shutterstock-339750206
ra2studio / Shutterstock
26 January 2017Insurance

Preparing for a 2017 cyber surge

While cyber risk may have once been seen as the bogeyman of re/insurance, the ever-present and very real threat of cyber attacks that has been increasingly exacerbated by a series of high-profile breaches means that this is simply no longer the case.

There is no doubting the potential of this market. The total written premium of the cyber market globally is now estimated at $2.5 billion and it is growing fast. Allianz estimates this will increase to $20 billion by 2025.

Similarly, findings from a CFC Underwriting survey conducted at the 2016 Cyber Symposium in London showed that within the UK cyber market, over 40 percent of survey respondents agreed their cyber book had grown by over 50 percent in the last 12 months.

Multiple sources are in agreement that not only will the demand for cyber insurance increase in 2017, but it is recognised as the fastest growing line in insurance.

“Systemic accumulations on top of inter-reinsured accumulations mean that the theoretical potential for aggregation risk is huge.” Luke Foord-Kelcey, Aon Benfield

This is supported by 2017 Cybersecurity Predictions, a report from Stroz Friedberg, an Aon company, released at the start of the year. It suggests a growth in the intensity and types of cyber attacks in 2017, which Aon expects to see reflected in the take-up of cyber insurance.

“Indeed, sources within the market are estimating premium volumes to as much as triple over the next five years,” says Luke Foord-Kelcey, co-head of the global cyber practice at Aon Benfield.

“That growth will also be driven by greater corporate awareness of the risk and evolving procurement policies but, most notably in Europe, it will be driven by the evolving regulatory framework around data protection.”

Foord-Kelcey suggests that more than 60 insurance markets are currently offering some form of standalone cyber coverage, a number that continues to increase as the “class gains relevance, take-up grows and returns are decent in a generally soft market”.

Inga Beale, the CEO of Lloyd’s, told Intelligent Insurer that Lloyd’s had seen a threefold increase on the cyber business over the past two years, and that she expects more growth driven by a variety of factors.

Beale says: “In 2016 we’ve seen highly publicised cyber attacks on some of the biggest corporate and retail names in the UK and globally. The effect of these breaches is multi-layered—besides business interruption, they can have a long lasting reputational impact and seriously affect the bottom line.”

A justified fear factor

One of the key drivers behind in the growth of insurers’ cyber books, according to the CFC survey, was the ‘fear factor’ of an impending and costly cyber attack.

This fear factor is entirely justified, according to Scott Stransky, assistant vice president and principal scientist at AIR, who cited a number of significant breaches in 2016 and in the previous years.

While people hear about these big breaches all the time, there are so many that don’t make the news, he says.

“AIR has a database of historical breaches, which sits at around 23,000. If you’re on the news maybe you hear about 10 to 20 breaches in the year, but there are thousands,” Stransky says.

He believes this started in 2013 with the breach of US discount retailer Target in 2013, which exposed the debit and credit card accounts of approximately 40 million customers.

Since then there have been many others including the Sony breach in 2014, the Anthem medical data breach in 2015, and the more recent alleged hacking of the Democratic National Committee during the US presidential election.

Stransky says: “You hear about these breaches all the time, and there are so many more breaches that don’t make the news. AIR has a database of historical breaches, which sits at around 23,000. If you’re on the news maybe you hear about 10 to 20 breaches in the year, but there are thousands.”

What is perhaps scarier to the insurance industry, in Stransky’s opinion, are the new types of breaches that are being seen, such as the recent breach of Dyn, an internet performance management company which offers domain registration and other services, in October 2016.

“When Dyn went down in October, it didn’t go down for very long. So because of deductibles and waiting periods it probably didn’t cost the insurance industry very much, but it got people thinking,” he continues.

“They were thinking ‘how many companies in my book actually rely on Dyn to host or run a domain name for their website?’ and the answers the came up with is ‘we don’t know’ and that was a very scary thought.”

Stransky also believes the non-physical business interruption is where the ‘disaster’ is going to happen, using the Dyn breach as an example.

“But with the Dyn breach, or something of that order, multiple companies in your portfolio are at risk of suffering a risk at the same time. And this is really where the aggregation lies; if you have a book of 1,000 companies, do you know how many use Dyn? You probably don’t but we can help you with that,” Stransky continues.

“And once you understand how many use Dyn—40, 60 or 80 companies in a 1,000 company book—if Dyn goes down for a day or two or five, you’re going to suffer claims on multiple companies at once, and that’s really where the disaster is going to happen.”

