Cyber insurance could be credit negative for insurers: Fitch

Cyber insurance brings opportunities for business growth and diversification for some insurers, but could be a credit negative for others given the potential to generate larger future losses, according to Fitch Ratings.

In response to the sharp increase in data breaches in recent years, property/casualty (P&C) insurers' efforts to offer cyber risk coverage for their policyholders have advanced significantly, and insurers' cyber risk offerings are likely to expand further in 2018.

The number of US data breaches increased 44.7 percent in 2017, according to the Identity Theft Resource Center and Cyber Scout. Such a large one-year jump in incident frequency, combined with numerous higher profile and more severe events in 2017 such as the Equifax breach and the Wannacry and NotPetya ransomware attacks, highlights how challenging it is for insurers to underwrite and actuarially price cyber exposures in a rapidly evolving environment, according to Fitch.

Cyber insurance is currently a profitable niche segment for a number of insurers but as the market grows and becomes more competitive, Fitch believes that this opportunity may erode. Also, newer market entrants may be more vulnerable to underpricing risks and exposure to large future losses as they may lack the unique underwriting and claims expertise needed for cyber insurance.

Demand for cyber insurance is likely to grow. Risk surveys such as the recent Allianz Risk Barometer 2018 report continue to list cyber as a top-10 business risk. At the same time, the Council of Insurance Agents & Brokers' December 2017 Cyber Insurance Market Watch Survey indicates that only 31 percent of respondents' clients had purchased some form of cyber coverage. Further, a 2018 report by Lloyd's and AIR Worldwide estimates that a cyber event that knocks out a major US cloud provider for several days could cause $6.9 billion to $14.7 billion in damages, with only about 20 percent of those losses insured.

Demand for cyber insurance will also be spurred by increased regulation. This year, the European General Data Protection Regulation (GDPR) will introduce more stringent notification requirements for data breaches. Such regulations not only foster awareness of cyber risks but also increase the potential for fines and penalties when data breaches and other cyber incidents occur.

More businesses are seeking specific stand-alone cyber insurance policies to cover a wider variety of cyber exposures. For example, an increase in critical data theft and ransomware attacks is leading to greater interest in first-party business interruption and property damage coverage. Similarly, a rise in public company shareholder suits from cyber incidents that have generated large losses and reputational damage is leading to greater demand for cyber coverage specific to directors' and officers' liability policies.