A new study of the UK cyber risk insurance and broker community reveals startling findings. First and foremost, the insurance industry needs to address non-affirmative cyber in a meaningful way. Second, measurement of cyber risk in financial terms is highly deficient among insurance customers and the insurance industry itself.
Silent cyber risk is key market growth inhibitor
More than three-quarters (77 per cent) of UK cyber risk insurance brokers and insurers believed that the insurance industry needs to urgently address non-affirmative cyber or ‘silent cyber’ in a deeper, more meaningful way. Silent cyber refers to instances where cyber perils (such as service interruption or data breach) are neither explicitly included, nor explicitly excluded, by an insurance policy’s wording. There was also a recognition that this problem could not be resolved swiftly, according to 22 per cent of respondents.
Lack of cyber risk understanding inhibits purchasing
Responses to a separate question on why cyber insurance is not being purchased by more companies as a means of transferring risk indicated that companies ‘not understanding policy coverage’ and ‘cyber policies were still too confusing and did not tie easily to known cyber peril categories,’ were the second and third most heavily-weighted responses respectively. The most significant factor holding back the market from the buyer’s perspective was firms ‘not understanding their own risk exposures,’ according to respondents.
Inadequate customer measurement of cyber risk
Results also reveal that an astonishing 89 per cent of respondents either know that their customers have an inadequate method for measuring the cost of a data breach or remain unsure of their customers’ data breach measurement capability. The same percentage (89 per cent) said that customers could not adequately measure the potential impact of a cyber extortion (e.g. ransomware) event.
Customer measurement capability across other cyber perils fared little better. Eighty-seven per cent of insurers and brokers said customers had inadequate or unknown measurement systems for theft of intellectual property. Additionally, 83 per cent of respondents felt that customers could not measure the cost of a cyberattack that interrupts service.
Only one in every seven customers (14 per cent) has adequate measurement for cyber/physical (property and casualty damage due to cyber incidents) peril events. Only 10 per cent of insurers indicated that customers were adequately measuring likely costs associated with a potential data breach.
Cyber perils disconnected from policy clauses
Linked to silent cyber exposure, nearly half (47 per cent) of respondents admitted to having no clear connection between core cyber peril events and cyber risk insurance cover elements in their policy wording. Only eight per cent of insurers and brokers felt their policy wording now closely reflected the top five most-understood cyber peril threats.
If insurers do not map key cyber peril events to key cyber risk policy clauses—defining affirmatively what is explicitly covered or excluded—there is a real danger that vital cyber perils will not be covered.
Catastrophic or systemic events set to reshape cyber insurance market
Sixty-two per cent of respondents agreed that a series of catastrophic cyber events or a systemic event (a single action that impacts claims on multiple policies within insurers’ portfolios) could drastically alter the way in which insurers measure the risk profile of cyber insurance applicants. A further 35 per cent said that catastrophic claims had the potential to reset the market but that this would depend on the size of resulting claims.
Aggregated risk uncertainty hinders cyber insurance book growth
The survey also uncovered strong evidence of a lack of market understanding and pricing of aggregated risk. Six out of every 10 cyber brokers and insurers (60 per cent) agreed or strongly agreed with the statement that ‘lack of understanding of aggregated risk within cyber insurance portfolios is hindering market growth.’
Board-level demand is largest purchasing driver
Specific demand for cyber cover from board-level executives is the most heavily weighted driver of new cyber insurance sales. Demands placed on boards by due diligence requirements run a close second.
These due diligence demands perhaps explain why ‘the board as a whole’ is regarded as the most significant decision-making group for new cyber cover (for 42 per cent of all respondents).
Risk remediation versus risk transfer poorly understood
With cyber risk, there are only three practical choices: remediate, transfer, or accept cyber risk. This assumes that each organisation has the ability to measure cyber risk and draw a delineation between risk remediation and risk transfer.
Nearly three-quarters (73 per cent) of respondents believe that most organisations do not understand the delineation between risk remediation and risk transfer as a mechanism to buy cyber insurance. This implies that most organisations are using intuition to determine the type and limit of their cyber coverage.
Outside-in cyber risk assessments not good enough
Only a tiny minority of brokers and insurers (2.6 per cent in this survey) believe that information gleaned from a short questionnaire or internet-based tool is an effective way to measure an applicant’s risk profile. However, the use of ‘outside-in’ internet-based tools and short questionnaires continues to dominate. Remarkably, only five per cent routinely commission a risk assessment from a third-party cybersecurity vendor to better understand their applicant’s risk profile. This must change if carriers are to manage cyber book risks adequately.
Brokers to carry largest share of market education
More than nine out of every 10 insurers and brokers (94 per cent) saw a significant need to educate the buyer during the pre-sales process to expand sales opportunity and avoid misalignment of cyber insurance policy to customer needs, with 65 per cent of respondents putting the onus on brokers to educate the market. Only a tenth (11 per cent) felt an independent third-party body or regulator (sponsored by the industry) ought to take the lead. A further 11 per cent felt underwriters ought to be responsible for this market education work.
Robert Vescio, inventor of X-Analytics, a cyber risk quantification model used to model the economics of cyber risk exposure, commented on the survey’s findings:
“There are more than 130 insurers writing cyber premiums globally. Does this mean that cyber risk is well-understood and that there are agreed-upon standards for underwriting throughout the industry? According to the survey, the answer is a resounding ‘no.’ Cyber risk is clearly not yet well-enough understood or measured right now.
“There remains significant market pressure to underwrite and quote policies as efficiently as possible, even while admitting a widespread inability to measure an applicant’s risk profile. This generates mismatches between desirable underwriting principles and prevalent practices for writing cyber cover today.
“The survey also highlights an urgent need to model non-affirmative or ‘silent’ cyber risk and develop a better understanding of aggregate risk within an insurer’s portfolio. Many insurers are now concerned that a series of major cyber events could rapidly erode the finite margin across numerous portfolios and test if there is enough capital to cover significant cyber-related claims within a calendar year.”