Growing pains and teenage tantrums: watching cyber risk come of age

As the cyber insurance market matures, it will need both standardisation and innovation to sustain its growth. But even those things won’t necessarily protect the market from some difficult times as the market develops.

Cyber insurance is still in its infancy—“just a baby”, according to one panellist on the latest session of the Re/insurance Lounge, but the market is growing up fast. According to recent analysis from S&P Global Ratings, commercial and private cyber insurance premiums total about $5 billion annually but are expected to grow 20 to 30 percent per year in the near future.

Even then, it will be some time before coverage is close to addressing the $700 billion economic cost from cyber crime alone. The COVID-19 pandemic has exacerbated the risk, with some labelling it as the largest-ever cybersecurity threat.

To discuss these issues and what needs to happen to see cyber insurance reach its potential, the Re/insurance Lounge, Intelligent Insurer’s online, on-demand platform for interviews and panel discussions, brought together some of the industry’s leading players:

  • Simon Ashworth, chief analytical officer for insurance at S&P Global Ratings;
  • Louis Botticelli, senior director and US cyber product leader for small business and specialty lines insurer Markel Specialty;
  • Jasper Goring, cyber specialist broker at Gallagher Re; and
  • Michael Shen, head of cyber & technology for the London Market at global specialty re/insurer Canopius.

None on the panel doubted that cyber insurance would see strong growth in coming years. The real challenge there, said Goring, would be keeping up with demand.

“It’s a class of business that relies heavily on reinsurance,” he said. “The reinsurance community needs to continue to secure more retrocession capacity, and we need to encourage alternative capital to come to the market—all to keep pace with the demand for cyber coverage.

“That’s our biggest challenge to growth: meeting the demand for capacity.”

Expanding the coverage

At the same time, Goring agreed, there is a need for insurers to innovate to meet new challenges not covered by traditional cyber covers.

On one hand, existing cyber policies cover a broad range of perils. As Shen put it: “The standard cyber product provides first-party coverage, system restoration, business interruption, liability, crisis management, cyber extortion, ransomware, media liability. That’s a pretty significant suite of coverage, so let’s not suggest that this is an inadequate product.”

Moreover, it includes major areas of growth. Ransomware, particularly, is a key concern for Botticelli. “Ransomware as a service is a growth industry,” he warned.

“There are companies out there for whom ransomware is their product,” he said. “Everyone points to a cloud being the systemic issue, but this is the more systemic risk to my mind.

“As an industry we need to capture data to better understand where the overall exposures are throughout our books of business.”

On the other hand, there’s a clear need for innovation to cover emerging vulnerabilities such as physical risks from cyber attacks harnessing the internet of things (IoT).

The existing coverage of cyber products is still relatively focused, said Goring, and leaves plenty of scope to expand.

“As an industry we shouldn’t lose sight of the opportunity to innovate in other product lines and the broader sense of what cyber exposure might mean,” he said.

Botticelli agreed. “With the interconnectivity of companies and geographies and the devices used in the IoT—more than 40 billion devices within three years—it would be obtuse for the industry not to see it as a growth area,” he said.

Innovation, standardisation and reputation

To facilitate that growth, according to Shen, the standardisation that has already begun in traditional cyber policies must continue. That will then free up insurers and brokers to work closely with clients to put more innovative covers in place.

“We probably need to standardise the traditional side of the non-physical damage cyber so we can build at scale, and then sell the new cyber products,” he explained.

“You don’t create a substantial market without bringing in some standardisation, so that has to happen on a greater level.”

For insurers, that will create risks as cyber exposures on their books grow in size and scope. As cyber develops from infancy, insurers will have to be careful, said Ashworth.

“As it becomes a teenager, our biggest focus will be on the extent to which the product line adds additional volatility to insurers’ balance sheets,” he explained.

There are also opportunities—and not just to write more premium. In identifying areas of risk and promoting mitigation, as well as providing coverage, insurers can help address the growing threat from cyber to a broad range of businesses, