Meeting the cyber insurance challenge – head on

In attendance:
Chuck Bralver, director, AkinovA
Paul Jardine, non-executive director, AkinovA
Kristin Toretta Lee, cybersecurity attorney, Baker & Mackenzie
Patrick MacGloin, senior managing director, FTI Consulting
Siobhan O’Brien, Cyber Centre of Excellence lead, Guy Carpenter
Brent Poliquin, head of strategy, AIR Worldwide
Edouard von Herberstein, partner and chief underwriting officer, HSCM Bermuda
Henri Winand, chief executive officer, AkinovA

Cybersecurity is the fastest-evolving threat landscape insurers must deal with, according to a panel of experts assembled by AkinovA, the electronic platform for the transfer and trade of re/insurance risk.

The threat is evolving fast, but the insurance industry has so far struggled to keep up, leaving companies battling to manage their cyber risk. Attacks are increasingly likely to involve state actors as well as individual criminals, the panel noted, which is making cyber attacks more sophisticated and less predictable.

At the same time, the barriers to entry for cybercrime are so low that even teenagers operating out of their bedrooms can wreak havoc on businesses.

The effects of cyber attacks are sufficiently far-reaching as to be both deleterious to a business and tough to quantify for the re/insurance industry, the panel said. Meanwhile, the problem has been brought into even greater focus by the impact of the COVID-19 pandemic.

“What if a cyber attack were to take down the power grid while the world is trying to work remotely?” asked Brent Poliquin, head of strategy at AIR Worldwide. “What does that economic impact look like?”

Certainly, the risk of a major attack with such far-reaching consequences is chilling. Siobhan O’Brien, Cyber Centre of Excellence lead at Guy Carpenter, pointed to the growing concern that a computer virus could cause a large accumulating risk for the industry.

“We wrote a report last year examining what a large, systemic cyber loss could look like,” said O’Brien. “It amounted to roughly $14 to $16 billion, depending on the scenario—at a time when premiums amount to $6.5 to $7 billion globally.”

The cyber challenge is particularly acute for small and medium-sized enterprises (SMEs), noted Kristin Toretta Lee, a cybersecurity attorney at law firm Baker & Mackenzie.

“The end-to-end cost of a major cyber incident can be significant. Addressing the incident can take years and cost millions of dollars,” said Lee.

“Whereas large organisations may have the ability to internalise the costs associated with a major incident, SMEs can be disproportionately impacted.”

Henri Winand, chief executive at AkinovA, referenced Munich Re statistics that show 40 to 50 percent of SMEs go out of business within a year of being hacked.
“The goal for me is to create the capacity to underwrite those risks,” Winand said.

The only way the market will ever achieve a sufficient depth of coverage to provide true resilience will be to entice more capital markets investors, argued Paul Jardine, non-executive director at AkinovA.

Attracting investors
Jardine noted that capital markets investors should be open to considering opportunities to invest in cyber insurance, given they are looking for new sources of returns.
“There’s a natural fit here between delivery at the front end from an insurance company, a risk transfer to the reinsurance markets who are specialists in that B2B transfer, and then on an index or parametric basis to transfer out to capital markets,” said Jardine.

AkinovA’s goal is to serve as a bridge between insurers and capital market investors, who require accurate, dynamic data from a broader range of sources, said Winand. This will enable them identify policies that match their risks, and help them deploy capital more efficiently.

However, more needs to be done before that goal can be fully realised.

Edouard von Herberstein, partner and chief underwriting officer at HSCM Bermuda, called for more detailed and specific information about cyber risks that investors can understand and relate to.

“In the 1990s, when Goldman Sachs, Swiss Re, Aon and others went to investors to put money behind their cat bonds, they had 100 years of data and investors could immediately relate to it,” said Von Herberstein.

“With cyber, we don't have that history. We need a synthetic catalogue of realistic cyber disaster scenarios, some real events but mainly constructed, which investors can relate to and understand.”

Even more urgent is the need for a universally accepted taxonomy.

Chuck Bralver, a director at AkinovA and a founding partner at Oliver Wyman, said cyber coverage remains “bespoke, one-off and somewhat mysterious”.

Bralver continued: “We need to move towards an industry where both the taxonomy and the solutions are standardised, modular and intuitively understood by the participants on both sides.

“Difficulty in agreeing certain exceptions of scope or detail should not preclude a generally accepted core and be managed through amendment wherever possible.”

Patrick MacGloin, senior managing director at FTI Consulting, went even further, dismissing the word cyber itself as a trope with little precise meaning.
“The cyber market is unfettered by any definitional precision,” MacGloin said.

“Making it real gets rid of confusion and gives insurers, their investors and their customers something tangible,” he added.

