Rating Agency Warns P/C Insurers on Taking On Too Much Cyber Risk
If they are not careful, property/casualty insurers could jeopardize their credit ratings with their expansion into standalone cyber insurance, a rating agency has warned.
Cyber attacks pose dangerous risks and uncertainty within many industries and thus “aggressive expansion” by insurers into cyber insurance could be credit negative for carriers, according to Fitch Ratings in a report, “Global Cyber Insurance Update: Expanding Threats Amplify Underwriting Opportunity, Loss Potential.”
According to Fitch, with an estimated $3 billion in premiums in 2015 that is expected to triple within four years, cyber risk insurance is the fastest growing segment in property/casualty insurance. Approximately 50 insurance carriers now offer some form of standalone cyber insurance coverage.
Yet there remains considerable uncertainty surrounding potential losses, proper pricing and appropriate policy terms, notes the report. The uncertainties of the market currently outweigh the potential benefits, Fitch said.
“Cyber risks are a broad peril affecting organizations of all sizes and in all market sectors. Insurance losses can materialize from several existing products including standard commercial liability, property, business interruption and professional liability and potentially several unforeseen product lines,” said James Auden, managing director at Fitch.
Auden said that while catastrophes, natural disasters and other risks are fairly well modeled and understood, modeling and available data for cyber risk are in their infancy. “Determining loss exposures from a cyber catastrophe is difficult as it requires an assessment of events that are feared, but not yet experienced in reality,” said Auden.
The report says an attack on a power grid or other major infrastructure could have a wider geographic scope than a natural disaster or conventional bomb attack. The lack of past precedents raises questions regarding claims and coverage.
Also, the relative newness of cyber risk creates challenges in establishing policy terms and in pricing risks, the report contends.
At this stage, Fitch said it would view “aggressive growth” in standalone cyber coverage, or movement to high portfolio concentration in cyber, as ratings negatives.
“Underwriting, pricing and reserving uncertainties currently outweigh the potential earnings growth benefits,” said Auden.
Controlled growth as part of a diversified portfolio, coupled with continually enhanced underwriting standards, would generally be neutral to ratings, Fitch said.
Fitch said it believes that insurers’ ability to monitor and evaluate cyber risks will continue to evolve.
Regarding pricing, insurers do appear to be adjusting their rates. Cyber insurance was the only line in the third quarter of last year where insurers saw consistent and large rate increases, which averaged more than 15 percent in the United States, according to an analysis from Marsh.
There are indications that insurers are also being cautious in their underwriting as they jockey to be part of a market pegged to grow to $20 billion by 2025.
“The potential is high for a widespread cyber event and underwriters are taking notice,” according to Jim Rice, a senior business executive at Xuber, who told Insurance Journal’s Stephanie Jones recently that insurers and reinsurers are continuing to work out underwriting requirements.
“Underwriting requirements are rising and both insurers and reinsurers are increasing their retentions, as well,” said Rice. “In some cases, we’re seeing some capacity reduction by some players who saw an opportunity and are leaving the market altogether and really focusing their attention on other lines of business.”
Along with Fitch, Rice believes the cyber line has been untested in terms of claims-paying ability thus far. While there have been large losses, such as those at Sony, Target and Anthem, there has been no widespread catastrophic occurrence to test insurers’ ability to pay claims on these losses.
“[T]he nature of potential catastrophic cyber loss is likely far more reaching than the industry probably understands,” Rice said. “Therefore as cyber matures and loss and underwriting data become more available, I think we’re going to see a lot more specialization in the cyber market, as we’re seeing now.”
Kevin Kalinich, global practice leader for cyber/network risk at Aon Risk Services and a panelist at the Standard & Poor’s Ratings Services 2015 Insurance Conference last June, said that as the market develops, providers will need some time to model risk sufficiently and to set premiums accordingly. This is difficult, Kalinich said, because the threat is evolving quickly. He said two decades of reliable data are needed to feed models.
“We’re much farther along than we were two years ago; we have much better information now,” he said last June. “But it’s not a static model. It changes over time and in two years it will be much better.”
Another reason insurers should be cautious is because there haven’t been any high profile coverage disputes to help define cyber coverage, according to Lynda Bennett, a partner the law firm of Lowenstein Sandler in the New York/New Jersey area. She said cyber insurance policies have “given new meaning to a complex and difficult-to-navigate insurance product.”
State insurance regulators share the anxiety over this market. The National Association of Insurance Commissioners (NAIC) has begun collecting financial data on cybersecurity and identify theft coverage data in required insurer financial.
According to Adam Hamm, North Dakota insurance chief and head of NAIC’s cyber task force, this mandatory data supplement requires that all insurance carriers writing either identity theft insurance or cybersecurity insurance report to the NAIC on their claims, premiums, losses, expenses, and in-force policies in these areas. It requires separate reporting of both standalone policies and those that are part of a package policy. The first batch of company filings is due April 1.
“With this data, regulators will be able to more definitively report on the size of the market, and identify trends that will inform whether more tailored regulation is necessary,” said Hamm. He said the data will enable regulators better understand the existing cybersecurity market and help them know what to look for as the market continues to grow, particularly if small and mid-size carriers increase their cyber business.
At the same time that insurers and regulators are still learning about cyber risk, so are more and more of insurance customers.
Matthew McCabe, senior vice president with insurance broker Marsh, told lawmakers in Washington this week reported that his firm’s U.S.-based clients purchasing standalone cyber insurance increased 27 percent in 2015 compared with 2014. That followed a 32 percent increase in 2014 over 2013, and a 21 percent increase from 2012 to 2013. This purchasing is supported by more than 50 carriers from around the world that potentially can provide more than $500 million in capacity, he said.
Panelists at the S&P conference said that buyers have been seeking to buy more coverage than insurers are willing to offer and even insurers with larger market shares have been cautious due to the lack of actuarial data. Insurers have been writing policies with low limits and excluding damages resulting from data handled by an external contractor.
Sarah Stephens, partner and head of Cyber, Technology and Media E&O at JLT Specialty Limited, said there were definitely some insurers over the past few years writing cyber with very little information but that approach has not been sustainable. “Insurers have swung the pendulum a little bit back to actually asking for detailed information, and really trying to differentiate a good risk from a bad risk. They’ll continue to do that,” she said at the Professional Liability Underwriting Society (PLUS) conference in September.
Manny Cho, regional underwriting manager at Axis Pro in San Francisco, said carriers are “picking and choosing” the different areas where they feel most comfortable.
“The interest in cyber is phenomenal right now. It’s never been hotter. This is a product line that’s been around for only 15 years. It feels like now it’s reached that stage of maturity where we’re seeing more and more buyers, we’re seeing more and more market participants, and everybody’s talking about cyber right now,” said Graeme Newman, a director at CFC Underwriting in London, at the PLUS conference.
According to Newman, insurers are reevaluating their products and pricing, while new players are entering and others are leaving. “The interesting thing is going to be how it develops over the next 12 to 24 months,” Newman said.