The demand for cyber risk insurance is growing quickly. This should not be a surprise given the high volume and high visibility of cyber-attacks on large companies in the US and Canada.
However, businesses in North America report difficulties in securing the cyber coverage they need. Insurers still lack the actuarial data needed to develop models and price policies accurately. The National Association of Insurance Commissioners says that insurers are approaching this market “cautiously, offering relatively low limits and a large number of exclusions.”
The NAIC cited a Standard & Poor’s report from mid-2015 which described in more detail some of the problems that insurers face in modeling cyber-risk. These problems include the lack of reliable actuarial data and the scarcity of metrics for cyber risk, such as the number of attacks, the number of successful attacks, and the prevalence of security features. As S&P said in its report: “We believe that probabilistic models pose high levels of uncertainty, mostly because of the unpredictable human behaviors associated with cyber-attacks. Therefore, we are cautious of any insurer that places too much emphasis on modeling cyber risk for pricing or exposure-management purposes.”
According to S&P (whose report is quoted in the media but is only available to subscribers) attacks will increase in both frequency and sophistication as losses grow. Lloyd’s currently estimates that there are around $400 billion in annual losses due to cyber hackings and that only a small number of these events are insured. Strong demand and limited supply should create opportunities for P&C insurers, but only for those willing to take on the tough tasks of collecting and aggregating cyber data and applying sophisticated modelling and analytics to determine real risks and appropriate pricing.