To Insure Cyber or Not to Insure Cyber: Cautions and Caveats for Carriers
While there are some issues with the data, virtually every report shows the cyber insurance market growing. Aon Benfield had it growing 37 percent last year to $1.8 billion. It’s profitable and the loss ratio is in the 30s or 40s, combined ratios are in the 60s. One report found 56 carriers writing cyber, another put the tally at more than 100 and Aon Benfield identified 170 carriers writing it now, up 30 from the year before, albeit with some only writing very little.
Whether there are 56 or 170, ISO’s Maroun Mourad thinks more should be doing it.
“There aren’t enough writers that are writing cyber in my opinion,” he said.
Whether and how carriers should enter the cyber insurance market was the topic for panelists at the Super Regional P/C Insurer Conference sponsored by Wells Media Group and Demotech. The experts offered their insights into the state of the cyber insurance market and the challenges facing carriers thinking about entering the market. The panel can be viewed online on the SuperRegional.net site.
Mourad, president of Verisk ISO Commercial Lines, was one of the panelists. He is a data analytics and insurance leader who has grown businesses in U.S. and Europe and around the world for Gen Re, AIG and Zurich. He has served clients across underwriting, operations and general management.
The other cyber insurance panelists were:
- Erica Davis, senior vice president and managing broker at JLT Re North America. This is a relatively new position for Davis. She was formerly with Zurich. At JLT Re, she leads the Cyber and E&O practice utilizing her underwriting experience and working with JLT specialty to design new cyber and other products.
- Mario Paez, vice president and National Practice adviser at broker USI in the technology privacy and network risk practice in Minneapolis. He has more than 17 years in insurance, the last 14 as a broker and prior to that, as an underwriter with Chubb. He specializes in management of professional liability insurance with the focus on technology in network security and privacy. He provides risk analysis and management consulting for a variety of industries.
- Matt Sherman, senior vice president of Specialty Reinsurance and programs division for NAS Insurance. He’s based in Los Angeles. NAS is a Lloyd’s coverholder and an MGA writing specialty lines including cyber. Sherman oversees development of turnkey reinsurance products for carriers. His unit creates private label and customizing tools including for cyber. He’s also a former carrier chief operating officer.
ISO’s Mourad believes just about every carrier should be eyeing the development of a cyber product. His reason is customer demand; the demand is outstripping supply. Mourad said there are market segments and sub-segments — from the healthcare sector and payment providers to the restaurant or the mini-supermarket down the street — that are collecting personally identifiable information and all have exposures.
According to JLT’s Davis, the number of carriers reportedly writing cyber doesn’t really tell the story and can be misleading. “What that translates to from a capacity standpoint is an estimated $1.5 billion in capacity,” she said. “The largest purchased tower is $720 million so you’re utilizing less than 50 percent of the traditional capacity available. I look at that face value and say we don’t need more carriers.”
But she added that the line of business is growing at over 20 percent year over year, risk managers consistently cite cyber as a top three risk management concern, and the World Economic Forum lists cyber as the number one risk to businesses globally. “For that reason, I think where we are today in terms of the towers that are being purchased isn’t necessarily reflective of where the need will be going forward,” she said.
Broker Paez thinks the answer to whether there is sufficient capacity in cyber also depends on the market being served, the specific industry class, the size of accounts as well as the agent-broker distribution network involved. He cites statistics of a 30 percent uptake overall. Paez, who works within the technology privacy and network risk area placing coverage, believes there is plenty of capacity with monoline underwriters with specialized underwriters to place very sophisticated, customized type of coverage. However, “that doesn’t mean that there isn’t a need for other carriers to be involved whether it’s from a capacity standpoint or from an extension onto an existing traditional policy form. There is still need and desire to address this risk.”
The bigger question is what’s the best way for carriers to coordinate coverage for their insureds and agent-broker distribution, according to Paez.
Sherman suggested that when it comes to 100 or 170 carriers in the space, the 80-20 rule probably applies in cyber and that new players entering would be a good thing. “There’re some major admitted players that are really doing the ‘big boys’ cyber, the really large limit, large multinational companies. Those players are few and far between and they’re the international carriers that we know,” he said. “But it’s still the very early days for the product to make its way into mainstream America or small and medium enterprises. That’s still evolving and still happening.”
Generally, more carriers in a market space is a good thing. “Product innovation comes with that. Competition is good for the end-user. The more and more carriers that enter the space over time I think is ultimately good for the product and good for the market,” USI’s Paez added.
Don’t Play Defense
How a carrier feels about entering can be important.
Davis thinks determining the internal risk tolerance is key because there is one subset that is scared of underwriting cyber and thinks of it as the “wild-wild West’ and then there is the other half that is “leaning into the product, thinks it’s sexy, it’s growing and it’s the future.”
It’s a challenge for organizations to determine where on the risk tolerance scale they fall but that once they determine that, they need to stick to it, according to the JLT executive. “This is not a product space where you want to dabble. You want to make sure that you’re invested in it, that you’re partnering with the right vendor panels, the right reinsurance brokers, the right resources and models available to you because if you’re going to make these decisions, you’re going to want to make them in the most informed and practical way and you want to make sure you have organization alignment around that,” she advised.
