Silent Cyber Risk is Largest Inhibitor of Cyber Insurance Market Growth, UK Study Finds
Business Wire, April 2018
LONDON–(BUSINESS WIRE)–A new study of the UK cyber risk insurance and broker community reveals startling findings. First and foremost, the insurance industry needs to address non-affirmative cyber in a meaningful way. Second, measurement of cyber risk in financial terms is highly deficient among insurance customers and the insurance industry itself. Finally, a series of catastrophic cyber events or a systemic cyber event will drastically alter the way in which insurers measure the risk profile of each applicant.
The survey was sponsored by Secure Systems Innovation Corporation (SSIC), the cyber risk management firm that created X-Analytics®, the world’s first cyber risk model that quantifies the economics of cyber risk.
More detailed survey results follow:
‘Silent’ Cyber Risk is Key Market Growth Inhibitor
More than three-quarters (77 per cent) of UK cyber risk insurance brokers and insurers believed that the insurance industry needs to urgently address non-affirmative cyber or ‘silent cyber’ in a deeper, more meaningful way. Silent cyber refers to instances where cyber perils (such as service interruption or data breach) are neither explicitly included, nor explicitly excluded, by an insurance policy’s wording. There was also a recognition that this problem could not be resolved swiftly, according to 22 per cent of respondents.
Lack of Cyber Risk Understanding Inhibits Purchasing
Responses to a separate question on why cyber insurance is not being purchased by more companies as a means of transferring risk indicated that companies ‘not understanding policy coverage’ and ‘cyber policies were still too confusing and did not tie easily to known cyber peril categories,’ were the second and third most heavily-weighted responses respectively. The most significant factor holding back the market from the buyer’s perspective was firms ‘not understanding their own risk exposures,’ according to respondents.
Inadequate Customer Measurement of Cyber Risk
Results also reveal that an astonishing 89 per cent of respondents know that their customers either have an inadequate method for measuring the cost of a data breach or remain unsure of their customers’ data breach measurement capability. The same percentage (89 per cent) said that customers could not adequately measure the potential impact of a cyber extortion (e.g. ransomware) event.
Customer measurement capability across other cyber perils fared little better. Eighty-seven per cent of insurers and brokers said customers had inadequate or unknown measurement systems for theft of intellectual property. Additionally, 83 per cent of respondents felt that customers could not measure the cost of a cyberattack that interrupts service.
Only one in every seven customers (14 per cent) has adequate measurement for cyber/physical (property and casualty damage due to cyber incidents) peril events. Only 10 per cent of insurers indicated that customers were adequately measuring likely costs associated with a potential data breach.
Cyber Perils Disconnected from Policy Clauses
Linked to silent cyber exposure, nearly half (47 per cent) of respondents admitted to having no clear connection between core cyber peril events and cyber risk insurance cover elements in their policy wording. Only eight per cent of insurers and brokers felt their policy wording now closely reflected the top five most-understood cyber peril threats.
If insurers do not map key cyber peril events to key cyber risk policy clauses—defining affirmatively what is explicitly covered or excluded—there is a real danger that vital cyber perils will not be covered.
Catastrophic or Systemic Events Set to Reshape Cyber Insurance Market
Sixty-two per cent of respondents agreed that a series of catastrophic cyber events or systemic event (single action that impacts claims on multiple policies within insurers’ portfolios) could drastically alter the way in which insurers measure the risk profile of cyber insurance applicants. A further 35 per cent said that catastrophic claims had the potential to reset the market but that this would depend on the size of resulting claims.
Aggregated Risk Uncertainty Hinders Cyber insurance Book Growth
The survey also uncovered strong evidence of a lack of market understanding and pricing of aggregated risk. Six out of every 10 cyber brokers and insurers (60 per cent) agreed or strongly agreed with the statement that ‘lack of understanding of aggregated risk within cyber insurance portfolios is hindering market growth.’
Board-Level Demand is Largest Purchasing Driver
Specific demand for cyber cover from board-level executives is the most heavily weighted driver of new cyber insurance sales. Demands placed on boards by due diligence requirements runs a close second.
These due diligence demands perhaps explain why ‘the board as a whole’ is regarded as the most significant decision-making group for new cyber cover (for 42 per cent of all respondents).
