A recent report from AIR and Lloyd’s of London estimates that a failure of a top cloud service provider could cost the U.S. economy USD 15 billion and insurers up to USD 3 billion, highlighting a sizable protection gap. Despite several eye-opening incidents (e.g., the WannaCry and Petya ransomware attacks) that have showcased the loss potential caused by systemic cyber risk, insured losses for the industry have thus far been minimal. Low insurance penetration remains the primary reason this gap exists, but the issue is also exacerbated by the conservative strategy insurers are employing today.
Cyber insurers lack the confidence to underwrite risks they don’t fully understand and are mostly providing narrow coverage with low limits, high deductibles, or long waiting periods. As a result, nearly half (48%) of information security professionals feel that insurance is “somewhat adequate” at addressing the financial consequences of their organization’s cyber security exposure.1
This conservative approach, while seemingly effective at protecting balance sheets from catastrophic exposure, raises concerns that a narrow view of managing systemic cyber risk overlooks opportunities to advance the viability of the insurance business. Below are some trade-offs of taking this approach.
- Growth opportunities are missed. 76% of existing insureds seek higher coverage and limits.2 Upselling existing customers can be just as effective in driving growth as acquiring new ones.
- Innovation is hindered. 47% of cyber insurers say the recent major cyber events had no impact on their underwriting or pricing.3 Having experienced no losses, insurers are not learning from these events in a way that translates to evolving the product.
- Threats are omitted. Silent cyber exists in many lines such as general liability, E&O, and D&O where coverage isn’t actively limited. Insurers believe that silent cyber can increase combined ratios by 7%—potentially crippling in an environment of thin margins.4
Increasingly competitive markets will force cyber insurers to expand coverage, whether they are ready to or not. Meanwhile, the concerns about overexposure to catastrophic cyber risk remain driven by:
- A lack of knowledge about cyber risk and its potential impact
- Little or no cyber risk data being collected in-house
- Limited analysis bandwidth to identify growth opportunities
To overcome these obstacles, cyber insurers need to re-evaluate their approaches for managing cyber risk so that they can comfortably expand coverage in a way that doesn’t exceed their risk appetites. Despite its infancy, cyber risk analytics is being incorporated into risk management workflows by insurers who seek to close the knowledge gap so that they can underwrite cyber risk more confidently. Cyber risk analytics in ARC not only helps insurers get their business off the ground, but also provides the transparency and flexibility needed to keep up with the rapidly evolving threat environment and proactively adjust strategies to meet the market’s demands.
How confident is your organization in its ability to manage cyber risk?
1 SANS Institute, Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey
2 Advisen and Partner Re, 2017 Survey of Cyber Insurance Market Trends
3 Advisen and Partner Re, 2017 Survey of Cyber Insurance Market Trends
4 Willis Towers Watson, Silent cyber risk outlook