June 28 is National Insurance Awareness Day. With growing concern about how best to manage cyber risk, maybe we should give it an honorary designation this year.
National Insurance Awareness Day is not exactly a Hallmark holiday. Its origin is a mystery, but insurance dates from over 2000 B.C., and it is mentioned in the Code of Hammurabi. Imagine that – it existed even before the first written laws.
Cyber insurance is the hottest topic among insurers today. “Industry observers have predicted that the cyber line of business will be one of the leading growth areas within the property and casualty (P&C) space. Cyber coverages have been estimated to increase up to $20 billion by 2020. The transition to standalone cyber policies [from packaged policies] may contribute to better pricing and reserving methods, which may ultimately lead to refinements in modelling tools and contribute to more accurate understanding of risk aggregation.” [Intelligent Insurer]
Insurance Journal recently reported a 35% increase in cyber premiums written from 2015 to 2016. Right now, there’s a “gold rush” going on among insurers to cash in on the very high margins being reported in cyber insurance. At the same time, industry observers admit that cyber underwriting is still far less sophisticated than that for other P&C lines. Insurers themselves realize they aren’t sure whether their premiums are too high or too low for the risks they currently cover.
Awareness and understanding of cyber insurance must get better, and that won’t happen by operating in a silo without learning more about cybersecurity, threat measurement and monitoring, and mitigation best practices. There’s no doubt insurers face challenging obstacles, including the lack of broad historical data, which hinders their ability to assess cyber risk compared to other types of risk, but educational efforts to help insurance professionals better comprehend the world of cybersecurity through partnerships and ongoing coordination with security experts will help clear those hurdles.
What trends are driving broader awareness and acceptance of cyber insurance, and what are the results likely to be? Here are three predictions:
- Better Management of Cyber Risk
“Future growth in cyber premiums will likely come from more consistent policy terms and conditions as insurers gain better understanding of loss potential and coverage, better cyber underwriting models, as well as efforts to comply with increased cyber regulatory standards across numerous industries, particularly financial institutions.” [Jim Auden, managing director, Fitch Ratings, quoted in Insurance Business Magazine, June 23, 2017] Actions like FFIEC’s guidance and assessment tool, the New York Department of Financial Services cyber regulations, and the executive order mandating that all federal agencies report their cybersecurity status using the NIST Cybersecurity Framework are moving us closer to a “cyber Sarbanes-Oxley” state of affairs. The future will require greater awareness and monitoring of the state of the people, processes, and policies that insurers devote to managing cyber risk.
- Rewards for Better Cyber Risk Handling
The three largest cyber insurance issuers – AIG, XL Group Ltd., and Chubb – had a combined 40% market share at the end of 2016, and 83% of the policy value was written by only 15 companies. As awareness of the need for cyber insurance drives demand, more insurers will enter the market, offering a myriad of policies that provide a wide array of choices to a rapidly increasing number of policy seekers. More sophisticated risk assessment will naturally evolve. Underwriters will begin to reward applicants who can demonstrate a top-down awareness of cyber risk, and whose boards and senior executives lead their organization in taking a broader approach to managing cyber risk, treating it as another form of enterprise risk.
- Liability Limitation That Augments Insurance
“There are a range of policies that may cover aspects of cyber-related claims: these include stand-alone Cyber policies, Commercial General Liability, D&O/management liability, Commercial Crime coverage, and other blended products. Each is subject to limits, sub-limits, exclusions and endorsements.” [PropertyCasualty360] With so many overlapping policy types available, coverage for management liability in the case of a breach can easily fall through the cracks. While most companies assume their current D&O coverage covers them, massive shareholder derivative suits against boards and executives may prove that wrong. If the Yahoo suits result in awards for the hundreds of millions of dollars on the liability table, it’s inconceivable that their D&O coverage will be sufficient. Astute risk managers will consider augmenting traditional insurance with other ways to cap liability, including the use of technology that has been vetted by DHS under the SAFETY Act.
To the organizations that currently enjoy cyber insurance – you are a step ahead of the 50% of U.S. firms who don’t, and the 27% with no plans to buy it in the near future. [Insurance Journal] While the policy options need some work, a lot of work in some instances, companies without an appropriate layer of asset protection are leaving the door open to millions of dollars’ worth of uninsured damage. Cyber attacks are not an “if” conversation anymore, but a “when.” We’ll see a wave of enhanced standalone cyber insurance policies in the future, but it’s time to begin understanding the risk your enterprise faces (internally and externally) and weighing options for a more secure cyber existence.