Cyber security insurance – how can insurers quantify the risk?

Cyber insurance is said to be one of the few areas of growth and innovation in the insurance market these days.

It is identified as one of the biggest risks facing the financial system, and the demand for insurance against it is growing. As pressure is being put on organisations to demonstrate that cyber risk is being managed or mitigated, many protection buyers get cover for the first time. As attacks become more malicious and costly, the demand is bound to increase.

Methods to assess this risk are at their infancy and in consequence the management of cyber risk against risk appetite is not an easy job to carry out. We ran a survey among specialist insurance companies to understand how they are getting on with this task, what their growth strategy is, and what investments they are making in this area. The PwC cyber risk management survey was carried out across 14 companies in the London market in Summer 2016.

Is cyber security risk insurable?

Lloyd’s has pioneered the development in this class, but according to our survey the attitude towards cyber seems to have split the market in half. Approximately half of survey respondents already sell cyber policies, or see this as an area of growth. The other half do not actively pursue cyber, often believing this risk to be borderline insurable. The scepticism is due to limited experience of cyber losses standing in the way of confident underwriting.

On the other hand, even in the group that embraces cyber, insurers still trade carefully and tend to limit the amount of cover offered under each policy, despite the fact that there is appetite for more cover. Breach costs are constantly rising and the limited protection available doesn’t even come near to what the cost of a truly damaging cyber attack would be to a large business.

The issue with silent cyber

Lloyd’s and other regulators are questioning (re)insurers on how well they understand their exposure to cyber. While exposure to the so called “affirmative” cyber (arising from selling cyber policies) is to a certain extent possible to control, all insurers and reinsurers, regardless of their views on the insurability of cyber, will have exposure to “silent” cyber.

These losses come as a result of a  cyber-attack, but not under a dedicated cyber policy but rather from other contracts which, while not designed to protect from cyber, do not exclude this type of risk either. For example: an attack on a common billing or payroll system could result in the loss of personal data and in financial loss, which could in consequence lead to a high number of claims under Professional Indemnity policies.

The PwC survey queried companies in the London market about parts of their book that are most exposed to silent cyber and professional liability, property and aviation lines were cited as most likely to be affected.

How do insurers quantify cyber risk?

The main challenge emerging is how to design a market leading but pragmatic approach to managing cyber risk. The issue is not only due to data available being scarce, but also because any models are at risk of quickly becoming obsolete due to the rapid change of the cyber risk landscape as cyber weaponry progresses.

While 85% of respondents claim to have a loss estimation methodology in place, the majority use simplistic exposure and factor based methods which have in the past shown to underestimate the risk (as we have seen with unmodelled events like the Thai Floods). This is contradicted by the fact that 70% of respondents believe their method to be overly conservative.

Insurtech and cyber scenarios

While a flurry of new software and data products has recently entered the market to help with this issue, only 25% of respondents use external tools, and the majority within that group uses technology mainly to supplement assumptions and data applied in simple exposure management based methods – the prevailing view is that the tools available need further development to be suitable to manage insurance portfolios.

The job of understanding accumulations of this risk has in most cases been given to exposure management teams, and while parallels can be seen between early years of catastrophe models and cyber, management of this risk requires some unique consideration and analysis.

It is worth bringing stakeholders together and use extreme scenarios to test the interconnectedness of exposures, as well as seek to understand how policies that are silent to cyber might respond. While those scenarios may be unlikely to occur, firms have been finding them helpful in understanding possible causes of losses and levels of coverage affected.

And as it is the case with natural catastrophes, we are likely to be very surprised (but learn a lot) when the next significant event occurs.



Contact us

Marta Abramska

, PwC United Kingdom

Tel: +44 (0)20 7212 6341

Follow us