Moody's Investors Service: cyber growth, risks and profits

Over the last four years, the cyber insurance industry has grown substantially, putting property and casualty (P&C) insurers in the unique position of providing cyber coverage to other companies while also risking such attacks themselves, Moody’s Investors Service says in a report.

The report, Battling hidden cyber exposures, insurers position for growing opportunity, claims that in order to succeed in this small but profitable market, P&C insurers must prioritise the accurate assessment and management of cyber exposure while also addressing challenges that come with underwriting and modelling cyber insurance.

“The proliferation of new rules around the globe boosts demand for cyber insurance, but also raises questions and highlights uncertainty around the scope of the insurance coverage,” said Moody’s associate managing director Sarah Hibler when the report was released in July.

According to Moody’s, while P&C insurers are at risk of cyber attacks themselves, they are also in the unique position of providing other companies with insurance coverage for attacks. However, as Moody’s points out, not all cyber coverage takes the form of cyber insurance, a separate product type.

The report says that some cyber coverage is “silently” embedded in commercial property and liability policies because of ambiguous wording or because it is not excluded from those policies. Consequently, accurate assessment and management of cyber exposure is a top priority for P&C insurers, especially since commercial property policy limits are often multiples of limits provided for cyber-only coverage. Moody’s continues to view cyber insurance as a high-risk product, but insurers have generally taken a measured approach with the support of reinsurance, says the report.

Small but profitable—and growing
According to Moody’s, cyber is a small but profitable line for most insurers with increasing demand for coverage, although as the report points out cyber insurance, while a relatively small market, has grown quickly in the four years since Moody’s initial report on the product.

It is a highly profitable business for those insurers that continue to invest in underwriting, modelling and analytics.

Growth prospects for cyber insurance are promising given the changing nature of the risk, the pervasiveness of technology, the value of insurance as a risk management tool, and expanding regulation, all of which are driving demand for coverage.

Moody’s notes that assessing aggregate insured cyber exposure is complicated. In addition to embedded cyber exposures in traditional P&C policies, ongoing cyber-related insurance litigation complicates true cyber exposure assessment.

Two closely watched court cases (one involving Merck & Co and the other involving Mondelēz International, both related to the NotPetya cyber attack) will determine whether certain exclusions found in most traditional P&C policies can apply to cyber attacks. Other ongoing litigation deals with which parties under Article III of the US Constitution can sue for damages from cyber attacks that result in the theft of personal information.

Underwriting and risk management projects are beginning to address silent cyber exposures, the Moody’s report claims.

“Insurers, particularly those that write large national and multinational accounts, are shifting cyber risk to standalone policies or implementing cyber sub-limits or exclusions in traditional policies. Insurers and reinsurers are also using deterministic scenarios and working with third party vendors to model cyber risk,” it says.

However, it adds, unique difficulties remain for underwriting cyber insurance, as a lack of uniform policy wording and the evolving nature of the risk constrain the growth of cyber insurance as a separate product. Potential risk accumulations are another challenge because the same event can affect multiple clients, particularly as companies move to cloud computing.

Addressing silent cyber
Moody’s points out that regulators are also weighing in on silent cyber. On January 30, 2019, the Bank of England Prudential Regulation Authority announced the results of a follow-up survey on cyber underwriting risk.

Since publishing its cyber insurance underwriting risk report in 2017, the regulator outlined that it expected insurers to develop action plans by the first half of 2019 with dates and actions taken to address silent cyber risk.

In July, Lloyd’s of London announced that beginning in 2020, all first-party property policies should be clear as to whether cyber is or is not covered. For liability and treaty reinsurance, insurers will need to clarify whether cyber is covered in a staged approach in 2020 and 2021.

Lloyd’s also requires its syndicates to run realistic disaster scenarios, including that of a major data cybersecurity breach.

Moody’s says insurers continue to run deterministic scenarios and take underwriting actions, and use reinsurance to manage gross exposure. In April, Allianz announced that it had developed an underwriting strategy to address silent cyber exposures. Allianz’s large commercial business unit, AGCS, is taking the lead to implement a strategy for new business that will clarify whether cyber risk is explicitly included in traditional policies or covered in a specific cyber policy.

The company also plans to implement a strategy for renewal business, subject to regulatory and filing requirements in certain jurisdictions. Other Allianz companies will implement the strategy by January 2020.

Moody’s stresses that a number of unique challenges remain in underwriting cyber insurance. Although risk modelling for the exposure has advanced, underwriters still struggle with complexity and the ever-changing nature of the risk. The loss-frequency and loss-severity dynamic of cyber risk has more in common with terrorism or crime and fidelity perils than with a loss that an insured cannot be held to have anticipated.