Sherman of NAS reminded executives that they must weigh more than their underwriting risk tolerance. There is the risk of a new venture, of educating brokers and agents, of educating the risk management team. “There’s risk all along the food chain, not just the underwriting risk in introducing any new product, but certainly one that is constantly evolving,” he stressed.
Sherman would be concerned about a carrier offering cyber from a purely defensive strategy of not trying to lose customers: “[I]t’s important for a carrier to be intelligent and thoughtful about the products they offer,” he said. “Just offering it as a defensive mechanism is sometimes not enough because you don’t want to be short-sighted about being really expert in the space. I think as carriers are learning to understand the product and be defensive, they also need to be comprehensive in their coverage.”
Paez suggested that brokers typically prefer five or six primary network security carriers, because the coverage is evolving, and they may reach a “comfort level” over time of working with them to meet specific needs.
“You see the brokerage community tend to navigate towards the markets that are most flexible, ones where they’re most familiar with their specific form. There’s a comfort level there for their own E&O, and also just in terms of ensuring that product is going to respond in a thoughtful manner,” he said.
That does not mean that other carriers cannot come in and unseat these incumbents, but it is a hurdle in terms of broker-agent education, he added.
Davis suggested that deciding to write cyber might be a polarizing decision within some carriers.
“I think it’s sometimes hard to manage that message internally. People might still view cyber as being that scary line of business. Maybe you don’t want to be at the leading edge of it. Maybe you want to see how it plays out, take a more reactive role in the market. I think just really understanding the fundamental challenges, some of which we’re talking about today lends itself to that,” she said.
Davis said casualty actuaries might be one audience with reservations. “They really have a hard time wrapping their head around the lack of modeling, the lack of actuarial data that exist in this product line. If you’re somebody who’s conditioned to need that information to make strategic decisions within your organization, then that’s a challenge,” she pointed out.
According to Paez, the need for learning about the risk and product extends beyond the carrier. “I think there’s a big need for additional agent-broker education on the various products, cyber insurance products and also, on the silent coverage that may or may not be available.”
Not writing cyber comes with risk as well, according to Mourad. One is having insureds going to another insurer. “Being an agent, the broker, an MGA or an insurer and basically saying, ‘Hey, I really need this. My incumbent insurer is not providing it to me, give me a quote.’ You’re opening up your doors to the competition,” said Mourad.
Accumulation of Challenges
The challenges around deciding whether to enter are many.
Davis stressed how the accumulation of risk keeps insurers from jumping in. “[T]his product line puts us as an industry in a very uncomfortable place,” she said. When the cyber product was first introduced, the focus was on individual risk selection and understanding like risk characteristics involved, for example, with a big retailer that might have 100 million records compromised.
“What originally was intended as being first party business interruption and evolved to contingent is now full throttle supply chain, upstream, downstream business interruption cover for businesses who very likely are reliant at least to some degree on the same third-part providers who offer cloud service,” she said.
What’s more, the industry is underwriting in this product “through a rear -view mirror,” she said, noting that loss ratios look good in the 30s and 40s but coverages are getting broader and broader; there are more and more entrants in the market, some of them bringing “naïve” capacity; pricing is depressed in that the product performance from the past may not necessarily be reflective of how it develops going forward; and there’s a lack of consistency and transparency about how the policies are underwritten. “Structures, terms and pricing tend to feel like they are more driven by market forces that anything else,” she said.
The talent demand around cyber is a legitimate worry, according to Mourad. “There are costs. You need to grow profitably with speed and efficiently. If every single insurance company effectively wakes up next Tuesday and says, ‘I want three cyber actuaries, four coverage form experts and a few underwriters, and I want to manufacture my own data, then you’re looking at a $10 million hole,” he said.
That is where Verisk and ISO come in as they can take care of much of that work.
Mourad said carriers sometimes hesitate around how much capital needs to be committed to writing the line and what the risk tolerance is against that surplus. But he said there are ways to get surplus or capital relief by the use of “smart structured reinsurance” agreements.
While some carriers may believe cyber is risky because not enough is known about it, Mourad dismisses that. “In my humble opinion, commercial auto is riskier if you look at the combined ratios, right?”
“I still hold the view that everyone should be in the cyber insurance business,” he said, “however, perhaps not everyone should write cyber against their own balance sheets.” That is where the MGAs like NAS and reinsurance partners like JLT can help insurers serve their clients but not necessarily absorb that risk onto the balance sheet.
- How the U.S. Cyber Insurance Market Is Performing: Aon Report
- Cyber Reinsurers Aim to Master the Dangers of Global Accumulation
- Verisk Company PCS Adds Global Cyber Industry Loss Index
- Cyber Business Interruption Risks Still Difficult to Figure
- Cyber Market Grew 32% But Small-Medium Firms Opted Out
- U.S. Cyber Market Is $2 Billion, Growing Fast, Profitable: Fitch