MacGloin noted that the Financial Stability Board had attempted to compile a definitive cyber taxonomy in a two-year study called “The Cyber Lexicon”, but said the effort had proved divisive, and failed to catch on.

“We not only lack plain language, but we struggle to agree on what terms we have,” said MacGloin.

“This makes it very difficult for insureds to make good decisions about their cyber cover. There is an asymmetry of information, which yields a market for lemons. I think there needs to be a return to common sense.”

Winand said providers should focus on the biggest cyber challenges facing businesses, rather than trying to do everything at once, but noted that the whole value-chain needs better availability of information.

“At the moment the information asymmetry between the buyer and the seller is so large that you cannot get to a price that makes sense for both parties,” Winand said.

The many faces of cyber risk
O’Brien emphasised the importance of understanding what cyber risks companies are trying to solve, which will vary depending on the business they are in.

“For clients who are data-heavy, that will mean breaches and data privacy, but if they are manufacturing widgets, data breaches are a lower priority than systems going down,” she said.

This calls for a more granular approach. “We should stop using the word ‘cyber’ and start talking about the risks they want to mitigate,” she added.

Risk managers should think about cyber risk in terms of the business’s core operations and functions that need to be resilient to cyber events, Lee added. Cyber risk can be more dynamic than some other risks, she warned, especially where attacks originate from foreign nation states.

“While it is indisputable that an asset inventory is a key element of cyber risk management, risk managers must also think more holistically about the core functions of the business, and their resilience in the face of a major cyber attack,” said Lee.

The onus is very much on insurers to guide their customers through the process, and to do everything they can to support clients by being clear about what their policies do and do not cover, and by paying claims swiftly when they are covered.

“The thing that kills businesses is liquidity crunch, so clarity over coverage and speed of payment is absolutely crucial,” said Jardine.

“We basically offer a promise to pay. Unfortunately, as we’re finding in the current situation, and as we found with some cyber policies, when it comes to that time when you need to make your client good, because it’s the difference between life and death, we are failing.”

O’Brien warned that insurers should be particularly careful with the management of their claims-handling service, which is an insurer’s shop window.

“Very often those services are outsourced, so if they get it wrong, you can lose your reputation,” she said.

Meanwhile, there have been a growing number of disputes arising related to cyber claims, which increases the cost of doing business for insurers.

“Regulators are continuing to increase the costs on organisations subject to major cyber incidents through complex investigations which may lead to fines and penalties,” said Lee.

Companies can do more to protect themselves and mitigate the risk of being attacked in the first place. Lee called for more work to be done to help businesses prevent cyber attacks taking place, as well as creating products to help them manage the impact when they have been attacked.

“We need to continue our collective efforts to promote prevention and collective, highly efficient detection and response capabilities to address major incidents,” she said.

Poliquin however highlighted the challenge businesses face when having to allocate limited resources between risk mitigation and risk transfer efforts. Risk managers need more guidance to help them make the right decisions when allocating resources between these two efforts.

The hunt for yield
Clearly there are challenges when it comes to creating a truly scalable capacity to underwrite what matters to business and organisations. What’s needed is more than cost-avoidance policies which cover only basic forensic and public relations costs.

Businesses want operationally meaningful non-physical business interruption cover, and straightforward policies that cover operational processes, covering their hyper-connected and always-on devices and IT infrastructure.

The experts all agreed that the way forward involves simpler, and preferably standardised, wordings in contracts, with clearer payment triggers. This will make cyber work for cover buyers, capacity providers and brokers.

Parametric products with clear triggers, created from new, real-time data, empower brokers to advise buyers about how to close their basis risk. The right dataset and indices enable capacity providers to underwrite the risk. Reinsurers can then model their accumulation risks, not across cyber as a catch-all bucket, as is often the case today, but across refined, less-correlated categories, said Winand.

Modelling techniques that quantify frequency and severity of events are developing at pace, fed by vast amounts of 24/7/365 data. This leads to a better understanding of the insured’s security stance and threat environment, and helps businesses quantify cyber-related operational risks.

Cyber risks propagate and expose different assets and sectors to different risks in a much more fluid way than most other lines of business. Since they also permeate most of the global P&C insured landscape, and some of the life insurance sector, the universe of impacted assets is huge.

This offers capacity providers and capital markets new opportunities to hunt for yield, create new diversified portfolios and deploy capacity in a meaningful way.

Winand said: “It is difficult to discuss an important threat such as cyber without painting a gloomy picture.”

AkinovA is convinced that the insurance industry will combine a more granular approach to cyber risk transfer. It will involve insureds’ operational and intangible assets being covered with clearer, more parametric, more standard policies, referring to dynamic datasets with the right models.

“New capacity can support the re/insurance industry’s need for capital markets access through a regulated marketplace,” concluded Winand.
“The potential disaster of a truly devastating cyber pandemic can be averted.”