The ever-emerging risk

Businesses have been grappling with cyber risk for decades, but while the risk itself is nothing new, what does feel different in recent years is the sheer scale of the challenge organisations face today. As the proportion of business that is done online increases, so does the risk of a cyber attack: today, especially in the shadow of the COVID-19 pandemic, the amount of business being done online has never been higher.

“The threat of ransomware has been around since the 1980s but the threat has increased significantly in the last five years and especially in the last 18 months,” says Greg Eskins, cyber product leader for the US and Canada at Marsh.

Marsh data show that cyber losses increased markedly, in terms of both loss frequency and severity, in 2019 and 2020. In 2020 this was compounded as cyber criminals took advantage of the large numbers of people working from home, outside the relative protection of their company’s corporate firewalls. Cyber risk—already a huge concern—has been catapulted to the top of the corporate agenda.

For organisations, and risk managers, it can be difficult to know where to start. “Businesses are still struggling to quantify and define cyber risk,” says Erica Davis, managing director and global co-head of cyber at Guy Carpenter. “Balancing cybersecurity investment versus risk transfer is a real challenge for them.”

Cybersecurity is the easiest and most effective place to start. Even businesses that plan to buy cyber coverage have an incentive to tackle their cybersecurity first. Underwriters incorporate enterprise risk management techniques into their decisions, pricing coverage based on the client’s cyber hygiene, explains Catherine Mulligan, global head of cyber for Aon’s Reinsurance Solutions.

“The evolution of privacy laws has had a big impact on the cyber market,” adds Mulligan. “Risk management includes pre-loss measures, risk transfer and dealing with realised losses, and there is a lot of emphasis on improving insureds’ overall cyber hygiene and resilience.”

The challenge has been exacerbated by recent suggestions that the very fact of having cyber coverage could mark companies out as targets. Mulligan admits Aon has looked at this issue, and has found it hard to pin down.

“It is clear there have been instances of this happening, where cyber criminals have made reference to the target’s insurance documentation, but this only really points to the need for strong risk management,” she says. “The attack vectors themselves haven’t changed, it is about addressing the issues that leave businesses exposed to attack.”

“It is very difficult to substantiate the claim that businesses might be more at risk if they have cyber coverage, but if there is an impact, it is likely to be very marginal,” agrees Davis. “Ultimately every business—every person even—is a target, so businesses should act accordingly and focus on their cyber hygiene. Businesses should not be sharing details of their cyber policies publicly, but nor should they be sharing any personal data.”

Cyber is still spoken of as an example of emerging risk, and a relatively new line of coverage, but it is older than is often realised.

“Cyber has been around for more than 20 years in some form,” says Mulligan. “It arose from tech errors and omissions (E&O). Coverage has evolved as the tools available to quantify the risk have improved and the industry has pulled in more information beyond just industry losses.”

The sense that cyber seems younger than it is, is more than just an illusion. Cyber has taken longer to mature than other lines of coverage because of the nature of the risk, which is constantly evolving and expanding, says Davis.

“If the risk were relatively static, like some other risks that businesses insure, the cyber industry would definitely feel more mature,” she says. “In a risk environment as dynamic as cyber, 20 years doesn’t feel like such a long time.”

She cites a quote from Dan Glaser, the president and chief executive officer of Marsh McLennan, who described cyber as “a race without a finish line”. She adds: “As the cyber threat continues to evolve, the industry may still feel relatively young in another 20 years.”

Youthful as it can seem, the cyber market is definitely growing, and many—although by no means most—businesses are turning to the insurance market for protection. According to National Association of Insurance Commissioners (NAIC) the cyber market is around $3.15 billion, so it is still very small compared to the property and casualty market. Modelled systemic cyber events could exceed the amount of capital available in this market, Eskins says.

Losses continue to exceed the amount of capital available in this market, he adds.

Marsh data show only around 47 percent of US organisations have cyber coverage. The figure is higher in the US than elsewhere in the world.

“Insurance and risk transfer are very much part of the culture and vocabulary of the US market, which is generally more litigious than other parts of the world, meaning businesses are more likely to be sued for a data breach in the US,” says Eskins.

“Liability insurance has been an effective way to manage the financial impacts of such a risk.”

If less than half of US businesses have cyber coverage, there is a significant protection gap. The fact the US is ahead of the rest of the world is little consolation. The problem is even worse than it looks: many of the businesses that do have coverage don’t purchase adequate limit, says Davis. “There is a really wide protection gap problem here,” she says.

