2020 Cyber Insurance Predictions
By Yakir Golan
In the past few years, I’ve watched insurers and reinsurers delicately maneuver around cyber insurance. Lucrative loss ratios have brought many new players into the market. I’ve spent the majority of my career surrounded by cyber, artificial intelligence and risk management. My experience led me to discover an interesting gap in the insurance industry regarding cyber risk.
Since then, I have been on a quest to increase awareness and knowledge of cyber risk to insurance professionals across the globe. I strive to harness my unique expertise to provide (re)insurers access to data, advanced algorithms and solutions in order to predict and price cyber risk.
As the market matures, insurers and reinsurers are gradually realizing that potential losses due to large loss events and cyber catastrophes are an imminent risk to their books and need to be addressed immediately.
(Re)insurers are allocating more resources into building their cyber underwriting and accumulation management capabilities while increasing their cyberthreat knowledge to keep up with the risk and demands of the industry.
2020 will be a significant year of change. Here are some personal predictions on where the industry is heading:
1. Increased Regulation Across Countries And Industries
As data privacy and protection legislation continues to grow, increased regulation around cyber risk will be one of the main drivers of the cyber insurance market. Currently, over 100 countries have already implemented or are in the process of implementing some form of legislation around curtailing cyber risk.
In 2017, the National Association of Insurance Commissioners (NAIC) in the United States adopted an Insurance Data Security Model Law, which provides for reporting a cybersecurity event within 72 hours to regulators and providing notice to consumers within a specific period of time allotted by state law. Increasingly more and more states are beginning to adopt the law. Some states, such as New York, have also implemented policies that force companies to submit proof of compliance with regulations.
In Europe, the EIOPA published a report titled “Cyber Risk for Insurers – Challenges and Opportunities,” in which they assert the need for a cyber resilience framework for European insurers. Most interestingly, the report cites a “well-developed cyber insurance market” as a driver in transforming the digital economy.
Cyber risk policies and programs, incident response plans and more are already mandated by different governing bodies. It would be fair to say that in the near future, as regulatory bodies such as the PRA, FCA, BaFin, MAS and EIOPA set increased regulations for certain industries to ensure an appropriate degree of protection for businesses and individuals, cyber insurance will become a necessary mandate to meet regulations.
2.Increased Cyber Exclusions
Additional insurance groups will exclude cyber from other offered policies. Conventional property and casualty (P&C) insurance covers physical perils; however, policy wording has led to unintended cyber coverage, often referred to as “silent cyber” risk. In fact, the International Underwriting Association (IUA) has already developed two wordings for the London Market model to address this issue.
I’ve already seen insurers such as AIG, Allianz and Lloyds make more concrete statements affirming exclusion of cyber from their P&C coverages. As awareness to silent risk exposure increases across the globe, I predict we will see more and more insurers move in this direction and exclude cyber risks from conventional commercial P&C coverages.
3.Broader Scenarios With Enhanced Context To Manage Cyber Risk
With more and more cyberattacks occurring, (re)insurers need to have a wider perspective for possible cyber catastrophes and large losses. Today, common modeled cyber scenarios span from cloud outage to massively distributed ransomware attacks. In order for (re)insurers to better assess potential losses due to cyberattacks, the number of modeled scenarios needs to increase, and it must represent a wider range of possible attacks.
The core building blocks for scenarios that closely simulate large and catastrophic losses due to cyberattacks will need to replace assumptions with data. As the market acknowledges that cyberthreats are continuously evolving, the demand for a more diverse set of scenarios will continue to increase.
4. Emerging Endeavors Surrounding Parametric Insurance
(Re)insurers are looking for innovative ways to push traditional boundaries of cover, and although parametric cyber insurance is still in its infancy, we’ll see increased endeavors in this niche. The biggest challenge for parametric insurance is properly correlating historical losses with an index to limit the basis risk.
Insurers’ access to cyber risk data has increased due to solutions provided by modeling vendors’ advanced data harvesting capabilities. This gives insurers better parameters to accurately quantify emerging cyber risk, and these capabilities will allow them to build parametric product offerings to transfer their cyber risk.
5. Increased Cyber Reinsurance Capacity
Increasing confidence around cyber risk accumulation and exposure management will lead to an overall increased cyber reinsurance capacity. Major headway has been made in regard to mitigating systemic cyber risk accumulations. The exclusion of cyber from other P&C policies and advances made in the development of models will create a more transparent view of the risk reinsurers take on, leading to a higher risk appetite.
As appetite increases and more policies are sold, we will see a trend in declining cyber premium rates. Of course this trend will only hold true until the next cyber catastrophe hits, and rates will most likely rise after (re)insurers feel the effect of massive loss across their portfolios.
The cyber insurance industry is at a time of accelerated growth. Every year brings new trends and more opportunities to develop cyber insurance products. As we enter 2020, it’s important to pay attention to the major advances being made around identifying and quantifying cyber risk and the impact these capabilities will have on the industry.