Community
Cyber insurance is potentially a huge growth opportunity, but to exploit it profitably firms must identify and quantify cyber risks.
The attitude to cyber insurance is changing. This is partly being driven by the increasing awareness of major security breaches. Cyber insurance is now seen as a core element of mainstream business risk management, with uptake increasing by a staggering 50% in one year*. The shift in perception is driving the market growth, with projections for the global market to triple and reach $7.5 billion by the end of the decade**.
These levels of growth present insurers with massive opportunities. However, cyber insurers are waking up to a tough reality. Accurately quantifying the underlying cyber risk and the impacts of security breaches is exceptionally complex. Insurers must develop better methods of cyber risk modelling to improve accuracy and consistency. The pay-off is that this will enable them to realise the market potential.
Pricing challenges
To price a premium, insurers must accurately quantify the risks to which their clients are exposed. Beyond this, comparisons with conventional risk pricing are scarce. Cyber risk arises in a complex ecosystem of interlinked vulnerabilities, security threats, and potential associated impacts. It is also inherently specific to individual clients, with characteristics including:
These variables have proven difficult to ascertain. Conventional premium generation employs modelling techniques that incorporate data from past events. However, a major challenge confronting the cyber security domain is the scarcity of historical data relating to cyber threats, actual breaches, and resulting impacts. Only recently it became mandatory for breached entities to disclose details of their cyber security breaches. Previously, companies were reluctant to (voluntarily) disclose breaches due to potential reputational damage. And although third-party threat intelligence sources do exist, insurers have been slow to use their expertise.
In addition to analysis of past events, accurate cyber insurance pricing must also account for future events. This is particularly difficult, due to a number of factors, including:
The combined effect of these challenges is that the scope and degrees of liability of cyber insurance policies are difficult to predict.
Compounding the issue, cybersecurity risk is shared between businesses and other enterprises they interact with. Known as risk correlation, it means that a breach of any one component within an interconnected system could potentially compromise the entire network. Historically, risk correlation has been a major factor that makes realistic premium calculation very difficult. But getting it wrong can bring serious implications, both for the individual insurer’s business and the market as a whole.
Insurers’ reactions
In this complex and rapidly developing cyber threat environment, insurers have mitigated their exposure to liabilities by offering bespoke policies at high premiums. This has fragmented the cyber insurance market and hindered realisation of its full potential. Today’s offerings bear hallmarks of highly ‘niche’ products, including non-standardised policies that dramatically vary by geography and industry.
High barriers to entry have left smaller businesses unprotected. But serious vulnerability extends beyond the uninsured, to the insurance companies themselves. Any institution tackling cyber threat challenges, while lacking the necessary expertise, risks direct exposure to multiple and unaccounted risk correlations. The worst-case scenario is a single, major catastrophe - a ‘contagion event’ that affects large numbers of consumers. It is possible that such an event could have consequences similar to the financial crisis of 2008.
Quantifying unknowns with a holistic approach
The combination of obstacles discussed so far have blocked development of truly comprehensive methods for cyber risk modelling. As a result, premium pricing remains inaccurate. This has inhibited greater uptake of cyber insurance as an effective element of risk management.
A dynamic landscape necessitates a dynamic response. This must include real-time security posture monitoring and dynamic risk quantification. To enact positive change, there are clear areas that actuaries and underwriters must address, such as:
As cyber threats continue to expand in the near future, commercial opportunities in the cyber security domain continue to grow. Provision of appropriate, accessible, and affordable cyber security protection products and premiums is critical to this growing market. But it will not happen until the right innovation is widely implemented. Nor can the industry make this positive shift alone. Legislation has a key role to play, promoting policy standardisation and helping prepare for the big move from niche to sustainable mass-market offerings.
References
*Cybersecurity insurance grew 50% in the UK between 2015 and 2016 (source: https://www.infosecurity-magazine.com/news/cyber-insurance-adoption-soared-50/)
**https://www.enisa.europa.eu/publications/cyber-insurance-recent-advances-good-practices-and-challenges/at_download/fullReport
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Eimear Oconnor COO at Form3 Financial Cloud
07 November
Karla Booe Chief Compliance Officer at Zeta Services Inc.
Kyrylo Reitor Chief Marketing Officer at International Fintech Business
06 November
Konstantin Rabin Head of Marketing at Kontomatik
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.