Other parts of this series:
- Cyber insurance – the third wave is here
- Cyber insurance: three ways to reduce carrier risk
- Cyber threats: the IoT security gap—an opportunity for insurance
- Markets offering the largest cyber security insurance opportunity
- The new shape of cyber security insurance—meeting evolving threats head on
- Cyber security – the threat that insurers face
The rapid evolution of cyber threats and the immaturity of the cyber security insurance segment mean there is a lot of uncertainty—for insurers hoping to bring cyber security insurance offerings to market, as well as for purchasers of cyber security insurance. How are insurance leaders responding?
In previous posts in this cyber security insurance series, I looked at the evolving cyber security threat, how insurers can limit liability and where the biggest opportunities are emerging. In this post, I look at how cyber security insurance providers are structuring their offerings to meet evolving cyber threats.
The challenges for cyber security insurers
The many reports, articles and research papers addressing the emerging cyber insurance opportunity list a number of common concerns.
For insurers, the challenges include:
- Lack of cyber crime historical data: Makes it difficult to build the predictive models that can help assess probability of loss.
- Lack of critical mass: Insurers have not been selling cyber insurance on a big enough scale to generate a critical mass of data and policies.
- Lack of acknowledgement: A large percentage of cyber losses aren’t even acknowledged to outsiders as the attacks go unreported.
- Exposure: Insurers fear a potentially catastrophic accumulation of cyber exposure—i.e., a single event may spark multiple claims.
For consumers, the challenges include:
- Lack of understanding: Buyers often don’t know what risks confront them, don’t understand these cyber risks, and aren’t aware of their insurance options.
- Coverage: Cyber risk can be spread over a wide range of coverages. This complicates efforts to assess coverage needs, match policies with exposures, and compare alternatives.
- Lack of standardization: Coverage is often written using customized policies, resulting in different terminology from carrier to carrier.
- The legal landscape remains in flux: Policy language isn’t standardized and may complicate settlement disputes.
How are insurance companies responding?
ACE Group has created a strategic alliance with FireEye. The relationship brings together expert technical insight from FireEye to assess an individual organization’s threat exposure, with ACE’s Loss Mitigation Services program, a multi-tier offering that helps organizations fully understand and mitigate their cyber security risk.
More recently, cyber security solutions provider Fortinet and Australasian insurtech Cyber Indemnity Solutions (CIS) announced a collaboration to assess the security posture of Australian and New Zealand organisations and offer digital asset protection and cyber insurance as “a complete layer of threat mitigation”.
QBE’s cyber policy takes a modular approach to protection against the range of risks associated with digital technology. It also provides critical support in the event of a cyber attack. For example, it has teamed with breach specialist ReSecure to provide 24-hour-a-day access to help in the event of a cyber attack. Importantly, QBE also provides complementary access to an eRiskHub portal which provides tools and resources to help its customers understand exposures, establish a response plan, and minimize the effects of a breach on the organization.
AIG has launched CyberEdge, an end-to-end cyber risk management solution providing cover for third-party claims, first-party costs of responding to a security failure or privacy breach, business interruption and liability for content distributed on a company’s website. CyberEdge provides the insurance coverage, tools, and continued access to emerging best practices necessary for customers to assess and mitigate potential vulnerabilities to sensitive data breaches, computer hacking, employee error, and more.
Next steps for insurers
Many insurers are already exploring the cyber insurance market. However, as threats evolve there is a need to ensure appropriate risk mitigation. Lloyd’s has put a very clear strategy in action to address this.
Lloyd’s Cyber-Attack Strategy aims to balance the need for fast-paced innovation with the need for appropriate oversight and control. It asks syndicates to provide details of the risk-management frameworks they have in place for cyber attacks, their risk-appetites, and the factors they take into account when underwriting and pricing this business. This will, says Lloyd’s,
- Ensure that risk is clearly identified and understood and that potential costs are reflected in the premium. “Only by pricing the risk appropriately can insurers offer a sustainable risk-transfer mechanism for cyber attack”.
- Help it and the insurance sector to understand the potential for large accumulations of cyber-attack risk, and manage it appropriately.
Clearly, demand for cyber security insurance is growing. As more cyber security legislation is released, that need will grow. Finding the opportunity is not the challenge; managing the evolving risk is. This is a young market and insurers, along with industry and government, need to work together to understand risk, develop best practices and shape policy.
For more on the cyber security conundrum for insurers, and to get detailed insight into Accenture’s research, read this report.