Insurers may need to change their underwriting and pricing approach to meet bullish forecasts for sales of cyber coverage, considering the speedbumps keeping many carriers from stepping on the accelerator and prompting the majority of potential buyers to hit the brakes.
In theory, cyber insurance should be a product that sells itself, given the increasing frequency and severity of high-profile hacker attacks against major organizations as well as the growing number of individuals coping with online identity theft. Yet in practice many insurers are struggling to get a handle on this promising but problematic market, while the majority of buyers are hesitating to add the coverage to their risk management portfolio.
Cyber remains a relatively small niche market
Why is that? With the stage seemingly set for dramatically higher demand, and in a property and casualty market starved for organic growth, you might expect sales of cyber policies to be soaring exponentially. In reality, while growth projections are bullish — with some predicting U.S. sales to double or even triple over the next few years — cyber insurance remains a relatively small niche market. The line generates somewhere between $1.5 billion and $3 billion in annual U.S. premiums, according to varying estimates by regulators and rating agencies — representing only a tiny fraction of the more than $500 billion U.S. carriers write annually for all lines.
There certainly appears to be plenty of room for growth, considering that just 29 percent of US businesses had bought cyber insurance as of October 2016, according to a “Market Watch” survey conducted by the Council of Insurance Agents and Brokers (CIAB). Even big organizations with potentially huge cyber exposures are going bare in many cases, or at best are underinsured.
To identify the choke points that are preventing faster, more profitable expansion, as well as offer recommendations on how these hurdles might be overcome, the Deloitte Center for Financial Services spoke with insurers and brokers for a Deloitte University Press research report, “Demystifying cyber insurance coverage,” which I co-authored with Advisory Principal Adam R. Thomas of Deloitte’s Cyber Risk Services practice.
What seems to be the problem?
The dearth of data to help underwrite and price cyber risks was cited by those we interviewed as the biggest challenge facing insurers. Hard data is in short supply for a variety of reasons. One is that insurers have not been selling cyber insurance long enough or on a big enough scale to generate their own critical mass of data.
There is also no comprehensive, centralized source of information about cyber events for insurers to tap into, as there are for natural catastrophes and workers’ compensation loss experience, for example. In addition, a large percentage of cyber incidents aren’t even acknowledged to outsiders, as many if not most go unreported — particularly those that have nothing to do with a breach of personally identifiable information, such as ransomware and denial of service attacks.
We believe this lack of historical information to fuel predictive models may be producing a “vicious circle” of data-related issues hindering the growth of stand-alone cyber coverage in the high-end commercial market (see graphic on next page). It goes like this: The lack of sufficient, relevant data undermines insurer confidence in underwriting and pricing. That prompts many to offer relatively low limits for fairly restricted coverage. That discourages buyers from taking out a policy, which limits insurer experience with the exposure. That limits data availability and starts the circle all over again.
Exacerbating these data challenges is the fact that cyber risk is continually evolving as threat actors keep coming up with new ways to compromise targets, which limits the value of historical experience and hinders predictability. At the same time, the increasing sensor-driven, online monitoring and management of equipment, buildings, vehicles, and even people via the expanding Internet of Things is creating new entry points for would be hackers to exploit and for insurers to cover.
Meanwhile, cyber insurers are often concerned about biting off more risk than they can chew, let alone swallow, if they are overwhelmed by a sudden aggregation of losses. They fear a systemic event that cascades across the country or around the world following an attack against a website host, cloud provider, or email server, triggering claims by a large percentage of their policyholders simultaneously.
What’s making buyers hesitate?
There are factors on the buyer’s side slowing the market’s growth as well. Perhaps the biggest issue is that consumers often don’t appreciate the cyber risks they face, nor are they typically aware of the insurance options at their disposal, according to carriers and brokers we interviewed. In this case, ignorance is definitely not bliss, as a survey by PartnerRe and Advisen found that 42 percent of brokers cited clients “not understanding exposures” as by far the biggest obstacle keeping them from selling more cyber insurance.
Another big problem is that while stand-alone cyber coverage is being marketed, it doesn’t necessarily cover all potential exposures, creating a branding challenge. Indeed, cyber risks may be dispersed over a wide range of policies — including general liability, property, professional liability, and business interruption, among other standard lines. This complicates efforts by brokers and their clients to assess coverage needs, match policies with exposures, and compare alternative purchase options.
Another major complaint is that cyber policies are still a work in progress, lacking standardization. A study by the SANS Institute and Advisen found that only 19 percent of brokers and 30 percent of underwriters said there is a common language of cyber risk. This makes it difficult to compare products pitched by competing insurers, and leaves buyers worried about gaps in coverage arising as a result — particularly if a dispute over the meaning of policy terms ends up in court, where little case law exists on cyber coverage disputes.
Insurers need to move quickly
Insurers need to move quickly to resolve these issues, if only because buyers are likely to seek alternative risk-transfer options if the industry cannot crack the code sooner rather than later. It may not be long before we see the creation of cyber risk retention groups, policyholder-owned cyber captives, or even cyber bonds securitizing digital exposures. These are all very real possibilities if cyber insurance coverage continues to be perceived by many buyers as insufficient, uncertain, overly complicated, and/or too costly for the value offered.
In my next blog, I’ll examine steps the industry might consider taking to facilitate faster (and more profitable) expansion of the cyber insurance market. If you can’t wait until then, read our full report in Deloitte University Press.
Sam J. Friedman (firstname.lastname@example.org) is the insurance research leader at Deloitte’s Center for Financial Services in New York. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn. These opinions are his own.