Taking cyber cover
September 2015 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
There are few threats more prominent on the risk radar of senior executives today than cyber. High-profile cyber attacks and breaches have firmly established the threat in the corporate risk psyche, with the increasing frequency, severity and cost of such incidents elevating them beyond the remit of risk and IT managers, and into the boardroom.
The rapid rise of cyber-related risks up the corporate agenda has also fuelled a spike in interest in standalone cyber insurance cover. Between 2012 and 2014, the size of the market almost trebled, with estimated gross written premiums rising from $850m to approximately $2.4bn – and 2015 could see the market hit $4bn. While this growth rate is set to accelerate significantly, current insurance penetration levels remain low, representing only 3 percent of a global market potential estimated at $85bn.
The market scope
There are few companies in today’s hyper-connected global market that do not carry some form of cyber-related exposure. The often indiscriminate nature of the threat from cyber hackers, the potential danger posed by disgruntled employees, or the simple administrative slip up by a colleague mean that virtually all organisations are exposed to cyber risk.
It is not surprising, therefore, that the number of sectors currently purchasing cyber-related cover is expansive and growing. These range from retail companies, financial institutions and healthcare providers through to technology firms, lawyers and accountants, and extend from large-scale multinational corporations through to SMEs. It is being driven both by the increasing frequency of cyber attacks at this level, plus the rise in the number of government bodies and larger organisations applying a cyber clause to their supplier contracts.
However, the levels of take-up vary significantly from sector to sector, while from a geographical perspective similar variations are also being seen. Penetration levels in the US, for example, are at approximately 4 percent, while for the UK the figure is an estimated 2 percent. For other territories, it has yet to gain any real foothold.
This is clearly a market which offers huge growth potential, and over the last two years this potential has increasingly been realised.
The scale of the challenge
While cyber insurance cover has been available since the late 1990s, it is still in its relative infancy. Close collaboration between established players in the market and their clients, however, is helping stimulate product evolution and understanding of the associated risks. Insurers are looking to create bespoke cyber solutions which adapt to the changing nature of the threat they face from both technological and societal developments.
The fundamental challenge which the industry faces is to create a comprehensive, robust, responsive insurance solution without the benefit of historical data upon which to build it. While cyber can no longer be described as ‘an emerging threat’ given the fact that related incidents are an escalating risk for most organisations, the amount of loss-related data available to insurers and risk modellers remains limited. This level of uncertainty is further expounded by the systemic risk which extends the exposure far beyond the walls of the specific organisation.
Greater collaboration at industry level and with government is helping to overcome this problem, with risk modelling advances enabling the insurance industry to better calibrate potential exposures. Most recently, a report released by Lloyd’s and the Centre for Risk Studies at the University of Cambridge considered the economic and insurance impact of a cyber attack on the US power grid. The scenario – which was based on 50 generators being put out of action affecting power supplies to the North Eastern US, including New York City and Washington DC, and leaving 93 million people without power – resulted in an estimated economic impact of $243bn, rising to over $1 trillion in the most extreme circumstances, and an insured loss of $21.4bn rising to $71.1bn.
What the study helped reveal was not only the financial ramifications of a large-scale cyber attack, but also how widespread the potential claims fallout from such an event could be, with some 30 lines of business caught up in ‘the insurance blast radius’ from the event. In this particular scenario, exposures ranged from property damage and business interruption through to event cancellation and general liability.
A question of clarity
Given the expansive and dynamic nature of the risk, it is imperative that every step is taken by the insurance industry to introduce sufficient clarity of coverage into cyber-related policies. The term ‘cyber coverage’ is extremely broad and can span a wide spectrum of policy components. For example, these can include technology and miscellaneous errors and omissions, multimedia liability, security and privacy liability, data recovery and loss of business income, privacy defence and penalties, crisis management costs, regulatory defence costs, and data extortion.
It is therefore critical that insureds work closely with their brokers and insurance providers to establish a clear picture of their potential cyber exposures, and build an insurance solution relevant to their specific requirements. Further, insurers and insureds alike must acknowledge the challenge of keeping pace with what is a constantly evolving risk environment.
A collective response
There is little doubt that given the continuing rapid rise in the frequency and severity of cyber-related incidents, many of which are high profile, cyber insurance will become an increasingly prominent component of the risk management strategies of most organisations. Companies are becoming more aware of the fact that general liability and umbrella policies are simply not fit for purpose in the new cyber reality – in some cases at significant cost.
Moving forward, what will be key to success in the battle against the cyber threat is our ability to understand the risk we face. Only through close collaboration between the insurance industry and our clients, from multinational organisations to SMEs, can we gain the level of insight required to ensure a proactive approach to risk management and identification.
Geoff White is an underwriting manager at Barbican Insurance Group. He can be contacted on +44 (0)20 7082 1979 or by email: email@example.com.
© Financier Worldwide
Barbican Insurance Group