Cyber risk is a lot like the common cold. There is no vaccine or cure because viruses — real and technological — keep mutating.

No one is immune, and once infected, usually the best you can do is take steps to limit the pain and duration of an event, and get back on your feet as quickly as possible.

The difficulty in resisting highly adaptable computer bugs is one of the biggest problems facing insurers looking to write cyber coverage for a wide range of property, liability, and business interruption risks. Demand is likely to rise exponentially over the next few years as more organizations become aware of their exposure, and as our economy is increasingly connected online, providing new entry points for hackers to exploit. The question is whether the insurance industry will be able to fully capitalize on this opportunity as insurers struggle to assess an ever-evolving risk.

In my blog last month, I shared the results of a new research paper from the Deloitte Center for Financial Services examining why insurers are having such a hard time cracking the code on cyber risks. We found expansion of this very promising yet problematic growth market hindered by a variety of factors, including the unreliability of the traditional rear-view mirror approach to underwriting and pricing. This month, as promised, we examine steps the industry might consider taking to overcome such obstacles and facilitate faster (and more profitable) expansion of the cyber insurance market.

Step 1: Focus on an applicant's cyber risk management capabilities:

Rather than trying to create a definitive predictive model that could be quickly rendered obsolete in a shifting threat landscape, insurers could underwrite and price policies based on an applicant's risk management maturity in running a secure (prevention), vigilant (detection), and resilient (loss control and recovery) cyber operation. Insurers have a keen advantage here, in that they could draw upon firsthand cybersecurity experience in protecting their own data-rich systems to help them assess the loss-control programs of prospective clients.

Step 2: Target select industries, types of attacks, and/or specific technologies:

Insurers might also offset their data disadvantages somewhat by adopting a segmentation approach. This would narrow the scope of cyber expertise required of underwriters by targeting specific industries or niches within them. Alternatively, insurers could become specialists in a certain type of exposure (such as data breaches versus denial-of-service attacks) or area of technology (such as IoT versus domain name servers), rather than write generic cyber policies across the risk spectrum, so as to have a better handle on the exposures being assessed.

Step 3: Become a policyholder's source of holistic cyber risk management expertise:

Insurers could differentiate policies beyond their price, terms, and coverage limits to emphasize associated risk management service offerings. This would entail creating holistic programs that span a buyer's cyber risk lifecycle to complement traditional insurance provisions, from loss prevention, to post-event response, to recovery support. Becoming a policyholder's full-service cyber risk manager as well as their chief risk-transfer vehicle could be advantageous for both buyers (by helping prevent potentially crippling and reputation-damaging incidents from happening in the first place) and insurers (by lowering loss frequency and severity, while increasing the likelihood of retention).

There are a number of additional steps insurers could take to bolster the attractiveness and profitability of cyber insurance, as outlined in our full report, "Demystifying cyber insurance coverage," which I co-authored with my colleague, Adam Thomas, a principal in Deloitte's Cyber Risk Services practice.

Whatever cyber insurers do, they should do it quickly, before their role is usurped by alternative risk-transfer vehicles such as risk retention groups, self-insured captives, and/or securitization via cyber bonds. These are all very real, even likely possibilities, especially if cyber insurance coverage continues to be perceived by many buyers as insufficient, uncertain, overly complicated, and/or too costly for the benefits offered.

Sam J. Friedman (samfriedman@deloitte.com) is insurance research leader with Deloitte's Center for Financial Services in New York. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn. These opinions are his own.
