Nearly 90% of the cyber insurers taking part in PwC’s 2017 Global Cyber Insurance Survey are targeting small and medium size enterprises (SMEs). With barely one in ten small businesses in the UK holding cyber cover, the growth potential is clear. Yet capitalising on it is likely to require a big step-up in risk understanding and pricing expertise.
At first glance, cyber insurance would appear to be a relatively profitable business – the combined ratio for the cyber book for the insurers and reinsurers in our survey was typically around 80%. Yet as more companies enter the market and the frequency of events such as 2017’s Wannacry and NotPetya attacks increases, returns are set to be eroded. And, insurers have yet to experience the impact of the really big cyber catastrophe that could be just around the corner, with the losses not only coming from the cyber book, but also exposures in other insurance policies.
Our survey raises question marks over pricing and underlying risk evaluations. Most participants have access to historic data even though this is relatively sparse and a poor guide to the future when both technology and cyber threats are evolving so fast. In particular, insurers often have limited information on clients’ technology dependency and the business interruption costs that could stem from this, even though this is the greatest source of potential claims.
Cyber risk models are helpful to a point, yet they are still at an early stage of maturity and over-reliance would be hazardous. Effective model usage not only demands robust and continually honed assumptions, but also well-developed knowledge of how the model works and what the outputs mean. This is a journey that the Property Cat models have taken 20 years to travel, and they are still developing.
How can insurers gain greater insights into the risks and price with greater confidence? For large corporates, it’s possible to carry out regular and detailed assessments of their technology dependency, the specific threats they face and the potential financial impact. This analysis would also look at how to get the business up and running again as quickly as possible and hence limit the eventual claims.
However, in the SME market this kind of customised cover and advice is simply uneconomic. It is possible to put a ceiling on potential losses through pricing cushions, cover limits and line size restrictions, though this would make the policies less attractive and hold back growth. Moreover, nearly 70% of the participants in our survey are writing all policies as long as they meet underwriting standards, which would suggest that they’re targeting quite aggressive growth.
So, how can insurers strike the right balance between growth and control within the SME market? Expertise is critical. This includes more threat intelligence analysts and specialist modelling teams, who can not only strengthen risk understanding within the insurer, but also risk mitigation and guidance for clients. It also includes lawyers, contract and claims specialists to ensure clear cyber event definitions, to scrutinise terms and to prevent invalid pay-outs – this is especially important in the SME market as many of the policies are likely to include cyber as part of broader coverage, rather than being standalone.
As SME cyber insurance is likely to be highly model-driven and automated, improvements in model understanding and control are especially critical. Confidence in the models and underlying assumptions will take time and therefore initial growth may be curtailed. Yet, by enabling the insurer to price more precisely and offer higher levels of protection, this increased knowledge and experience would generate valuable competitive advantages over the longer term.
Partnership with reinsurers would help direct insurers to gain a better understanding of the risks within the SME segment and their own accumulated exposures. Almost all reinsurance is on a quota share basis and none through excess of loss (XL) contracts, which reflects reinsurers’ uncertainty over cedent exposures and the low confidence in cyber quantification and pricing. Closer collaboration with reinsurers and access to their expertise could therefore not only limit unforeseen losses, but also open the way for more loss-absorbing and less revenue-depleting XL contracts.
SME cyber cover is the new frontier in this young market. Under-insurance in the segment offers significant opportunities for growth. However, in the absence of the bespoke analysis and advice that would be available to larger corporates, insurers face the challenge of shoring up model evaluation and developing the kind of mass market underwriting techniques needed to make this business viable.
Domenico del Re and Cindy Yang are part of a multidisciplinary team of risk modellers, actuaries and cyber risk experts, who are working with insurers and corporations to help them understand their cyber exposures. Their engagements include developing frameworks for managing cyber insurance liabilities and using the experience of PwC's cyber security experts to develop scenarios to quantify potential losses.
Domenico del Re
Director, PwC United Kingdom
Tel: +44 (0) 7718339993
Cindy Yue Yang
Manager, PwC United Kingdom