Over the past few years, cyber insurance markets have been growing at between 25-50 percent CAGR each year. According to The Betterley Report 2015, annual policy premiums are approaching $2.75 billion. The ecosystem of insurance underwriters, intermediaries/brokers, analysts/management consultants and compilers of insurance market information is evolving rapidly, trying to make the most of this rising tide. As large insurance underwriters try to grapple with cyber insurance, newcomers aim to disrupt this ecosystem. And the battle has just begun.
Opportunities galore: Risk metrics / analytics
Enterprise risk management is a pressing issue at the C and board levels. Risks of business disruption rank the highest on charts. While natural catastrophes and political issues can cause disruption, these are relatively better understood than cyber risk. According to Allianz 2016 Risk Barometer, cyber incidents are considered the No. 1 emerging risk for the long-term future.
(Source: Allianz 2016 survey of top business perils; 800 risk managers from 40 countries).
With the growth of intruders and malicious actors, corporate risk managers are being pushed to adopt a better risk posture. Purchasing insurance often is the first step. When you have many eager buyers, a willing seller often emerges quickly to oblige such enthusiasm.
According to AIG, insurance underwriters collected $1.6 billion in premium income in 2015. Allianz projects premium income to grow to $20 billion by 2025. The average take-up rate for cyber insurance is 24 percent across U.S. businesses. (Source: Council of Insurance Agents & Brokers survey of 75 brokers, September 2015).
Only ~40 percent of Fortune 500 companies have procured insurance against cyber incidents, and those with insurance typically purchase limits that do not cover the full extent of their cyber exposure. There are more than 18,000 mid-market companies with revenues from $250 million upwards in professional services, retail and manufacturing verticals that will need insurance coverage.
It is evident that the forces of “market pull” are driving rapid growth in insurance markets, even when entrants are relatively unsophisticated. Some water-cooler conversations around cybersecurity insurance include statements like “nobody knows anything — but wow — it’s already a billion-dollar market” and “this is the best thing for our industry since fire.”
Enterprise customers are eager to buy coverage, but struggle with understanding their risk factors. According to a NetDiligence 2015 Cyber Claims Study, 48 percent confessed to a lack of understanding of complexity of risks, preventing them to be better prepared against such risks.
And as much as 46 percent did not have concrete assessment of costs of risks involved. The key questions enterprises struggle with are: (a) What is at risk for our enterprise — is it business continuity? Will we be DDOS’ed? Or experience intellectual property theft? Do we hold consumer/financial/patient data?; (b) What is the probability of an event occurring?; and (c) What are the estimated damages?
Like most nascent arenas, development of a common taxonomy and risk assessment framework is much needed. The U.S. government’s NIST framework is a starting point, but more needs to be done. Within such a framework, various tools, technologies and practices can be optimized to measure and assess cyber risk. The first wave of innovation is to offer risk metrics and aspire to become the “FICO Score” provider. Startups that have leaped in to address risk metrics include Security Scorecard, BitSight and Cyence. Governance Risk and Compliance (GRC) Vendors have pivoted into the space and offer vendor risk-management tools. The gold rush has just begun.
Opportunity: Insurance purchasing engine
Despite strong demand, the challenge for insurers is how to craft their offerings and how much to offer. Forecasting loss ratios and product profitability in such a nascent market is a challenge, not to mention allocating appropriate risk capital for long-tail cyber catastrophe events. Actuarial tables based on 100 years of historic data can be used to build premiums models, and predict earthquake and flood risk. But do the likes of AIG and Allianz have such data for cyber risk? Not quite.
Symantec has leaped into this space and aims to be a formidable player. “We track 800K security events every second” says Roxane Divol, SVP/GM, Trust Services Website Security, and Executive Sponsor for Cyber–Insurance, Symantec. The company has hired actuaries who are blending historical and real-time data and creating new products for the cyber insurance community to address this specific challenge.
The timing, scale and nature of cyber risk is uncertain and dynamic. How will this impact premiums as risks fall or evolve over time? And in many cases, we don’t even know what’s going on — take a look at the patterns of incidences for 2016. “Miscellaneous Errors” and “Everything Else” are almost 30 percent of the incidents.
(The dynamic nature of threats over time. Source: Verizon DBIR 2016)
At the macro level, how do insurance providers estimate their “probable maximum loss” (PML) in cyber incidents? And when several parties get impacted, how is first-party/third-party liability assessed? If I unknowingly forward a malicious file to another party, am I at risk? The timing of claims can also be a pain point for the insured. As one expert bemoaned, we know there is fire when we see smoke. What about cyber issues? Intrusions go can undetected for 300 days or more.
So how does an enterprise risk officer apply this logic to selecting the right coverage, negotiating premium amounts and exclusions? What claims can be denied? How does a nation-state attack (North Korea/Sony) come into play? According to a Hanover Research Cyber Insurance Survey (November 2014), more than 50 percent of insurance underwriters do not have dedicated people for cyber insurance.
Even the intermediaries/brokers struggle. In a cyber insurance market watch survey, the Council of Insurance Agents & Brokers found that 71 percent of brokers believed there was little to no clarity about what is covered. Which means the brokers are more or less operating in the dark.
The Council further reports, “Much rests with the individual broker’s ability to grasp exposures and coverage nuances and be able to intelligently discuss these with individual clients whose interest levels vary greatly. The two major points of contention are lack of a standard terminology and difficulty in spotting exclusions.”
If we assume our CGL (Commercial General Liability) or D & O (Directors and Officers) policy coverage is sufficient, we may be in for a rude shock. When DSW, a shoe retailer, got hacked, AIG attempted to deny coverage and argued the loss was excluded. The court disagreed and DSW was entitled to coverage, but not without a legal battle.
In summary, enterprise America will soon need a simpler way to identify the nuances of: (a) what does my policy cover, its relevance to my business-risk and exclusions; (b) which underwriter is the most sophisticated; and (c) and how can I identify ways to reduce premium costs? Over time, an online insurance marketplace may evolve.
Opportunity: Emphasize the importance of tools and technologies
Underwriters do not put much value on usage of security products/tools. A Hanover Cyber Insurance survey from November 2014 shows an interesting pattern — the most important information is risk management philosophy, closely followed by nature of data stored.
The “Updated Network Security/Firewall” seems somewhat laughable and, unfortunately, “Encryption” has very little importance. This needs to change.
As insurance companies become better informed about the importance of various security technologies, the criteria for underwriting could become more relevant. Silicon Valley can create not one but many disruptors in the cyber insurance space. Yet Silicon Valley should know that technology alone cannot solve all problems. People, practices and policies matter.
It may be a while before we realize that Utopian dream of security working silently, automagically to protect us despite our follies, foibles and idiosyncrasies. When that happens, we will not need cyber insurance. For now, this $20 billion market is waiting to be disrupted by some 19-year-old wunderkind.