Insuring Against Cyber Risks Is Not That Easy

According to the recently published Allianz Risk Report, organizations rate business interruption and cyber incidents as the major threats to their operations in the coming year.

The Allianz “Risk Barometer” interviewed just under 2,000 respondents in 80 countries and combined business interruption and cyber threats in the one category, and 42% rated this as their greatest fear. Next on the list was fire and explosion, cited by 40%, (respondents could choose more than one) followed closely by natural catastrophes on 39%.

Separately, the cost of natural catastrophes in 2017 was reportedly USD 300 billion. It was a record year for disasters. This enormous figure pales into insignificance, however, when compared to the assessments of losses from cyber-attacks.

The launch event for the World Economic Forum’s 2018 Global Risks Report in London in January 2018 valued that cyber attacks to cost more than USD 1 trillion a year.  Lloyds of London estimated the cost of taking out a single cloud service provider at more than USD 50 billion.

Challenges to Insurance

Cyber insurance has been around since the early 2000s. According to John Drzik, president of global insurance brokerage March Advantage, the global cyber insurance market accounts for approximately USD 3.5 billion in premiums.

The amount sounds a lot, but when you consider that cyber attacks may have caused as much as USD 1 trillion in damages that leaves a considerable coverage gap.

Cyber insurance is growing rapidly, and Marsh expects premiums to reach USD 10 billion by 2020. But given the escalating cost of cyber-attacks, the increase in premiums is hardly likely to bridge the coverage gap.

Part of the answer lies in the difficulty of assessing the risks and quantifying the potential damage.

Cyber attacks come in so many different guises that assessments are currently little more than guesswork. The insurance industry also lacks precedents and much of a historical track record in understanding the risks and setting premiums accordingly. The paucity of actuarial data going back years is a significant barrier to the accurate pricing of risk.

Credit reporting agency Equifax was one of the cyber attack stories in the US last year. The breach affected more than 140 million Americans, and the immediate loss was estimated at USD 125 million, or a quarter of the company’s net income.

It was not the end of it, however, as the company is also facing more than 50 class action lawsuits that might also be covered by insurers.

How Cyber Insurance Will Differ

Cyber insurance is not like insuring a car against damage, or the damage it may cause. There is the initial disruption, but then there is the loss of data, potential ransom payments and ultimately the reputational damage, which can be terminal.

If an organization is a publicly listed company, there is also the possibility of legal action from shareholders aggrieved at the falling share price.

In this emerging insurance category organizations need to ask themselves a series of questions before they pay the premium.

For example, is the insurance comprehensive or partial, and how comprehensive is comprehensive? Comprehensive policies cover breach response and forensic costs, such as finding the cause and fixing it, but do they provide limited liability for damages?

Like the "act of God" caveat in traditional insurance policies, some cyber insurance policies exclude damage from infrastructure failures or from hacking by state-sanctioned operatives. So if the North Korean Government hacked you, you might not be covered.

New Role of Modeling, Analysis

Understandably, the world of cyber insurance is now seeing the emergence of specialist risk analysis software and new forms of modeling to understand potential exposures.

Some of these take note of which cybersecurity products an organization previously installed and arrive at an overall view of their protection, and their exposure.

They are useful not just for insurers but organizations as well. Barbican Insurance Group, for example, has just installed a predictive analytic modeling product to assess cyber risk and is making the platform also available to its customers.

The early lesson in cyber insurance is that, like cybersecurity, it pays to be proactive. Unlike other types of insurance, this is not an area where organizations can buy peace of mind by merely purchasing a policy.

Right now, cyber insurance is only one component in the imperfect world of implementing the right cybersecurity stance, and understanding that is the key to maximizing its effectiveness.