Cyber insurance: a not so global market

The cyber threat knows no boundaries. Viruses or other forms of attack travel quickly, harming companies and individuals globally. But while the impact on businesses and individuals may be similar, independent of jurisdiction, different regulatory regimes mean that the products and services available to mitigate and manage such attacks differ markedly.

Despite these inconsistencies, the opportunity for growth for insurers is significant. With increasing digitisation and connectivity, cyber insurance demand is poised for growth. The cyber security insurance market is expected to reach $17.55 billion in 2023, up from $4.52 billion in 2017, registering a compound annual growth rate (CAGR) of 25.4 percent during the forecast period, according to the Global Cyber Security Insurance Market 2018-2023 report by Orbis Research.

A rise in cyber data breaches and increasing adoption of cloud-based services are just some of the factors driving the growth of cyber security insurance market, the report noted.

In 2017, ransom-ware attacks such as NotPetya and WannaCry spread globally causing damage across the globe and bringing everything from car factories, to hospitals to shops and schools to a halt. In addition, US-based credit agency Equifax in 2017 suffered a breach that affected 143 million consumers. More recently, in December 2018, hotel chain Marriott revealed a data breach affecting 500 million customers of its Starwood hotels across the world.

“We all face the same types of exposures,” said Elizabeth Queen, vice president, risk management at information and services provider Wolters Kluwer, during a December webinar titled ‘The European Cyber Insurance Market: Ready for Growth, but Will It Overtake the US?’ organised by Advisen.

But while the exposure to malware attacks and cyber-crime, as well as the risk to privacy breaches or brand reputation, may be similar worldwide, there are significant differences as to how these risks are managed in the US compared with Europe, Queen explained.

Regulation drives demand

One important difference between the two markets is their maturity in terms of cyber, privacy and reputation risk management. “The US is much more advanced in this area and for that reason we see the European market being more focused on cyber resilience and business interruption as a way to catch up,” Queen said.

Another distinguishing factor is litigation, Queen noted. “We all know how litigious the US can be and this drives up price. Therefore, the US market tends to be more focused on indemnity and expense coverage,” she said.

The lack of litigation in Europe means providers of cyber insurance focus on a different type of clientele than in the US. The conversation has moved from privacy to business interruption, Jamie Bouloux, CEO EmerginRisk, a Ryan Specialty Group-owned managing general agent, explained.

“We started moving away from security failure, started looking at operational failure, and ultimately moved into the area of system failure,” Bouloux said.  “We’ll see GDPR change the landscape back to privacy conversation.”

In Europe, the introduction of the European Union’s General Data Protection Regulation (GDPR) in 2018 has been a major factor for cyber insurance buying as it included penalties for data breaches that can reach up to €20 million or up to 4 percent of the company’s worldwide annual turnover, whichever is higher.

A penalty can be issued if a company fails to notify regulators of breaches within 72 hours. The law brings Europe more closely into line with the US, where many states have required firms to notify regulators about data breaches for some time.

“Pre-GDPR we didn’t have a breach regime in Europe, so the US cyber breach product did not appeal to buyers because people did not really understand breach,” said Hans Allnutt, partner, cyber & data risk practice leader at law firm DAC Beachcroft. GDPR is creating a breach environment and therefore driving forward the breach cover, Allnutt explained.

So far, stories around business interruption, operational reliance on electronic systems and cyber-crime have shaped the cyber insurance market in Europe, Allnutt explained. This has pushed the development of all lines of insurance within the cyber cover, the breach, crime, business interruption (BI) elements of it, resulting in a more sophisticated product in Europe, more demanding policyholders.

Both the US and the EU markets are heavily regulated but a different approach by governments creates distinct ways in how insurance buyers operate in the markets, Queen noted. “Europe is principles-based, there is a lot of room for interpretation,” she said.

“I am quite bullish on the European market,” Queen said. While in the US the approach to cyber risk is more conservative and policies and processes are fairly prescriptive, the European market is much more business practical as the laws are principle-based, she explained. “This is a major advantage of the European approach and is guiding the underwriting process,” she said.

“The principles-based European wording is more agile; less is more in this respect.”

To further develop the policy wording and products in Europe the cyber market would benefit from the introduction of blockchain technology, Queen suggested.

Blockchain, also dubbed distributed ledger technology, is the technology behind digital currencies such as Bitcoin and is praised for the fact that it creates a secure ledger of information that prevents the unauthorised modification, addition or removal of data.

As blockchain systems are immutable and do not require oversight by a central authority, an advantage of this technology is that it opens up new options for secure collaboration between competitors by removing the need for trust between third party organisations.

“If the market turns to blockchain technology it would be much easier to adapt simple, pragmatic pre-agreed wording than the archaic wording that is still used in America that people don’t use in everyday conversation but it’s what is expected to guide insurance transactions,” Queen said.

A test for European cyber

But as insurers and reinsurers chase growth and market share in this sector, some market participants have concerns that underwriting discipline is already being sacrificed. Martin Kreuzer, corporate underwriter cyber risks, Munich Re has this precise worry. “What currently concerns Munich Re is that we are in a time of decreasing premiums and policies have not yet been tested and claims might increase,” he said. “We have intense competition for premiums and we should look at disciplined underwriting of that risk.”

Bouloux agreed: “We are at a point where we are somewhat losing control of breath of the wording. A lot of that is being driven by market participants that are trying to create acceptance, create a market and drive growth.”

While noting that he is also bullish on the cyber market in Europe, he also noted that a lot of the policies are untested. He said the market’s development will be driven by the levels of claims and how these are managed. He added that difficulties could emerge if claims services are centralised due to things such as language barriers. This could lead to inaccurate assessments, Bouloux added.

Indeed, claims handling will be crucial for the assessment of the market approach, Queen agreed. “Because of wording differences or differences in understanding there might be disappointment on the side of the buyer,” she said.

The US cyber insurance market may be more stable because of its longer history allowing it to be tested and developed over a longer period, Bouloux suggested.

“The US may be in the second or third generation of cyber brokers and Europe is still using converted professional indemnity (PI) brokers or property brokers to try and sell cyber policies,” Bouloux said. “That is where a lot of the shortfalls occur.”

European risk is generally perceived as better than US risk and people are willing to make exceptions and underwrite accounts with less information, Bouloux noted. “They are willing to give a cheaper rate without due consideration what that actually means because we follow the market like the PI market,” he said.

But this may be a mistake. “The reality is that the PI market is rated on litigation and the cyber market shouldn’t be. The cyber market should be rated on crises response, crisis mitigation, business interruption and probably litigation as we are moving into GDPR,” Bouloux explained.

Eventually, the EU and US cyber markets should become more similar, Bouloux suggested.

“The rating should fall in line with kind of US expectations, which means that the underwriting and applications process should really be the same as in in the US,” he said.

“Cyber transcends borders and therefore the application process should transcend borders.”