Matt Cullen, Assistant Director, Head of Strategy, ABIOnly a few years ago hacking, data theft and cyber extortion would be most commonly encountered as exotic concepts explored in film and literature. In the real world these were ‘things that happened to other people'. Today, any individual or business which uses the internet is part of the story – subject to a multitude of cyber related risks.
In this context, cyber insurance is part of an increasingly important toolkit through which a firm - from the largest corporate to the sole trader - can manage these risks. The importance is reflected in a recent publication by Marsh and the UK Government on the role of cyber insurance in UK cyber security, and the increasingly active interest of the PRA in cyber insurance.
But despite significant opportunities for growth, there are challenges to bear in mind. Here are five which stand out:
- The demand side. While cyber risk is growing significantly, demand for cyber insurance products is far from universal. The report mentioned above estimates that only 2% large UK businesses have stand-alone cyber insurance. And while the Government’s impressive Cyber Essentials scheme raises corporate awareness of basic cyber risk management, it does not explicitly encourage the consideration of cyber insurance as part of this package. An opportunity for phase two perhaps.
- Data availability. Throughout history the insurance sector has developed and come to rely on huge amounts of exposure and risk data. Property insurance pricing for example is built on many years’ experience of natural disaster frequency and cost, fire and theft statistics and so on. Not only does this historic data barely exist for cyber risk, the nature and scale of the risk is evolving so quickly that historic data becomes a sub-optimal indicator of future risk regardless.
- Risk aggregation. Cyber risk has significant potential for aggregation – catastrophic losses across many policyholders as a result of a single event, e.g. a major cloud provider suffering an outage or a hack. Aggregate cyber risk is difficult to model, but could reach many billions of pounds globally as the market grows.
- Skills. Cyber is a highly complex and technical field, and in the current soft insurance market chasing new business opportunities is a must. Insurers must ensure that when they eye up new cyber premium income, and given the relatively poor underlying data on the risk, they do so from a position of actuarial and underwriting intelligence on cyber risk.
- Keeping our own house in order. Finally, the more embedded insurers become in cyber risk management, the greater targets they are likely to become themselves for malicious cyber attacks. Being as resilient as possible to these threats will be crucial in maintaining the credibility of the cyber insurance market.
Matt Cullen is Assistant Director, Head of Strategy at the Association of British Insurers (ABI).