Risk Remediation Versus Risk Transfer Poorly Understood
With cyber risk, there are only three practical choices: remediate, transfer, or accept cyber risk. This assumes that each organisation has the ability to measure cyber risk and draw a delineation between risk remediation and risk transfer.
Nearly three-quarters (73 per cent) of respondents believe that most organisations do not understand the delineation between risk remediation and risk transfer as a mechanism to buy cyber insurance. This implies that most organisations are using intuition to determine the type and limit of their cyber coverage.
Outside-in Cyber Risk Assessments Not Good Enough
Only a tiny minority of brokers and insurers (2.6 per cent in this survey) believe that information gleaned from a short questionnaire or internet-based tool is an effective way to measure an applicant’s risk profile. However, the use of ‘outside-in’ internet-based tools and short questionnaires continues to dominate. Remarkably, only five per cent routinely commission a risk assessment from a third-party cybersecurity vendor to better understand their applicant’s risk profile. This must change if carriers are to manage cyber book risks adequately.
Brokers to Carry Largest Share of Market Education
More than nine out of every 10 insurers and brokers (94 per cent) saw a significant need to educate the buyer during the pre-sales process to expand sales opportunity and avoid misalignment of cyber insurance policy to customer needs, with 65 per cent of respondents putting the onus on brokers to educate the market. Only a tenth (11 per cent) felt an independent third-party body or regulator (sponsored by the industry) ought to take the lead. A further 11 per cent felt underwriters ought to be responsible for this market education work.
Robert Vescio, inventor of X-Analytics, the world’s first cyber risk quantification model used to model the economics of cyber risk exposure, commented on the survey’s findings:
“There are more than 130 insurers writing cyber premiums globally. Does this mean that cyber risk is well-understood and that there are agreed-upon standards for underwriting throughout the industry? According to the survey, the answer is a resounding ‘no.’ Cyber risk is clearly not yet well-enough understood or measured right now.
“There remains significant market pressure to underwrite and quote policies as efficiently as possible, even while admitting a widespread inability to measure an applicant’s risk profile. This generates mismatches between desirable underwriting principles and prevalent practices for writing cyber cover today.
“The survey also highlights an urgent need to model non-affirmative or ‘silent’ cyber risk and develop a better understanding of aggregate risk within an insurer’s portfolio. Many insurers are now concerned that a series of major cyber events could rapidly erode the finite margin across numerous portfolios and test if there is enough capital to cover significant cyber-related claims within a calendar year.”
About the Survey:
A total of 78 broker and insurer firms responded to the 13-question online survey circulated to Insurance Post and Insurance Age readers by these titles’ publishing group InfoProDigital during a two-week period from March 9 to 23, 2018. Respondents included: brokers (54 per cent), insurers (41 per cent), underwriters (4 per cent), and re-insurers (1 per cent).
About SSIC:
Based in the Washington, D.C. area and also with offices in London, Secure Systems Innovation Corporation (SSIC) is a cyber risk management firm that informs strategic decision-making. Its innovative, patented method for measuring and modelling cyber risk, X-Analytics®, objectively expresses the economics of cyber risk. SSIC is changing how executives and boards understand and manage cyber risk. For more information, please visit https://www.securesystemscorp.com.
Categories
- Benefits Resources
- Bonding
- BOP
- Business Insurance
- Commercial Auto
- Commercial Property
- Company News
- Construction
- Crime Insurance
- Cyber Insurance
- Directors & Officers
- Employee Benefits
- Employment Practice Liability Insurance
- Entertainment
- General Liability
- Health Insurance
- Healthcare
- Healthcare Reform
- Homeowners Insurance
- Hospitality
- Manufacturing
- Medical Malpractice
- Mining & Energy
- Nightclubs
- Personal Auto
- Personal Insurance
- Professional
- Restaurants
- Retail & Wholesale
- Risk Management Resources
- Safety Topics
- SBA Bonds
- Security
- Seminars
- Technology
- Tourism
- Transportation
- Uncategorized
- Workers Compensation
Archives
- May 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- November 2018
- September 2018
- August 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- February 2013
- November 2011
- October 2011
- September 2011
- July 2011
- June 2011
- March 2011
- November 2010
- October 2010
- September 2010
- April 2010
- February 2010
- November 2009
- October 2009
- November 2008
- August 2008