A relatively new specialty poses challenges to traditional P&C insurers.Massive security breaches at major financial institutions like Equifax and cross-border ransomware attacks have highlighted a pressing need for corporations to bolster their cyber security measures. Projections about the future growth of the cyber insurance market reflect their increasing commitment to protecting their digital infrastructure.
Deloitte notes that the U.S. cyber insurance sector currently accounts for $1.5 billion to $3 billion in annual premiums, a sliver of the $505.8 billion insurers underwrote in 2015. According to P&S Market Research, the global market for cyber insurance will reach nearly $17 billion by 2023. As cyber insurance continues to expand, however, underwriters are struggling to adjust traditional models to better accommodate new risks, creating significant challenges for the collective insurance industry.
Lack of Historical Data
Traditionally, underwriters have assessed potential risks and the probable cost of claims by examining historical data, but since cyber insurance is a relatively new specialty, insurers haven’t compiled enough hard data to accurately develop predictive models for possible losses. Since cyber attacks can happen anywhere at anytime, they’re also harder to predict than natural catastrophes, which tend to strike specific areas during defined seasons. In addition, many cyber attacks go unreported, preventing underwriters from analyzing their costs and identifying common risks. Without more comprehensive data, underwriters can’t effectively price policies, forcing insurers to offer too narrow coverage for many corporations.
What Is a Cyber Attack?
Underwriters also struggle to define a cyber attack. Stealing personal information is the primary cyber security hazard, but other risks such as denial of service,and intellectual property theft are emerging, as well. Those risks may often mingle with other property and casualty insurance segments, leading to overlapping coverages. Because cyber attacks could be covered by so many lines of insurance, John Coletti suggested at Advisen’s 2017 Cyber Risk Insights Conference that cyber risk policies will soon mirror broader all-peril-, all risks-type contracts.
The changing nature of cyber breaches also creates confusion over how to underwrite cyber security risks. At the Advisen conference, Tim Francis, Enterprise Cyber Lead at Travelers, cited increased W-2 fraud as an example of a risk that blurs the distinction between cyber attacks and other sources of damage. Such an attack would seemingly be insured as a property crime, but as Francis explained, it does contain an element of cyber theft because a person infiltrated a computer network.
Rather than underwrite all potential exposures, Coletti said that the industry must strictly define cyber risks and cover only those liabilities. “You can’t just dilute cyber policies with anything that is new and different and has some sort of cyber element to it,” he said. “It dilutes the value of what a true cyber policy is for, which is a cyber attack.”