Cyber Insurance Risks Are Moving Too Fast For Underwriters

Uploaded on 2019-02-13 in FREE TO VIEW, BUSINESS-Services-Financial, TECHNOLOGY--Resilience

Today with the growing number of inter-connected systems, devices and machines there is no business without Cyber risk and these emerging perils can provide exciting opportunities for insurance firms to pursue organic growth but they also require a continual and growing understanding of the changing market and some underwriters are falling behind.

The prospect of deploying capital into a new product like cyber insurance, and potentially becoming a market leader in that space, is something nearly all insurers strive towards. However, the speed of change is making it difficult for underwriters to stay ahead of the game.

Cyber is by far one of the hottest new perils to grasp the attention of insurance markets worldwide. Market capacity has grown considerably in the past decade, spurred on by developing social and regulatory frameworks around privacy and personal data protection, as well as a sharp uptick in malicious cyberattacks.

Cyber insurance was born as a business interruption coverage for non-malicious cyber-triggered loss events. Since then, the product has evolved to protect firms against privacy breaches, malicious cyberattacks, systems failure coverage, contingent business interruption and contingent business failure.

As a net new peril, some of those coverage aspects are still very difficult to underwrite, particularly when assessing contingent risks, according to Josh Ladeau, global head of tech E&O and cyber at Aspen Insurance.

“We’ve reached a situation where the cyber insurance market has so much capacity and there’s so much focus on cyber as an area for growth in insurance, that the market’s almost moving a bit faster than we can genuinely underwrite to,” Ladeau told Insurance Business.

“If we look at contingent business interruption risk, for example, the quality of a given risk is reflective of its scrutiny of the third-parties it does business with.

“Typically, a cybersecurity-driven organisation will tend to choose third-party vendors that also demonstrate good levels of cybersecurity and resilience. Underwriters have some capability to write around that, but contingent risk remains an exponential threat which is difficult for underwriters to wrap their arms around.

“Furthermore, the limits and the nature of that contingent coverage has changed in the past year. Whereas a year ago, underwriters could get away with naming vendors they would consider for third-party business interruption risk, now they’re under pressure to offer blanket coverage at full limits for all of the vendors in a particular insured’s third-party relationship tree.”  

The ardent market enthusiasm for an emerging peril is not a new phenomenon, but if capacity grows out of control, that’s when cracks can start to appear.

Ladeau pointed out that capacity in the cyber insurance marketplace is currently outpacing appetite for the risk, a dynamic which has created a depression on pricing and rates.   

“It’s very interesting to watch what happens as losses develop in the cyber space,” Ladeau commented. “So far, a loss for a given risk has typically only had a temporary and narrow impact on that industry class. For example, a large loss like the Marriot breach, might cause a small shift in pricing around hospitality as an industry segment, but only for a short amount of time. The industry currently has a short memory around some of these losses.

“Even massive losses, like a potential limit loss on a $350 million tower, aren’t necessarily slowing the risk selection appetite of most cyber markets. You might see a few players backing away, but there are always markets ready to take their place.”

Some of the most significant cyber losses to date occurred in 2017. The NotPetya and WannaCry attacks shook the entire world, causing large aggregated losses with wide-reaching implications.

In the same year, US credit agency Equifax suffered a data breach that affected 143 million consumers and JPMorgan suffered one of the biggest bank breaches in history.

As the industry experiences more aggregated cyberattacks, the portfolio strength of insurers will likely be tested and the pack might thin out, according to Ladeau.

“Lots of markets have entered the cyber space and are playing it in the same way they would any other professional services product. With something like lawyers’ professional liability, offering $10 million in excess of $100 million for relatively thin rate is often considered a safe way to build a portfolio.

“We’re seeing markets take similar capacity plays for cyber insurance, but in reality, the cybersecurity landscape is completely different. There’s a different trajectory for typical loss in cyber,” Ladeau commented.    

“I think that’s being learned by the market, but again, the amount of capacity available is almost overshadowing that for now. What I think you’ll see in the future is a greater frequency of these mass-level attacks, more acknowledgement of that threat by insurance companies, and greater understanding that cyber events are more often tower-implicating losses rather than small-level losses on accounts.

“That will thin out the crowd in terms of the amount of high-excess capacity players there are in the market, which I think will start to drive a change in pricing as well as hopefully some constriction around coverage grants.”   

Insurance Business

You Might Also Read:

Insurance: Common Cyber Security Myths:

« Meeting The Cyber Talent Challenge Head-On
NASA's Daily Shutdown Threat »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

International Association of Professional Security Consultants (IAPSC)

International Association of Professional Security Consultants (IAPSC)

Members of the IAPSC represent a unique group of respected, ethical and competent security consultants.

Volexity

Volexity

Volexity is a leading provider of threat intelligence and incident suppression services and solutions.

Redbelt Security

Redbelt Security

Redbelt is a cyber security consultancy. We integrate people, systems, services and products to transform how your information security is delivered.

Proton Data Security

Proton Data Security

Proton Data Security is a certified small business specializing in the design, manufacturing and sales of data security products for permanent erasure of hard drives, tapes and optical media.

ProSearch Partners

ProSearch Partners

ProSearch Partners are national talent acquisition specialists exclusively focussing on Technology and Digital talent including Cybersecurity, Data Analytics and Execs.

Lexsynergy

Lexsynergy

Lexsynergy is a global domain name management and online brand protection company.

Fly Ventures

Fly Ventures

Fly Ventures is a seed-stage venture capital fund for outstanding teams building Enterprise and Deep Tech startups in Europe.

DataPassports

DataPassports

DataPassports is a data-centric security and privacy solution that enforces privacy and security from end-to-end with transparent protection of data at the source.

Trianz

Trianz

Trianz Cybersecurity Services are Powered by One of the World’s Largest Databases on Digital Transformation. We Understand Evolving Risks, Technologies and Best Practices.

SessionGuardian

SessionGuardian

SessionGuardian (formerly SecureReview) is the world's first and only technology which ensures second-by-second biometric identity verification of your remote user, from log on to log off.

MAXXeGUARD Data Safety

MAXXeGUARD Data Safety

MAXXeGUARD: The High Security Shredder. MAXXeGUARD easily destroys hard disks up to the highest security levels as well as other digital data carriers like SSD’s, LTO’s, USB’s, CD’s etc.

PhishFirewall

PhishFirewall

PhishFirewall is an advanced AI-driven CyberSecurity Awareness Education, Threat Emulation, and Human Security Analytics Platform.

FTx Identity

FTx Identity

FTx Identity is the world's most advanced age verification technology (AVT) and identity management system.

Olympix

Olympix

Dev-first Web3 security that starts at the source. Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.

Vorlon

Vorlon

Vorlon's agentless patent-pending solution facilitates risk profiling of apps, and provides AI-driven behavioral analytics with response recommendations.

Health Sector Cybersecurity Coordination Center (HC3)

Health Sector Cybersecurity Coordination Center (HC3)

HC3 was created by the US Department of Health and Human Services to aid in the protection of vital, controlled, healthcare-related information.