No fear of cyber: AXIS forges ahead

Cyber is still a relatively new risk, which means that it faces high growth potential, but at the same time, the risks are difficult to assess and manage due to a lack of historical data.

It is dividing the industry: while some experts see cyber as a risk too big to underwrite, others believe that it is an unmissable growth opportunity.

AXIS certainly belongs to the latter group. Aided by the recent acquisition of Novae, AXIS is allocating more resources into this class, for example by expanding its product offering in the field to include protection against damage to physical assets and infrastructure when a cyber attack occurs, according to its 2017 annual report.

“Cyber risk is everywhere. It exists not just as a product but as a peril and can cause physical damage events, broader liability events, maritime or aviation events,” says Dan Trueman chief innovation officer and cyber unit head, AXIS Capital.

“We believe the world is changing,” Trueman adds. “With the advent of artificial intelligence through to big data, the use of data to drive behaviour and performance, these meta-narratives are coming together to form a new world.

“This is certainly an area that AXIS sees as strategic. The global market is predicted to grow 35 percent compound over the next five years. We expect to exceed that growth.”

Help centre

AXIS is harnessing its capabilities to embrace cyber risk. Addressing the more than $445 billion cost that companies incur each year due to the threat of cybercrime and cyber attacks, the insurer is creating a Cyber Center of Excellence to provide a broad range of commercial insurance protection and mitigation solutions for tangible and intangible assets, relating to global cyber threats and attacks.

The cyber unit will offer a number of products and services to help companies mitigate the cyber risks associated with their tangible and intangible assets. The services will be provided either by AXIS directly or through a third-party vendor and will include access to risk assessment modelling tools, risk advisory consulting services to help companies prepare for, and respond to, cyber events, as well as access to mentoring, training and education offerings.

“We’ve always believed that cyber insurance as a product, the wording and pricing, is not enough,” Trueman says. “We need to educate both the buyers and the distribution. We need to understand what good compliance and best practice looks like, we need to understand what good monitoring looks like and we need to look at claims and breach responses.”

The written premium for the commercial cyber liability market is estimated to reach $6.2 billion by 2020 with annual take-up rates growing 20 to 30 percent during the next years, according to a report by data analytics provider Verisk.

The worst-case scenario for the cyber insurance market would be the failure of a cloud service provider, Trueman says.

An extreme cyber incident that takes a top cloud provider offline in the US for three to six days would result in economic losses of $15 billion and up to $3 billion in insured losses, according to Lloyd’s research.



Two challenges

AM Best has warned of the dual challenges insurers face when dealing with cyber risk. For one, it brings operational risk to the fore. Insurers are as vulnerable to cyber attacks as the nearest department store and face the problems of their intellectual property or personal information being compromised, as cyber attacks can disrupt businesses and websites.

In addition, for insurers that underwrite cyber insurance, focusing on coverage limits and aggregation risks from industries is essential, AM Best noted. Insurers must deal with cyber policies by carefully establishing risk appetites, controls, and reinsurance, the agency said.

Among the challenges associated with cyber risks are the difficulty of identifying these risks and appropriately implementing the right mechanisms to quantify and mitigate exposures, AM Best explained. Preventive measures such as phishing exercises and penetration testing are good ways to diminish the likelihood of an attack.

At a minimum, companies should have well-defined action plans in place in the event of a cyber breach, the analysts noted. Insurtech and fintech innovations and the growing use of third-party vendors for data analytics add layers of cyber and infrastructure risk, requiring that companies continually expand and enhance their enterprise risk management (ERM).

AXIS believes it is on the right track. “We look at the accumulation, systemic exposure as a serious issue and we spend a huge amount of time and effort on knowledge development,” Trueman says. AXIS is also working with leading tech firms to understand how they are managing potential risks, he adds.

Better modelling

Lloyd’s CEO Inga Beale has caused controversy by saying that the cyber insurance market has not developed as much as it should have in the past 20 years, and that it remains “frustratingly immature”.

Over the past two decades, the cyber insurance market has failed to live up to expectations, she said. “Evidence of the market’s immaturity can be seen in the relatively low take up of cyber insurance. Whereas many businesses have property insurance, only about 20 to 35 percent have specific cyber insurance in the US and Europe.”

Referring to barriers that have blocked the development of the market, Beale highlighted how premiums remain high compared to those in other classes of insurance. In some cases, cyber insurance is up to six times more expensive than property insurance.

On the underwriting side, difficulties in detecting and pricing the risk combined with the potential for large losses is forcing some insurers to tread carefully. Meanwhile, the fast-changing cyber risk landscape puts pressure on underwriters to ensure they have products that cover new threats, Beale said.

Be that as it may, AXIS is working on developing more sophisticated risk assessments and products.

With the help of modelling tools, the company believes it can turn subjective judgements into an objective assessment. Taking into account, for example, the number of transactions a retailer makes per year can help calculate how much insurance cover would be appropriate, Trueman explains. “It starts putting actual numbers to this,” he adds.

A more precise calculation of the potential exposure of clients to cyber also helps insurers understand their accumulation risk, Trueman continues. “We get stronger and better data all the time so we can model that risk against various scenarios systemically across the book,” he says.

AXIS is receiving key inputs for the risk assessment of clients from the University of Oxford, whose cyber risk research AXIS is sponsoring. Additional key inputs come from other third-party know-how suppliers.

AXIS aims to develop a tool that is consistent and accurate, but Trueman knows that the underlying hypothesis created around that tool needs challenging.

“We are willing to challenge it, to make sure that it is constantly tracking to the current environment, not a preferred one,” he says.

While cyber threats are constantly evolving, demand in the market is also shifting.

“For a long time, not least because of data breach laws and legislation, the cyber risk landscape focused a lot around breach and breach response,” Trueman says. “We are now seeing a greater focus on the first-party exposure to cyber events, the business interruption type of events.”

In order to develop the know-how in this area, AXIS is working with forensic accountancy firms and response firms. “The tools help to understand what the single failure points are, what the time and cost sensitivities of those single points of failure could be, in order to look at the exposure potential and to understand how to mitigate such issues,” Trueman explains.

Regulators are watching how insurers are dealing with the cyber risk, asking companies to run so-called “realistic disaster scenarios”.

“We manage our accumulation risk to those disaster scenarios,” Trueman says. “We are looking at where significant events could happen across the portfolio, whether that’s the failure of a significant piece of technology or an event that could impact more than one or two clients,” he explains.

AXIS runs such scenarios on a regular basis, analysing each risk added to its book against the impact it would have on those scenarios.

“The world is putting in place a huge number of controls, factors mitigating some of those exposure issues. That’s not to say that insurers don’t have a responsibility to make sure we manage our accumulation risk,” Trueman notes.