Confusing, Costly Cyber Policies Create Obstacles to Market Growth: Deloitte

March 3, 2017 by

Despite the rising profile of cyber risks, buyers have failed to widely embrace cyber coverage. At the same time, insurers generally have remained cautious about writing the coverage on a large scale basis.

A recent report published by accounting and consulting firm Deloitte detailed the reasons for this mismatch between a source of organic growth for insurers and what could become an essential tool for buyers to fill a potentially huge exposure gap.

If cyber coverage “continues to be perceived by many buyers as insufficient, uncertain, overly complicated, and/or too costly,” the insurance industry may find alternative markets stepping in to fill the void, warned the report, titled “Cracking the code on cyber insurance.” (See below for further comments on this point).

To demonstrate the huge potential for growth in this line in the traditional market, Deloitte revealed that cyber insurance only generates between $1.5 billion and $3 billion in annual US premiums, a fraction of the $505.8 billion in premium written by US carriers in 2015.

Further, the global cyber insurance market could amount to $20 billion by 2025, said the report, quoting a prediction from Allianz Global Corporate Specialty.

Many companies “have yet to purchase a cyber policy – or if they have, their coverage tends to leave them underinsured,” said Deloitte, pointing to a survey by the Council of Insurance Agents & Brokers (CIAB), which reveals that just 29 percent of US firms had bought cyber insurance as of October 2016.

“While bigger companies are more likely to buy the coverage, the majority of large organizations are still going bare on their exposures,” the report noted.

The report went on to discuss the obstacles to meeting cyber coverage demand, from the perspective of insurers as well as buyers.

Obstacles from insurers’ perspective are:

  • Dearth of data. The lack of historical data makes it difficult to build predictive models because 1) insurers haven’t been selling cyber insurance long or widely enough to generate their own data, 2) there is no centralized source of information about cyber events, and 3) many cyber attacks go unreported and undetected. For example, the bulk of reported losses in the US involve breaches that expose personally identifiable information (PII), often because of legal notification requirements in various states.

“Other cyber events – such as denial of service attacks, ransomware, and theft of intellectual property – are often kept under wraps,” the report said. It warned insurers to take into consideration reporting bias when building models as well as underwriting and pricing systems.

  • Cyber attacks keep evolving. Insurers continue to collect data and hone predictive models based on prior cyber threats, but the “underlying exposure keeps changing,” the report said, explaining that it’s difficult to create predictive models “when it’s not clear what new objective, strategy, or technique hackers may come up with next.”
  • Potential catastrophic accumulation. Given the dearth of data, insurers fear “being overwhelmed by a sudden aggregation of losses.” Brokers interviewed for the report explained that reinsurers in particular are “skittish about the potential for a ‘cascading’ event triggering a wide range of policies across companies, countries and entire industries.”
  • Tunnel vision in coverages offered. An often “narrow view” of cyber risk is leading insurers to focus products on PII theft, rather than many other more complex risks that could benefit from cyber protection.

Obstacles from buyers’ perspective are:

  • Buyers often don’t understand cyber risks or insurance options. Brokers interviewed for the Deloitte report said that large and small buyers often “have a hard time quantifying” their risk exposures, which creates uncertainty about coverage needs and the cost/benefit generated from risk transfer.
  • Cyber risk is spread over a wide range of coverages. Cyber risk can be included in a wide range of products such as general liability, property, professional liability, business interruption and crime policies, the report said, which “complicates efforts to assess coverage needs, match policies with exposures and compare alternatives.”
  • Cyber policies lack standardization. Cyber insurance coverage is often written using customized policies, which results in different coverage terms, conditions and exclusions from carrier to carrier, the report added.

“Similar cyber insurance products offered by different providers often include alternative features, which makes it difficult for buyers to compare policies by value and price,” according to the report. Concerned about potential coverage gaps, businesses want to avoid buying coverage they don’t fully understand with language that may be subject to interpretation, the report continued.

  • Legal landscape in flux. Without clear or standardized policy language, conflicts could prompt settlement disputes, which could leave buyers uninsured for a major loss, the report warned. One of the carriers quoted in the Deloitte report said: “Cyber coverage disputes have not made their way through the court system yet. Policy terms and conditions have therefore yet to be battle-tested because case law isn’t clear.” This insurer went on to say that conflicting state regulations could “create exposures and coverage gaps.”

To overcome the obstacles to growth in the cyber insurance market, the report recommended several courses of action, including:

  • Developing a “risk-informed model” rather than a definitive predictive model for cyber risks. With a risk-informed model, underwriting and pricing assessments would focus on “specific risk-management steps applicants could take to be secure (prevention), vigilant (detection) and resilient (loss control and recovery) in their cyber-related operations,” the report said.
  • Taking a “segmentation approach” to underwriting. “This would narrow the scope of cyber expertise required” by targeting specific industries or niches, the report said. Rather than writing generic cyber policies across the spectrum of cyber risks, the Deloitte report suggested that insurers become specialists in different types of exposures, such as data breaches or denial of service attacks, or in areas of technology, such as the internet of things or domain name servers.
  • Taking a slice of a layered, multi-insurer coverage program. This option would help ease concerns about catastrophic loss aggregation, the report said, particularly in the large account segment.
  • Cyber reinsurance. Greater reinsurer involvement “could help ease the primary market’s aggregation burden and encourage more aggressive growth.”
  • Holistic cyber risk management programs. The cyber insurance product could be redesigned to differentiate “policies beyond their price, terms and coverage limits to emphasize associated risk management offerings,” offering risk prevention services and post-loss response and recovery support. Such services could help “secure the client’s cyber insurance purchase, while helping bolster retention of the account and making relationships with clients more dynamic.”
  • Standardizing policy language. Standardization would help insurers and clients know what they are selling and buying, while avoiding the potential for coverage disputes and costly litigation, the report indicated.

The report cautioned that an insurance policy isn’t the only risk-transfer option for covering cyber risks. To avoid displacement by alternative markets or more proactive traditional competitors, carriers need to actively weigh options “to facilitate their entry or expansion in this promising but problematic market,” the report continued.

“Bigger buyers are likely to consider alternatives they have tapped in the past when insurance coverage became scarce or too expensive – such as captives, risk retention groups and securitization,” the Deloitte report emphasized.

Examples of alternative options that could be developed include cyber bonds to transfer exposure to capital market investors or the formation of cyber risk retention groups covering groups of small to midsize companies.

“These are all very real, even likely possibilities, especially if insurance coverage continues to be perceived by many buyers as insufficient, uncertain, overly complicated, and/or too costly for the value offered,” the report emphasized.

Source: Deloitte

The full Deloitte report can be viewed on the company’s website.

Related: