As insurers strive to access the untapped potential of the cyber market, a number of factors hindering progress must be addressed. EXPOSURE investigates.

It is difficult to gain an accurate picture of the global financial impact of cyber-related attacks. Recent studies have estimated annual global cybercrime losses at anywhere from $400 billion to upwards of $3 trillion.

At the company level, the 2016 Cost of Cyber Crime and the Risk of Business Innovation report by the Ponemon Institute pegs the annual average cost of cybercrime per organization in the U.S. at $17.4 million, up from $15.4 million in 2015; well in front of Japan ($8.4 million / $6.8 million), Germany ($7.8 million / $7.5 million) and the U.K. ($7.2 million / $6.3 million).

In response, firms are ramping up information security spending. Gartner predicts the global figure will reach $90 billion in 2017, up 7.6 percent on 2016, as investment looks set to top $113 billion by 2020, with detection and response capabilities the main drivers.

The insurance component

Set against the global cyber insurance premium figure — in the region of $2.5 billion to $4 billion — it is clear that such cover forms only a very small part of current risk mitigation spend. That said, premium volumes are steadily growing.

In the U.S., which accounts for 75 to 85 percent of global premiums, 2016 saw a 35 percent rise to $1.35 billion. That figure is based on statutory filings with the National Association of Insurance Commissioners, so it is not a total market figure.

“Much of the premium increase we are seeing is driven by the U.S.,” Geoff Pryor-White, CEO of Tarian, explains. “But we are also seeing a significant uptick in territories including the U.K., Australia and Canada, as well as in the Middle East, Asia and Latin America.

“Events such as the recent WannaCry and NotPetya attacks have not only helped raise cyber threat awareness, but demonstrated the global nature of that threat. Over the last few years, most attacks have been U.S.-focused, targeting specific companies, whereas these events reverberated across the globe, impacting multiple different organizations and sectors.”

Untapped potential

Insurance take-up levels are still, however, far from where they should be given the multibillion-dollar potential the sector offers.

One aspect hindering market growth is the complexity of products available. The Hiscox Cyber Readiness Report 2017 found that 1 in 6 respondents who did not plan to purchase cyber insurance agreed that “cyber insurance policies are so complicated — I don’t understand what cyber insurance would cover me for.”

As Pryor-White points out, cyber products, while still relatively new, have undergone significant change in their short tenure. “Products initially targeted liability risks – but to date we have not seen the levels of litigation we expected. The focus shifted to the direct cyber loss costs, such as crisis management, data recovery and regulatory fines. Now, as client concern grows regarding business interruption, supply chain risk and reputation fallout, so products are transitioning to those areas.”

He believes, however, that coverage is still too geared towards data-driven sectors such as healthcare and financial institutions, and does not sufficiently address the needs of industries less data reliant. “Ultimately, you have to produce products relevant to particular sectors. NotPetya, for example, had a major impact on the marine and manufacturing sectors – industries that have not historically purchased cyber insurance.”

Limits are also restricting market expansion. “Insurers are not willing to offer the more substantial limits that larger organizations are looking for,” says Thomas Harvey, cyber product manager at RMS. “Over the last 12 months, we have seen an increase in the number of policies offering limits up to $1 billion, but these are complex to put together and availability is limited.”

That underwriters are reticent about ramping up cyber limits is not surprising given levels of available cyber data and the loss potential endemic within “silent cyber.” A recent consultation paper from the U.K.’s Prudential Regulatory Authority stated that “the potential for a significant ‘silent’ cyber insurance loss is increasing with time,” and warned it extended across casualty and property lines, as well as marine, aviation and transport classes with the evolution of autonomous vehicles.

Robust exclusions are called for to better clarify coverage parameters, while insurers are urged to establish clearer cyber strategies and risk appetites, including defined markets, aggregate limits for sectors and geographies, and processes for managing silent cyber risk.

Exclusions are increasingly common in packaged policies, either for all cyberattack-related losses or specific costs, such as data breach or recovery. This is driving a strong uptick in demand for standalone policies as clients seek affirmative cyber cover. However, as Pryor-White warns, “The more standalone cover there is available, the more prevalent the aggregation risk becomes.”

Getting up to cyber speed

Data is at the core of many of the factors limiting market expansion. Meaningful loss data is effectively limited to the last five to ten years, while the fast-evolving nature of the threat limits the effectiveness of that data. Further, rapid developments on the regulatory front are impacting the potential scale and scope of cyber-related losses.

“One of the main issues hindering growth is the challenge insurers face in assessing and managing risk correlations and the problems of accumulation. Models are playing an increasingly prominent role in helping insurers overcome these inherent issues and to quantify cyber risk,” says Harvey. “Insurers are not going into this sector blind, but have a more accurate understanding of the financial downside and are better able to manage their risk appetite accordingly.”

While historical information is a foundational element of the RMS cyber modeling capabilities, each incident provides critical new data sets. “We’re looking behind the headline loss numbers,” Harvey continues, “to get a clear understanding of how the attack was carried out, what vulnerabilities were exploited and how the incident developed. We are then mapping this rich data into our models.”

The data-sourcing approach is very different from a traditional cat model. While securing property data from underwriting slips and other sources is virtually an automated process, cyber data must be hunted down. “You’re seeking data across multiple different sources,” he adds, “for a risk that is constantly expanding and evolving – to do that we’ve had to build new data-gathering capabilities.”

Partnership is also key to cracking the cyber code. RMS currently works with the Cambridge Centre for Risk Studies, a number of insurance development partners, and additional technology and security companies to expand its cyber data universe.

“We’re bringing together insurance domain knowledge, cyber security expertise and our own specific modeling capabilities,” Harvey explains. “We’ve looked to build out our core capabilities and introduce a diverse skill-set that extends from experts in malware and ransomware, as well as penetration testing, through to data scientists and specialists in industrial control systems. We’re also applying new techniques such as game theory and Bayesian networks.”

Following the launch of its first cyber accumulation model in February 2016, the firm has expanded its capabilities on a number of fronts, including the ability to model silent cyber risk and the inclusion of a series of new cyber-physical risk scenarios.

Better data and more accurate modeling are also critical to the sector’s ability to raise limits to meaningful levels. “We’re seeing a lot of fairly dramatic potential loss numbers in the market,” says Pryor-White, “and such numbers are likely to make capital providers nervous. As underwriters, we need to be able to produce loss scenarios based on solid data provided through recognized aggregation models. That makes you a much more credible proposition from a capital-raising perspective.”

Data interrogation

“The amount of cyber-related data has increased significantly in the last 10 years,” he continues, “particularly with the implementation of mandatory reporting requirements – and the launch of the EU’s General Data Protection Regulation will significantly boost that as well as driving up insurance take-up. What we need to be able to do is to interrogate that data at a much more granular level.”

He concludes: “As it stands now, we have assumptions that give us a reasonable market view from a deterministic perspective. The next stage is to establish a way to create a probabilistic cyber model. As we learn more about the peril from both claims data and reporting of cyber events, we gain a much more coherent picture of this evolving threat, and that new understanding can be used to continually challenge modeling assumptions.”