What will jumpstart the cyber insurance market?

As the debate over the industry’s approach to shouldering the potential fall-out of large-scale cyber incidents continues – estimates put the cost of data breaches to businesses at €1.84tn by 2019 − the time has come to reassess the approach to such systemic risks, writes Stroz Friedberg security science vice-president Phil Huggins for StrategicRISK’s sister title GR.

Corporate uptake of cyber cover remains in single-figure territory, with a recent report by the UK government suggesting that merely 2% of large organisations have taken steps to share risk. With significant scope for growth, joint innovation by insurers and cyber security specialists is urgently required to develop products that more closely meet the market’s cost and risk expectations.

It is difficult for insurers to identify the cyber risks borne by the insured. Despite the cyber security industry being awash with data on the numbers and types of breaches, it is not straightforward for insurers to differentiate among insureds. From a premium perspective, they each get a general market cost, rather than an individual tailored cost. This incentivises no one to improve, which creates a ‘lemon market’ for selling cyber risk.

Most insureds are interdependent on each other for their security. However, they are not encouraged to invest if the lack of investment by another firm harms them. This leads to a ‘race to the bottom’ as firms put less emphasis on protection compared to their peers.

Exacerbating this further is the dependency on outsourced services among insureds. This creates a correlation in cyber risk, as outsourcers become the common factor across industry sectors and geographies. The situation is similar in respect of technology, where the systems in place remain highly homogenous. Technology monocultures also exist across industry sectors and geographies, which means a single technology flaw could catastrophically affect swathes of businesses. These make portfolio segmentation challenging.

There is also a moral hazard, where purchasers of cyber risk insurance are rarely closely involved in the day-to-day cyber risk management, which is often performed by IT staff who are incentivised to deliver business benefits over business protection.

Nevertheless, there are opportunities for innovation. This requires insurers to turn their focus to developing innovative products that reduce the frequency and impact of potential claims, while incentivising behaviours that reduce the potential for harm.

Some of the opportunities for innovation include:

• measuring cyber resilience, rather than cyber security, of insureds. This would address situational awareness, diversity of capacity, level of integration of functions and actions, internal feedback loops and the ability to adapt, including the speed of adaptation to changing threats and circumstance. The end result would put insureds in a stronger position to emerge from catastrophic events bruised but not broken, which would help reduce claims;
• monitoring the external indicators of cyber hygiene and regularly feed these back to customers. Such insight could be tied to a variable level of cover, incentivise risk professionals and help IT specialists focus on measures that may reduce the frequency of claims;
• creating trusted forums for information sharing - to spread the knowledge of adversary activities, which would enable firms to respond faster, reducing the size of claims; and
• organising capability sharing groups, mirroring the NATO model, where an attack on one is treated as an attack on all. This addresses the capability and skills shortage impacting all insureds.

The complex nature of cyber threats and corporates’ continual inability to heighten their own preparedness and resilience means such risks will remain challenging to assess and, ultimately, price. However, those insurers prepared to develop a systematic and informed approach to tackling these risks will be uniquely positioned to secure a greater slice of this ever-increasing market.