Changing threats

Cyber coverage that began principally as data privacy insurance has now extended to various business interruption, physical damage and crime coverages, Foord-Kelcey notes.

The Stroz Friedberg report listed the top threats in 2017 as nation state cyber espionage, a rise in data integrity attacks and an increase in attacks harnessing the internet of things.

As a result, Foord-Kelcey says, we can also expect to see a continued broadening in the scope of cover available from cyber insurance, as insurers “compete for their products to remain relevant and to continue to address the evolving risk landscape”.

He continues: “Being non-physical and supranational in nature, the concern around cyber insurance is that the industry may be vulnerable to a single event giving rise to losses to multiple insureds across multiple territories.

“Systemic accumulations on top of inter-reinsured accumulations mean that the theoretical potential for aggregation risk is huge. In practice, it may be that this ‘single event’ risk is, in fact, very remote, and that is the question with which both insurers and their reinsurers are grappling.”

As cyber cover is still in its early days, the scarcity of data currently available, according to Foord-Kelcey, means there is a heavy reliance on assumptions regarding the severity and frequency of cyber risk, which has created a wide variation in estimates.

He stresses that it is important to ensure insurers are collecting quality data to enable better development of probabilistic modelling, particularly in respect of accumulations.

“While the current small scale of the cyber market means that the losses arising out of even a severe attack remain manageable, the burgeoning take-up of the product, combined with the growing reliance of business on an increasingly interconnected digital world, mean that any aggregation risk is only going to increase,” Foord-Kelcey continues.

“Insurers and reinsurers must consider how they understand and map that interconnectedness and, crucially, they should do so not only as it relates to their cyber book, but also as it relates to incidental cyber covers in the rest of their portfolio—policy language should be sufficiently tight that only losses priced for are covered.”

New legislation

In addition to the evolving threat landscape that has been observed globally, the legislation currently in effect in the US, and similar laws that are coming to the UK and Europe, will likely encourage more companies to get cyber coverage in 2017.

Stransky suggests that while cyber is already seen as a big deal in the US market, the new notification laws coming into effect in Europe will likely produce a similar reaction.

“In the European market and the London Market, the laws are changing, and they’re going start to require notification and very big penalties and fees, if a company does get breached."

In Europe, the introduction of the EU General Data Protection Regulation (GDPR), which comes into force in May 2018, will bring in a regime of compulsory notification of certain breaches to regulators and affected individuals, and hefty fines for infringements, according to Foord-Kelcey.

He says: “With around 80 percent of cyber insurance premiums currently emanating from US-headquartered insureds—where the data protection regulatory burden has hitherto been greater—we would expect the GDPR to herald a similar trend in take-up within the EU (and other developed economies mirroring that development in regulation).”

Beale also recognises the implications the GDPR will have for insurers, suggesting that businesses will “have to be more responsive to any cyber incident than may have been the case in the past”.

She concludes: “Insurance can play a critical role in helping businesses in this environment, not just in terms of cover for any financial losses, but for support regarding meeting regulatory obligations and dealing with potential operational and reputational fall-outs.

“Our research has shown that cyber risk increasingly sits at the most senior level of business, and although the UK and Europe are still lagging behind the US in terms of take up of cyber coverage, the Lloyd’s market has seen a threefold increase on cyber business over the past two years, and we expect it to continue to grow in 2017.”

Already registered?

Login to your account

To request a FREE 2-week trial subscription, please signup.
NOTE - this can take up to 48hrs to be approved.

Two Weeks Free Trial

For multi-user price options, or to check if your company has an existing subscription that we can add you to for FREE, please email Elliot Field at efield@newtonmedia.co.uk or Adrian Tapping at atapping@newtonmedia.co.uk


More on this story

Insurance
10 May 2017   An increasing reliance on technology and the interconnectivity of the IoT is resulting in new risks and aggregations of risk that keep insurance executives awake at night. Matt Webb, global group head of cyber at Hiscox, explains to Intelligent Insurer why understanding cyber aggregation risk is more vital than ever.
Alternative Risk Transfer
25 April 2017   Organisations believe that their cyber assets are more valuable than plant, property and equipment (PP&E) assets despite spending four times more budget on insurance protecting the latter risks, according to the latest Aon/Ponemon report.
Insurance
8 May 2017   If all US businesses had cyber insurance, over $5 billion a year would be lost to the insurance industry from cyber data exfiltration alone, according to catastrophe risk modelling firm RMS.