While property and casualty (P&C) insurers are at risk of cyberattacks themselves, they are also in the unique position of providing other companies insurance coverage for attacks.
However, not all cyber coverage takes the form of cyber insurance, some cyber coverage is “silently” embedded in commercial property and liability policies because of ambiguous wording or because it is not excluded from those policies.
According to a recent report by rating agency Moody’s, accurate assessment and management of cyber exposure is a top priority for P&C insurers, especially since commercial property policy limits are often multiples of limits provided for cyber-only coverage. Moody’s continues to view cyber insurance as a highrisk product, but insurers have generally taken a measured approach with the support of Reinsurance.
Here is why Cyber insurance offers property and casualty insurers’ growth opportunity:
Small but profitable insurers
Cyber insurance, although still a small market, has grown quickly in the past four years. It is a highly profitable business for those insurers that continue to invest in underwriting, modelling and analytics. Growth prospects for cyber insurance are promising given the changing nature of the risk, the pervasiveness of technology, the value of insurance as a risk management tool, and expanding regulation, all of which are driving demand for coverage.
There has been an increasing claim, of data breaches, denial-of-service attacks and the financial demands of ransomware attacks which have increased the demand for cyber insurance in a number of industries. However, a lot of these attacks have not been reported publicly. According to a nonprofit organization, Identity Theft Resource Center (ITRC), the number of breaches in 2018 reported publicly declined by 23 percent to 1,244, the total number of personal records exposed by cybersecurity breaches rose by 126 percent to 446.5 million, with the Marriott International breach in 2018 having the largest number of records exposed.
Moody’s says that cyberattack remediation can be costly, resulting in business interruption and reputational damage, and can lead to litigation by shareholders and other injured parties. Also, costs remain overwhelmingly concentrated in advanced economies. In its 2019 Cost of Cybercrime Study, the Ponemon Institute, sponsored by Accenture Security, said that for US companies participating in its research, the average cost of cybercrime was about $27 million in 2018 – the highest total average cost of the 11 countries in the study. This is up 29 percent from $21 million in 2017.
Currently, the largest institutions with the most formalized governance structures are the dominant buyers of cyber insurance protection. They have also increased the limits of protection they purchase, with program limits of $25-$100 million, compared to $10-$15 million which was the norm a few years ago. Firms can purchase as much as $750 million in limits, with insurance brokers continuing to build higher-limit cyber insurance programs.
Assessing aggregate insured cyber exposure is complicated
According to P&C insurers provide cyber insurance coverage to other companies for cyberattacks while also risking such attacks themselves. following the 2017 NotPetya malware attack against Ukraine that caused severe damage to corporations across the globe and involved dozens of insurers and reinsurers, accurately assessing and managing cyber exposure is a top priority for P&C companies.
A number of complex claim and coverage issues in the past several years have led to significant uncertainty in the marketplace for both insureds and insurers, such as whether cyber insurance responds to physical damage claims for property, including business interruption and contingent business interruption losses. Commercial property exposure limits are often multiples of limits for cyber-only coverage, which dramatically raises the stakes for losses and risk aggregation and highlights the challenge for assessments.
In addition, the potential for exposure accumulations from the same loss affecting multiple insured clients as businesses move to cloud computing and the longer-term threats posed by quantum computing all complicate exposure management.
Underwriting and risk management projects begin to address silent cyber Exposures
Moody’s revealed that Insurers, particularly those that handle both large national and multinational accounts are shifting cyber risk to standalone policies or implementing cyber sub-limits or exclusions in traditional policies. Insurers and reinsurers are also using deterministic scenarios and working with third-party vendors to model cyber risk. They are also assessing and quantifying their true cyber exposure, including silent cyber. Insurers’ actions include creating an inventory of traditional policies with embedded cyber exposure, modifying policy terms and conditions, and allocating premiums to policies that contain cyber risk.
Although the market is evolving, insurers that write large national and multinational property accounts are shifting cyber risk to standalone policies or implementing cyber sub-limits, or both. Insurers and reinsurers are also working with third-party vendor modelling firms to help dimension the risk. Insurers continue to run deterministic scenarios and take underwriting actions, and use reinsurance to manage gross exposure.