The Upcoming Boom Of Cyber Risk Insurance And What It Means For Your Business

Given such a risky environment, you might expect the market for a dedicated, stand-alone cyber insurance policy to be expanding exponentially. Yet the industry still has a long way to go to fulfill such lofty expectations.

Our immediate goal was to determine the reasons behind the slower-than-expected adoption rate for stand-alone cyber insurance in the middle market. Such buyers may not be household names, but often have large operations, usually with a full-time risk manager handling insurance purchasing. Among the topics we examined:

Another interesting finding was that the more experienced the buyer, the more likely they were to get a stand-alone policy. Seventy-one percent of respondents who had purchased insurance for their companies for more than 10 years had the coverage. But among buyers with one to three years of experience, only 47 percent bought cyber coverage, falling to 36 percent for those in their first year on the job. This indicates that experienced buyers may not only be more aware of cyber risks and the need to get additional, dedicated coverage, but also may be in a more credible position to persuade their C-suite about its importance.

Insurers should therefore be arming their distribution force with the latest statistics to highlight the likelihood and potential fallout of a cyberattack for those unfamiliar with the risk or the insurance available to cover it. They also should use real-life examples as case studies to clearly demonstrate not only how a stand-alone policy might help mitigate the damage of an attack, but why, in many circumstances, coverage in a standard policy alone may not get the job done.

Even so, while insurers should be able to stratify pricing by industry and type of business, reliable technical pricing may remain elusive, given the evolving nature of cyber risk. This also could render historical data somewhat irrelevant as new threat actors and attack techniques continue to emerge. Insurers also should be wary of aggregation risks, where a single cyber event could potentially trigger multiple losses under different policies or impact many customers simultaneously and result in a cyber catastrophe.15

This could help agents and brokers market the coverage by offering a more effective, wider-ranging suite of cyber services, beyond just the annual sale of another insurance policy. It would also help plug a potential coverage gap and address a major emerging risk before competing intermediaries use cyber services beyond insurance as leverage to quote an entire commercial account.

On the flip side of this argument, intermediaries also should be made aware of the potential professional liability exposure they could face if an uninsured or underinsured client is hit with a cyberattack. Consider what happened after Superstorm Sandy, when many businesses sued their agents for failing to recommend separate flood or business interruption policies to supplement their standard property coverage.26

Insurers appear to have room to experiment on prices, limits, and coverage terms, as well as marketing approaches. Still, carriers may not have a lot of time to adapt because they are not operating in a vacuum. As insurers contemplate shifts in strategy to increase stand-alone adoption, they should not take their place in the cyber insurance market for granted. Companies looking to alleviate cyber risk have other options.

Self-insurance is one alternative. Coverage options checked as acceptable possibilities by current nonbuyers surveyed range from setting aside a dedicated cyber risk reserve fund (cited by 51 percent), to creating their own captive insurer (42 percent), to securitizing the risk by floating cyber bonds in the capital markets (41 percent). The last example would follow the lead of buyers who sought greater certainty and control over their property coverage in potential disaster zones via the sale of catastrophe bonds.

Cyber insurance plays a key role in managing and reducing cyber risk. This is a relatively new area of insurance for most insurers, but one that has grown rapidly. In 2019 the U.S. cyber insurance market was $3.15 billion.[2] It is estimated that by 2025, it will be over $20 billion.[3] And these numbers understate insurance coverage of cyber risk, as many insurance claims arising from cyber incidents are submitted under non-cyber insurance policies. As the insurance regulator for New York, our goal is to facilitate the continued growth of a sustainable and sound cyber insurance market.

A robust cyber insurance market that effectively prices cyber risk will also improve cybersecurity. By identifying and pricing risk created by gaps in cybersecurity, cyber insurance can create a financial incentive to fill those gaps to reduce premiums.[4] By driving improved cybersecurity and cyber risk management, cyber insurance can also benefit consumers who entrust their sensitive data to these organizations.

