Cyber Risk Insurers Lag in Buying Cyber Cover
As recently as two years ago, only half of the top 10 carriers writing cyber insurance had purchased cyber coverage themselves, a broker specialist said recently.
During an interview at the Standard & Poor’s 2015 Insurance Conference, Kevin Kalinich, global practice leader for cyber insurance at Aon, told Carrier Management that the number buying cyber insurance for their own companies is up to seven of the top 10 carriers, and that two more are in the process of purchasing insurance. (Kalinich defined the top carriers as the 10 that write the most premium volume in the cyber insurance market, noting that Aon is the broker for a number of the top carriers.)
“It’s over a majority, but it’s still not unanimous that they all buy cyber insurance, the same product they’re selling,” he said.
Kalinich also reported that 67 insurance companies write some form of standalone cyber insurance today. Among market participants, “the appetite has changed but not necessarily expanded,” he said when asked if a soft market for commercial insurance has broadened carrier appetites or prompted price declines.
“After the large data breaches, what has happened is that many of the insurance companies that jumped in with both feet suffered their first cyber losses and are reevaluating their commitment to cyber insurance. They have either contracted, or are reducing the limits that they’ll offer from a particular risk – from $20 million to $10 million or from $10 million to $5 million. Or they have moved from the large risks of retail, hospitality, financial institutions and healthcare into more middle-market risks that they view as [having] a smaller probability of a catastrophic loss.”
Kalinich separates larger, higher-risk classes from lower-risk, middle-market categories, noting that there’s “quite a bit of competition” in the middle market. “Insurance carriers realize that they can make money as long as they have a diversified portfolio of risk and that the insured meets minimum standards.”
In larger, high-risk categories, some carriers have pulled out from being primary, resulting in less competition.
Kalinich reports that there is a greater focus on retention than on pricing among carriers, with retentions that were once $1 million rising to $5 million or $10 million. “Some of the exclusions have expanded and restrictions [have increased]. Unencrypted laptops – we’re not going to cover that,” carriers say. Or “we might cover business interruption for an entity, but we’re not going to cover business interruption if it’s a third party that is disrupted and now it affects your business interruption. Those are the types of coverage issues that are being introduced into the larger risks,” he said.
How Carriers Price Cyber Insurance
Standard & Poor’s released a report at the conference applauding insurers for their restraint in offering cyber coverage – a positive from a credit ratings perspective. “Even insurers with a larger market share are guarded enough to use low limits and a whole slew of exclusions (such as excluding damages resulting from data handled by an external contractor), which we believe is sensible. The need for risk-averse underwriting is heightened considering the lack of actuarial data, potential systemic consequences, loss creep and clash risk,” rating agency analysts wrote in “Look Before They Leap: U.S. Insurers Dip Their Toes Into the Cyber Risk Pool.”
The report highlights the fact that providing cyber risk coverage presents “a huge area of opportunity” for insurers, with a $10 billion potential market size seen as a real possibility within the next five to 10 years. It also notes the challenges inherent in pricing a coverage for which reliable actuarial data is not yet available and probabilistic models are suspect (mainly because of “the unpredictable behaviors associated with cyber attacks”).
So how are insurers pricing coverage?
Kalinich said insurers rely on a combination of methods. “Initially, they were using a number of personal identifiable information records and then multiplying it by a number – between $175 and $225 per record.” But insurers realized “there was differentiation depending on the type of information. Social Security number and patient information in healthcare is worth more than credit card information from a retailer.”
“As you increase the number of records, the cost per record goes down dramatically to be below $5 per record.”
In addition to getting better at bifurcating the risks related to PII, insurers are getting better at differentiating risks beyond PII exposures. “An entity that is dependent on manufacturing, transportation, logistics, they’re looking at those types of risks now compared to what losses they’ve seen, doing modeling based on what they want to get for their return on the capital and adjusting as they get more claims and adjusting as they see more entities,” he said.
“The second thing they’re doing different is partnering with modeling companies and rating companies – not rating agencies like the S&P but the equivalent for cyber risks.”
“These entities now can assess their cyber exposures and give them ratings in various categories to determine both the frequency and severity of a potential loss. The insurance companies reward those companies that embrace those assessments and make changes, and mitigate and remediate vulnerabilities,” Kalinich said.
“Four or five years ago, the insured may have paid for an IT security assessment. Now, insurance companies are not only including some of those as part of their service offering, but they’re demanding that you take on this type of antivirus software or intrusion detection or the equivalent. They still let you do the equivalent.”
“It’s actually a tremendous benefit, more so for the small and middle-market companies that might not have that expertise,” he said, distinguishing them from larger insureds who want to have direct relationships with third-party vendor partners instead of having those controlled by the insurance company.
Kalinich said pricing differentials between carriers are not decreasing as the use of these assessments becomes more widespread. “You would think that they would converge and come closer together based on their assessments. We have seen tremendous divergence in pricing and retention,” he said.
More typically, there are coverage variations among carriers. “Cyber insurance is not a homogeneous product,” S&P analysts said in their report – a situation that is not bothersome to Kalinich.
“It’s okay to have the nuances in the policies to differentiate the coverages,” he said, when asked if a standardized offering might benefit insurers. “Where I think there needs to be more commonality is all carriers looking at some of the same type of factors that go into the risk,” he added, reasoning that “if they start taking into account the important factors on a more macro level, that will improve risk management in totality.”
“So you can’t have an organization use adverse selection to go to a carrier that doesn’t understand the [right] questions [to ask]. It actually would improve the whole risk management if they have a baseline of the factors that they consider,” he said.