The proportion of businesses buying cyber coverage has been steadily increasing, however, and looks set to continue to do so. Clients are also becoming increasingly familiar with what the cyber offering includes, which is not only a payment to compensate for a loss, but also pre and post event services, including advice on maximising cyber hygiene and legal support to help with litigation issues, particularly around lost data.

These factors that point to increasing demand for cyber are partially offset, however, by the increasing cost of coverage as the market hardens. While prices have risen steeply across many coverage lines in recent years, cyber has seen among the steepest increases, especially in 2021.

According to Marsh data, cyber lines saw average rate increases of around 3.5 percent in Q1 2021, making it one of the most challenged insurance markets for this period.

“We saw the cost of capital rises on other lines such as casualty, property and D&O over the last 18 months—24 months, and as such, the price increases in cyber this year, when combined with increases on other lines has caused considerable consternation for many businesses,” says Eskins.

“Increasing costs may weigh on the number of businesses buying cyber but it is not the only driver,” says Davis. “We have had a number of years where the cyber market was very soft and that didn’t lead to a surge of demand.

“Price seems to be more of a driver for the amount of coverage a business buys, rather than whether it buys the cover in the first place.”

The other driver affecting the market is the reduction in coverage being offered. “The market has been looking at the terms and conditions associated with cyber and other policies since the NotPetya cyber event,” says Eskins.

“There was a recognition that if that event had cost the industry the $10 billion in economic losses estimated, it could have collapsed cyber as a product line—although not the insurers themselves, and this, in part, started to encourage much greater scrutiny of underwriting controls.”

These two factors—the increasing cost of cyber coverage, and the tightening of terms and conditions—have made captives a more attractive proposition for cyber insurance.

“While the cost of cyber insurance has been increasing it is still reasonably priced in absolute terms—it generally remains economically efficient as a risk transfer mechanism,” says Eskins. “It is not at a price where self-insurance is the only choice, but it is certainly at a level where a captive is part of the discussion.”

Of the approximately 1,500 captives that Marsh works with, there was a 127 percent increase in the number writing cyber. Around 5 percent of captives managed by Marsh now write cyber coverage.

“Captives in the healthcare, financial services and retail and manufacturing sectors saw the biggest increases in cyber coverage but the trend is evident in all sectors to some extent,” says Michael Serricchio, managing director at Marsh Captive Solutions.

“A number of factors are driving this trend but there is no doubt in my mind that the increasing cost of cyber cover in the commercial market is the single biggest driver.”

Captives operate with some specific advantages in the cyber market.

“For commercial insurers the ubiquity of software and interconnectedness of supply chains and business in general, combined with a lack of historical data and the fact technology risk is embedded in all lines of insurance, in part, makes cyber risk complex to accurately model,” says Eskins. “But for a captive with a single client this is a far smaller issue.”

Meanwhile, captives are increasingly confident about branching out into new coverage lines.

“Captives traditionally focused on lines such as workers’ comp, auto and general liability, but in recent years cyber has definitely come to be considered more as part of the conversation, especially as boards of directors have started to think more about this risk,” says Aidan Kelly, director of risk finance and captive consulting at Aon.

“Execution is still lagging behind intent a little in this area, but there is growth, whether that is retention or primary first layer, excess placement or quota share agreements.”

Serricchio agrees, comparing the growth of cyber among captives to its increasing activity in other lines, such as terrorism, where captives have seen growth as a way to access TRIA. “Very few captives have traditionally written cover for environmental and pandemic risks, but these are also areas where captives are coming to life,” he says.

Serricchio admits that cyber can feel like a very different—even unique—kind of risk, but insists it is no different from other lines of coverage that captives are comfortable with.

“Captive owners should look at the limits, benchmarks and loss expectations in exactly the same way they would for any risk,” he says.

“Cyber is less frequent and more severe than some other risk coverages but it can certainly be modelled,” agrees Kelly. “It can be understood, quantified and funded via a captive, which can use the reinsurance market to lay off excess risk. Managing cyber risk via a captive is eminently sensible.”

Ironically, the increasing number of cyber attacks is helping the market, at least in some ways. “There is so much ransomware out there now but one silver lining is it means there is more data available now, which is good for actuaries,” explains Kelly.

“More cyber events are being analysed which is helping the industry to understand this evolving threat. This makes attacks easier to predict, making it easier to write cover via a captive.”