Gaps in data and expertise are holding back growth in the cyber insurance market and exposing insurers to sizeable, but as yet largely unquantified, losses. So how can your business develop the modelling, actuarial insight and threat intelligence needed to underwrite cyber risk more confidently, differentiate your insurance offering and protect against damaging losses?
Cyber risk cover has been targeted as a key growth market for UK insurers. Yet given the scale of the risk in an increasingly digitised and interconnected global economy, corporations remain significantly underinsured. And even allowing for this being a relatively new class of insurance, the take-up of cyber cover could have grown a lot quicker by now. Why the shortfall?
A combination of limited actuarial data and constantly morphing risks makes the potential losses difficult to measure. As a result, cyber insurers often have to rely on restrictive limits, exclusions and conditions to control exposures. Some believe that it would take a major data breach or operational breakdown for the cyber insurance market to really take off. Yet our wide-ranging work with corporations indicates that a lot of the executives who are fully aware of the loss potential are reluctant to buy cyber cover because the restrictions limit the level of protection they gain.
Perceptions around cover are changing. A 2016 PwC study found that the percentage of UK companies who believe that they have cyber insurance cover had dropped to 38% from 59% in the previous year1. We believe this is more likely a change in awareness of whether cyber risks are covered within existing insurance programmes than a reduction in the specific cyber insurance spend.
As a cyber insurer, your business would certainly be in a stronger position to increase claims limits, price competitively and attract some of the clients who are currently reluctant to buy cyber cover if you had the specific cyber risk expertise, data on the past financial impact of cyber events and a credible exposure management framework (e.g. realistic disaster scenarios).
Further pressure for a rethink of how cyber-related cover is managed is coming from the PRA, which wants insurers to develop greater expertise in cyber risk and more systematic risk appetites and strategies2. And the PRA’s ‘Dear CEO’ letter goes beyond direct cyber insurers to cover what it describes as “silent” cyber exposures that are “endemic” in policies ranging from directors & officers (D&O) to marine, aviation and transport (MAT). The PRA is especially concerned about whether policy wording and loss estimations are keeping pace with advances in technology.
Putting cyber-related cover on a better controlled platform demands a more systematic and selective approach to defining, quantifying and managing the risks:
1. Become a sector expert
Focus on a few select sectors, ideally ones where you already have a good knowledge of the business dynamics from other parts of your underwriting portfolio. This would enable your business to gain a deeper understanding of the cyber vulnerabilities, apply hard monetary figures to the potential losses and gauge how effectively clients are managing them. This insight would inform risk appetite, selection and pricing, with potentially higher claims limits and better prices for clients with more effective controls. While tightening the focus, it’s clearly important to pick more than one sector to avoid concentration risk.
2. Partner with digital security companies
Partnership would enable your business to gain access to up to date threat intelligence, insights into potential attackers and the level of protection within a potential client business. Your actuarial and underwriting teams could then overlay this analysis on your understanding of the client’s IT dependency, operational risks and most prized and sensitive data assets (‘crown jewels’), along with the potential for secondary business interruption claims from customers and suppliers. You can then develop a clear picture of how the organisation might be disrupted and at what cost.
What this all comes down to is a blend of core actuarial capabilities and specialist threat assessment. While digital security businesses might see openings to move into this high margin area of insurance, actuarial and underwriting expertise are essential elements of risk pricing, selection and loss estimation. Indeed, we see significant opportunities for actuaries to work directly with corporations to quantify their cyber risks and provide a more informed basis for negotiation with insurers.
Looking ahead, the business of providing protection against cyber risk is open to commercial disruption. Technology giants are unlikely to miss the opportunity. They would also be forced by shareholders to move into this space should there business models be threatened by falling consumer confidence.
Cyber threats themselves are also constantly evolving. According to Louise Taggart, a threat intelligence analyst in PwC’s cyber security team: “2017 is likely to see a noticeable rise in cyber attacks targeting critical infrastructure, which would heighten the systemic risks associated with the cyber threat landscape. Cyber criminals are also increasingly spreading their net beyond what have traditionally been seen as ‘high-profile’ sectors – such as defence, energy, pharmaceuticals and financial services – to target new sectors and organisations as they probe for vulnerabilities or weak points to exploit. As such, insurers will need to monitor closely the ongoing appropriateness of the risk relativities across different sectors within their rating models.”
As well as the need to transform analytical and underwriting approaches to compete for risk cover with disruptors, insurers have to find ways to manage the systemic risks opened up by these escalating cyber threats. Investment in modelling and analytics has enabled the industry to insure most natural catastrophes. Actuaries and catastrophe modellers are now developing the skills sets needed to make cyber risk fully insurable. But this will continue to be an epic challenge as the greatest losses insurers face shift from devastating natural disasters to the constantly changing criminal ambitions and technical capabilities of human beings.
Domenico del Re leads a multidisciplinary team of actuaries and cyber risk experts, who are working with insurers and corporations to help them understand their cyber exposures and develop more effective protection.
 PwC media release, 5 October 2016 (http://pwc.blogs.com/press_room/2016/10/cyber-risk-dividing-insurers-as-uk-companies-step-away-from-cyber-cover-pwc-survey.html)
 ‘Dear CEO’ letter (http://www.bankofengland.co.uk/pra/Documents/about/letter141116.pdf) and Cyber insurance underwriting risk – CP39/16, PRA, 14 November 2017 (http://www.bankofengland.co.uk/pra/Pages/publications/cp/20)