Insurers may need to change their underwriting and pricingapproach to meet bullish forecasts for sales of cyber coverage, considering thespeedbumps keeping many carriers from stepping on the acceleratorand prompting the majority of potential buyers to hit thebrakes.

In theory, cyber insurance should be a product that sellsitself, given the increasing frequency and severity of high-profilehacker attacks against major organizations as well as the growingnumber of individuals coping with online identity theft. Yet inpractice many insurers are struggling to get a handle on thispromising but problematic market, while the majority of buyers arehesitating to add the coverage to their riskmanagement portfolio.

Cyber remains a relatively small niche market

Why is that? With the stage seemingly set for dramaticallyhigher demand, and in a property and casualty market starved fororganic growth, you might expect sales of cyber policies to besoaring exponentially. In reality, while growth projections arebullish — with some predicting U.S. sales to double or even tripleover the next few years — cyber insurance remains a relativelysmall niche market. The line generates somewhere between $1.5billion and $3 billion in annual U.S. premiums, according tovarying estimates by regulators and rating agencies — representingonly a tiny fraction of the more than $500 billion U.S. carrierswrite annually for all lines.

There certainly appears to be plenty of room for growth,considering that just 29 percent of US businesses had bought cyberinsurance as of October 2016, according to a "Market Watch" surveyconducted by the Council of Insurance Agentsand Brokers (CIAB). Even big organizations with potentiallyhuge cyber exposures are going bare in many cases, or at best areunderinsured.

To identify the choke points that are preventing faster, moreprofitable expansion, as well as offer recommendations on how thesehurdles might be overcome, the Deloitte Center for FinancialServices spoke with insurers and brokers for a Deloitte UniversityPress research report, "Demystifying cyber insurance coverage," whichI co-authored with Advisory Principal Adam R. Thomas of Deloitte'sCyber Risk Services practice.

What seems to be the problem?

The dearth of data to help underwrite and price cyber risks wascited by those we interviewed as the biggest challenge facinginsurers. Hard data is in short supply for a variety of reasons.One is that insurers have not been selling cyber insurance longenough or on a big enough scale to generate their own critical massof data.

There is also no comprehensive, centralized source ofinformation about cyber events for insurers to tap into, as thereare for natural catastrophes and workers' compensation lossexperience, for example. In addition, a large percentage of cyberincidents aren't even acknowledged to outsiders, as many if notmost go unreported — particularly those that have nothing to dowith a breach of personally identifiable information, such asransomware and denial of service attacks.

Related: 7 challenges insurers face in the cyber insurancemarket

We believe this lack of historical information to fuelpredictive models may be producing a "vicious circle" ofdata-related issues hindering the growth of stand-alone cybercoverage in the high-end commercial market (see graphic on nextpage). It goes like this: The lack of sufficient, relevantdata undermines insurer confidence in underwriting and pricing.That prompts many to offer relatively low limits for fairlyrestricted coverage. That discourages buyers from taking out apolicy, which limits insurer experience with the exposure. Thatlimits data availability and starts the circle all over again.

Source: Deloitte Center for FinancialServices.

Exacerbating these data challenges is the fact that cyber risk is continually evolving as threatactors keep coming up with new ways to compromise targets, whichlimits the value of historical experience and hinderspredictability. At the same time, the increasing sensor-driven,online monitoring and management of equipment, buildings, vehicles,and even people via the expanding Internet of Things is creatingnew entry points for would be hackers to exploit and for insurersto cover.

Meanwhile, cyber insurers are often concerned about biting offmore risk than they can chew, let alone swallow, if they areoverwhelmed by a sudden aggregation of losses. They fear a systemicevent that cascades across the country or around the worldfollowing an attack against a website host, cloud provider, oremail server, triggering claims by a large percentage of theirpolicyholders simultaneously.

What's making buyers hesitate?

There are factors on the buyer's side slowing the market'sgrowth as well. Perhaps the biggest issue is that consumers often don't appreciate the cyber risksthey face, nor are they typically aware of the insuranceoptions at their disposal, according to carriers and brokers weinterviewed. In this case, ignorance is definitely not bliss, as asurvey by PartnerRe and Advisen found that 42 percent of brokerscited clients "not understanding exposures" as by far the biggestobstacle keeping them from selling more cyber insurance.

Another big problem is that while stand-alone cyber coverage isbeing marketed, it doesn't necessarily cover all potentialexposures, creating a branding challenge. Indeed, cyber risks maybe dispersed over a wide range of policies — including generalliability, property, professional liability, and businessinterruption, among other standard lines. This complicates effortsby brokers and their clients to assess coverage needs, matchpolicies with exposures, and compare alternative purchaseoptions.

Another major complaint is that cyber policies are still a work in progress,lacking standardization. A study by the SANS Institute andAdvisen found that only 19 percent of brokers and 30 percent ofunderwriters said there is a common language of cyber risk. Thismakes it difficult to compare products pitched by competinginsurers, and leaves buyers worried about gaps in coverage arisingas a result — particularly if a dispute over the meaning of policyterms ends up in court, where little case law exists on cybercoverage disputes.

Insurers need to move quickly

Insurers need to move quickly to resolve these issues, if onlybecause buyers are likely to seek alternative risk-transfer optionsif the industry cannot crack the code sooner rather than later. Itmay not be long before we see the creation of cyber risk retentiongroups, policyholder-owned cyber captives, or even cyber bondssecuritizing digital exposures. These are all very realpossibilities if cyber insurance coverage continues to be perceivedby many buyers as insufficient, uncertain, overly complicated,and/or too costly for the value offered.

In my next blog, I'll examine steps the industry might considertaking to facilitate faster (and more profitable) expansion of thecyber insurance market. If you can't wait until then, read our fullreport in Deloitte University Press.

Sam J. Friedman ([email protected])is the insurance research leader at Deloitte's Center for FinancialServices in New York. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn. These opinions are his own.