The cyber insurance market continues to grow but carriers must be mindful that it poses a high risk threat as well as an opportunity, especially as the sector itself ranks among those at highest threat of attack.
That was the message from Moody’s Investors Services, in a detailed report from the rating agency, entitled “Cyber Insurance: High-Risk Product With Potential to Grow”.
The study notes the “small but rapidly growing” cyber market that has sprung up among global property and casualty (P&C) insurers, in response to the lengthening list of high profile, high cost cyber-attacks, against organisations such as Target, SONY, JP Morgan, Anthem, Office of Personnel Management and TalkTalk.
While the area has represented an emerging opportunity for insurers, as “one of the highest priorities for corporate boards, regulators and government officials”, Moody’s also highlighted the risks.
“We view expansion of the cyber risk insurance market as similar to that of other high risk/return product segments, such as terrorism and fidelity/crime. The addition of a high-risk product to a well-balanced and risk-controlled underwriting portfolio is credit negative in the near term as underwriters test the risk/return spectrum of the product,” said the rating agency.
“However, insurers are generally approaching the market cautiously, offering – with support from reinsurers – relatively small limits until the product matures and has a longer-term track record,” said Moody’s.
Problems measuring the risk – lack of analysable data and problems in producing useful models – are focusing cyber insurers on limits management, including assessing aggregations and modelling scenarios, to evaluate underwriting exposures.
Uncertainties about the real risk exposures “may constrain ultimate scope of market”, particularly for the insurability of extreme losses, but demand for cyber cover continues to rise, stressed the rating agency.
Moody’s cited a nearly 30% increase in data breaches reported in the US in each of the past two years, reported by the non-profit Identity Theft Resource Centre (ITRC), noting that the trend continued into 2015, with 577 breaches reported by ITRC as of September 29.
The average cost of a reported cyber-crime to a US corporate was about $15m last year, according to Hewlett Packard, the highest cost among countries looked at and the biggest cyber insurance market.
In response, more than 50 insurers were described as offering stand-alone cyber insurance coverage, up from fewer than 10 when stand-alone products first appeared around 15 years ago, while many other firms offer endorsements to commercial general liability or multi-peril policies.
“Some of the largest players in the stand-alone cyber market include global leaders Ace, AIG, Allianz, XL, Zurich and several Lloyd’s syndicates,” said the rating agency.
Gross written premiums for US cyber insurance are estimated at about $2.75bn, noted Moody’s, up from roughly $2bn in 2014 and growing 25%-35% annually, although the market is still skewed towards insuring US entities and insuring the biggest corporates.
Regulators, such as the US National Association of Insurance Commissioners (NAIC) are encouraging the growth of the cyber risk industry by increasing reporting rules and driving corporate cyber security standards.
“Beginning in 2016, the NAIC, as part of its annual statement filing requirements, will be asking insurers to complete a cyber insurance supplement, which asks companies to disclose premiums, claims and other information related to cyber policies and endorsements, so as to gain a better understanding of the market,” said Moody’s.
The final aspect highlighted is that insurers “face their own operational risk” for cyber, “as they gather and store sensitive data on commercial, institutional and individual clients and have a high dependence on systems technology”, noted Moody’s.
“Insurance companies depend on their customers' willingness to entrust them with health-related, financial, and other sensitive information. The nature of the data, and the fact that insurers frequently access and transfer it in their daily operations, makes them prime targets for cyber-attacks,” said the report.
“Moreover, as insurers increase the amount of information they make available on mobile devices and expand their use of social media, exposure to data security and cyber-security risks – and the cost of defending against these risks – increases,” added the rating agency.
The study highlighted the February 2015 cyber-attack against Anthem, a US health insurer, which reported that attackers had gained unauthorised access to its systems and stolen members’ and employees’ personal data.
“Although the company has not yet quantified the cost, it has incurred expenses subsequent to the cyber-attack to investigate and remediate this matter, and expects to continue to incur expenses of this nature in the foreseeable future,” said Moody’s.
The firm is also facing potential fallout and costs from government and regulatory inquiries and legal action, with purported class action lawsuits and other claims relating to the attack.
Moody’s noted that so far, no P&C insurer has reported a major online data breach or large scale cyber-attack, but that attacks are so common, the risk is significant one, and – ironically – the industry is under-insured.
“Many companies have some cyber insurance, but coverage is limited,” said Moody’s.