The Challenges of Cyber Risk Insurance
Libby Benet, JD is the Global Chief Underwriting Officer of Financial Lines at AXA XL. Libby is a Supervisory Board Member at S-RM, a global intelligence and cyber consultancy and a member of the Minnesota Lawyers Mutual Board of Directors. Libby holds a BA in Political Science from Towson University and a JD from University of Baltimore School of Law.
The digital transformation of our economies creates many opportunities but also generates ubiquitous cyber risks. Already in 2017, the OECD considered the insurance sector as a key actor to improve global cyber resilience and cyber risk management.¹ In addition, awareness of cyber risks has greatly increased in the general population, which has witnessed a rising number of attacks during the Covid-19 crisis, including on critical infrastructures, such as hospitals.
What are the challenges to cyber insurability?
Technologies that connect to the internet have not always had security as the top priority, as innovation was the first order of business. Therefore, many of the vulnerabilities introduced for companies and governments are not fully insured today. While changing, the number of governments and companies that purchase cyber insurance is still relatively low worldwide. As a result, cyber losses remain mainly uninsured today.
And indeed, there are many challenges with cyber insurability. First, the insurance sector relies on recognizing patterns in data to be able to price the product. With a natural peril for example, we have historical weather data that helps us predict what happens with a hurricane or a tsunami, while in comparison, we barely have 10-12 years of cyber insurance data. What makes the risk analysis even more complex is that the threat is man-made and constantly evolving. Additionally, there are many layers of connected and interconnected technologies, each with their own specificities, such as software, hardware, IoT, remote monitoring and so on.
When we look at accumulation modelling within cyber, it is very immature. We have a couple of realistic disaster scenarios and models, but they are only a few years old and do not yet fully include changes in threat actor behavior. Further, traditional risks such as fire and explosion and other types of property damage that are a result of a cyber event are not yet fully modelled in the industry. It’s very early days in the accumulation-modelling world.
Lack of data and issues with modelling generate uncertainty. This is an opportunity for the insurance sector, but you really need cyber security and insurance experts to come together to assess the issues and to analyze the cyber maturity of the company seeking the insurance coverage.
¹ Enhancing the Role of Insurance in Cyber Risk Management, OECD, December 2017
What makes the risk analysis from an insurance perspective even more complex is that the threat is constantly evolving and that there are many layers of connected and interconnected technologies, each with their own vulnerabilities and specificities, such as software, hardware, IoT, remote monitoring and so on.
What are the main trends in the development of cyber insurance?
What is really new in 2021 is the outsized impact of ransomware cases, with severe losses this past year. It is changing the risk appetite of the insurance sector, which is in reactionary mode at this stage.
Another very important trend is the move from ‘silent’ to ‘affirmative’ policies, that is, being explicit about what is included and what is excluded from policies. The reinsurance community began exploring these questions around 2015-2016. AXA XL made the move in 2019, then Lloyd’s mandated that insurers be explicit in their policies, giving insurers 24 months to roll out the form changes. Some in the reinsurance community are now asking their clients whether their policies are silent or affirmative. I think that this will drive the behavior of the insurance sector on all lines of business in the next year or two. This will not only affect the direct cyber products themselves but those products where cyber is a peril in other lines of business such as property or liability.
Finally, there is a growing global awareness of cyber risks and losses. Small businesses will start buying stand-alone policies covering cyber with higher limits, as opposed to insurance packages that include cyber.
However, the imbalance between supply and demand is impeding the development of the sector. Overall, there are not enough insurance companies or capacity for covering cyber risks yet. On the insurance company side, there is also a fear of the unknown in terms of shifting threat actor behavior. Additionally, there’s a limitation in accessing underwriting and risk expertise in this area. There is also a lack of maturity on the topic with key stakeholders, such as agents and brokers, who are the advisors to companies. However, there is a very strong commitment by the cyber community to improve education and awareness amongst intermediaries.
What should boards of directors know about cyber risks?
Another limitation to the development of the cyber insurance sector is the awareness and maturity of boards of directors regarding the risk and whether they should address it through a combination of cyber security spending, self-insuring the risk or whether they want to transfer it to an insurer. Publicly traded company boards tend to have greater maturity than privately owned ones, but like much in cyber, this too is relatively immature.
There are several things a publicly traded board should reasonably be required to know about cyber issues. Think of a three-legged stool: there are standards and frameworks, there is overall governance and finally there is the assessment of the financial harm of a risk unaddressed. The not-for-profit research by the Crossroads Group highlights the need to identify circumstances that contribute to the organization’s cyber risk, first at a local scale within an organization, and to determine the organization’s appetite for these risks.² This leads to the implementation of a cyber risk plan containing actions to be taken to manage cyber risk and of course to setting up oversight mechanisms.
² Cybersecurity is at a Crossroads, Cyber Crossroads, May 2021