There’s a disconnect in the world of cyber, and it’s not an ethernet cable. The reports of many companies adopting cyber insurance at a rapid rate are a bit at odds with the experience of many in the insurance community who are being met with a combination of confusion, frustration and apprehension.
Recent studies lend some credence to the belief that cyber insurance may in fact be moving at a slower pace than assumed. While this slower adoption rate may be fueling some hidden risk, it also contains a silver lining and some unexpected opportunities.
One of the obvious factors hampering purchase rates is the lack of cyber litigation – cyber lawsuits have yet to drop and breaches have yet to become market moving events. This is obviously good news for many businesses that don’t have to worry about finding themselves in court over the transmission of a virus, or deal with constant compliance requests from clients/vendors. However, it also poses many challenges for the insurers and their ability to build stronger cyber products.
Aside from fueling the need/urgency of cyber insurance, litigation and loss data also help the carriers understand their exposures so that they can draft coverage appropriately by providing broad coverage without over-extending themselves. This data also allows carriers to test their policy forms accordingly, ensuring their contracts react in court the way they were intended. In effect, case law serves as a sort of R&D for their policy forms. Without this data, many insurers will be forced to rely on alternative means of data collection such as stronger analytics and improved information sharing in order to more accurately predict their insurable exposures.
This need is creating opportunities for third party providers and solutions for both insurers and the public alike. Surprisingly there is also a silver lining for the insurers. While the analytics, information, and required ‘policy testing’ can be difficult to obtain (especially in the fast paced, constantly changing risk environment of cyber security), the carriers that are able to figure it out will reap the rewards through the development of more accurate predictive risk modeling which can be applied to a broader range of products and industries.
With businesses changing more rapidly than ever, and autonomous cars, drone delivery and robo-advisors on the horizon, the insurers with the most reactive/nimble predictive models, and those least apprehensive about entering into new markets, will have huge advantages in the ability to insure emerging risks through first-to-market capabilities. In an industry that has always been viewed as slow to react, any improvement in reaction among insurers will be a welcome change.
When it comes to cybersecurity investment, many companies have voiced a preference for strengthening internal controls over the placement of insurance. Simply put, some companies place more trust in the hardware/technology to prevent an attack than they do in the insurance companies to provide adequate financial support after an attack.
On the positive side, this indicates that the c-suite is becoming more aware of (and educated on) cyber-risk, and the fact that companies are increasingly implementing improved security measures is good news for all – including the insurers who also benefit from the reduced risk. These same companies should be careful not to lose sight, though: while loss prevention and security controls are a well-advised investment, they should never be perceived as a substitute for insurance. Installing sprinklers in your house doesn’t mean that it’s now safe to “self-insure” it.
Addressing buyer apprehension is a bit more challenging. It can be all too easy to blame this apprehension on an uninformed c-suite (as many articles have). While lack of education is surely a contributing factor in some cases, it appears that same education may also be acting as a deterrent.
With cyber-risk continuing to top the list of c-suite concerns, directors are becoming more educated, and in turn, becoming more familiar with the current limitations of cyber insurance policies. This is particularly true for companies with in-house counsel, CISOs and risk managers that follow the cyber-environment. These limitations, combined with concerns over “failure to maintain minimum security standard” type blanket exclusions and recent cases such as the Johnson Bell case, cast doubt among the c-suite that cyber insurance will adequately cover their intended exposures.
This results in cyber insurance primarily being perceived as intended for breaches that affect personal information or result in lost income – in large part because that’s the way the policies are being crafted. Important coverage elements such as insurance for theft of IP/source code, brand restoration and meaningful coverage for social engineering attacks are largely elusive if not entirely unavailable.
Luckily, cyber insurance is a space with a lot of competition and in which the carriers are heavily investing. In order to truly capitalize on that opportunity, insurers will need to provide better, stronger, more tailored coverages, which will also force the competition to react with better products in an effort to compete. The industry is just beginning to see some of this. This product-strengthening will benefit the public and insurers alike by helping to change any preconceived notions.
With big data being the obvious answer to many of the carriers’ challenges, many insurance companies and startups alike are investing heavily in the harnessing of analytics. However, there is another, more easily solved problem which is often overlooked: resources. Thanks in large part to constantly increasing cyber-regulations, cyber-risk has created a new environment of governance, compliance and best practices that is still foreign to many.
Many smaller and mid-sized companies are genuinely concerned, and interested in implementing the required internal controls, but are a bit in the dark about how to do so without incurring excessive costs. To complicate matters, when applying for cyber insurance for the first time, many purchasers are intimidated by the application questions revolving around said controls. These questions often inquire about existing BYOD (bring your own device) policies, notification procedures, phishing identification and/or periodic security testing – not to mention the overly technical questions that many purchasers struggle with. This often results in complete abandonment of the purchase process, which of course is a contributing factor to the slower adoption rates.
These challenges highlight opportunities for insurance companies and third-party companies alike to provide education and cost-effective cyber compliance resources, both of which would greatly improve awareness and purchase rates.
Many estimates seem to indicate that the cybersecurity and insurance market is set to triple in size over the next ten years. While this indicates a wealth of opportunities in a growing market over the next years, it’s also important to keep in mind the current challenges and address those first so that the expected growth may continue. It’s also an environment in which one well thrown curveball could completely shift everything.