Insurers play a critical role in mitigating and reducing the risks of cybercrime. We commend the progress many insurers have made in managing their cyber insurance risk to date and look forward to continuing to work with the industry to address challenges in the cyber insurance market.

All authorized property/casualty insurers that write cyber insurance should employ the practices identified below to sustainably and effectively manage their cyber insurance risk.[15] Based on our engagement with industry and experts, certain best practices have emerged.

Insurers that offer cyber insurance should have a formal strategy for measuring cyber insurance risk that is directed and approved by senior management and the board of directors, or the governing body if there is no board.[16] The strategy should include clear qualitative and quantitative goals for risk, and progress against those goals should be reported to senior management and the board, or the governing body if there is no board, on a regular basis. The strategy should incorporate the six key practices identified below.

Insurers that offer cyber insurance should determine whether they are exposed to silent or non-affirmative cyber insurance risk, which is risk that an insurer must cover loss from a cyber incident[17] under a policy that does not explicitly mention cyber. Even property/casualty insurers that do not explicitly offer cyber insurance should evaluate their exposure to silent risk and take appropriate steps to reduce their exposure. Silent risk can be found in a variety of combined coverage policies and stand-alone non-cyber policies, including errors and omissions, burglary and theft, general liability and product liability insurance.[18] Cyber risk likely has not been quantified or priced into these policies, which exposes insurers to unexpected losses.

Ultimately, insurers should eliminate silent risk by making clear in any policy that could be subject to a cyber claim whether that policy provides or excludes coverage for cyber-related losses. Elimination of this risk will take some time, given the many existing policies that can contain silent cyber risk. Insurers should therefore also take steps to mitigate existing silent risk, such as by purchasing reinsurance.

As part of their cyber insurance risk strategy, insurers that offer cyber insurance should regularly evaluate systemic risk and plan for potential losses. Systemic risk has grown in part because institutions increasingly rely on third-party vendors, and those vendors are highly concentrated in key areas like cloud services and managed services providers. Insurers should understand the critical third parties used by their insureds and model the effect of a catastrophic cyber event on such critical third parties that may cause simultaneous losses to many of their insureds. Examples of such events could include self-propagating malware, such as NotPetya, or a supply chain attack,[19] such as the SolarWinds trojan, that infects many institutions at the same time, or a cyber event that disables a major cloud services provider. A catastrophic cyber event could inflict tremendous losses on insurers that may jeopardize their financial solvency.[20]

Insurers also should conduct internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events. Accurate stress testing requires accounting for both silent and affirmative risk. Moreover, because exposure to catastrophic cyber events varies across business industries and by type and size of the insured, insurers should track the impact of stress test scenarios across the different kinds of insurance policies they offer as well as across the different industries of their insureds. The cyber insurance risk strategy should account for possible losses identified in stress tests.

Insurers that offer cyber insurance need appropriate expertise to properly understand and evaluate cyber risk. Insurers should recruit employees with cybersecurity experience and skills and commit to their training and development, supplemented as necessary with consultants or vendors.

The cyber insurance market is currently estimated to be worth around $2bn in premium worldwide, with US business accounting for approximately 90%. Fewer than 10% of companies are thought to purchase cyber insurance today. However, the cyber insurance market is expected to grow by double-digit figures year-on-year and could reach $20bn+ in the next 10 years.

Data protection and liability risks dominate the cyber landscape today. The impact of business interruption (BI) from a cyber incident and the further development of interconnected technology will be of increasing concern to businesses over the next decade and will spur insurance growth.

Our research revealed a number of significant obstacles carriers face when contemplating the sale of cyber insurance, as well as issues causing many prospects to hesitate when considering a transfer of at least a portion of their risk to third parties (see figure 1).

Another concern is that a relatively narrow view of what constitutes cyber risk may be prompting many insurers to focus their marketing efforts primarily on those facing the possibility of PII theft. However, those we spoke with said such coverage is rapidly becoming commoditized and price-sensitive, limiting long-term insurer growth and profit potential.
