
1. Lack of sufficient cyber data to enable accurate underwriting.
Most companies aren’t required by law to disclose breaches outside of those related to consumer data, so many hacks go unreported. As a result the insurance industry faces a rampant reporting bias that is hard to translate into policies.
Solution: To overcome this, insurers can implement risk-informed models as opposed to definitive predictive models and break down data silos across the industry to better pool underwriting resources.
Insurers are wary of being overwhelmed by a large-scale cyber loss event. (Photo: Shutterstock)
2. Catastrophic accumulation of cyber exposures.
Some insurers may fear being overwhelmed by a sudden aggregation of losses, in which a third-party service that works with a wide swath of businesses gets hacked and leads to service failures for all of its users. This sort of systemic event could spell chaos for the insurance industry.
Solution: Insurers should consider implementing more rigorous underwriting policies to start minimizing aggregation risk.
Cyber exposures continuously shift and grow. (Photo: Shutterstock)
3. Continuous evolution of risks that undermine exposures' predictability.
As underlying exposures continuously shift, insurers adapt to one type of attack only to face a new threat technique. This makes risk management an ongoing predicament. Operationally, innovations in business — like IoT and autonomous vehicles — also pose new cyber-attack possibilities that need to be assessed and insured.
Solution: The key to getting past this could lie in becoming a client’s full-service cyber risk manager as well as their chief risk-transfer vehicle.
Many insurers have tunnel vision when it comes to writing cyber policies. (Photo: Shutterstock)
4. A narrow view of what constitutes cyber risk that limits the appeal of cyber insurance products.
Many insurers have tunnel vision when it comes to writing cyber policies, focusing primarily on marketing cyber products for personally identifiable data hacks and ignoring the many other cyber risks that company's face. This coverage is rapidly becoming commoditized and price-sensitive, limiting long-term insurer growth and profit potential.
Solution: To counteract this, insurers can differentiate products while raising risk awareness among buyers.
Cyber coverage is currently often written via customized policies, resulting in a lack of standarized policy terminology. (Photo: iStock)
5. Lack of standardization in defining and underwriting cyber risks.
Cyber coverage is often written via customized policies, resulting in different terminology from carrier to carrier. Concern over potential coverage gaps seems to be a major reason why many businesses that want and need cyber insurance are passing for now.
Solution: Insurers can overcome this by working together to create a standardized policy language.
Many consuners aren't even aware of the cyber risks they face. (Photo: Shutterstock)
6. Buyers often don't understand cyber risks or their insurance options.
Many consumers — and not just unsophisticated buyers running small businesses — often aren’t even aware of the cyber risks confronting them, let alone the insurance coverage options available.
Solution: The insurance industry should be more proactive in creating better-educated consumers and thereby encourage more businesses to implement risk-management programs and buy coverage. One way to accomplish this is by enhancing direct outreach efforts via marketing and advertising.
Cyber insurers can help support agents and brokers by providing risk awareness and loss control materials. These may include tip sheets, websites and podcasts, as well as referrals to cybersecurity specialists.
Cyber coverage disputes haven't yet make their way through the court system. (Photo: Shutterstock)
7. The legal and regulatory landscapes remain in flux.
Cyber coverage case law isn't yet clear. Because cyber coverage disputes haven't made their way through the court system, buyers fear having to litigate a disputed claim due to differences over which policy applies or whether policy language indicates coverage.
In addition, state regulations are often redundant or conflicting, resulting in potential exposures and coverage gaps.
Solution: ISO noted that standardization in terminology could help avoid the potential for coverage disputes along with the lengthy and costly litigation that might result. In the long run, standardization should lower the chances for potential coverage disputes that raise claims management costs for insurers, undermine consumer confidence in the certainty of their coverage and hinder efforts to increase sales.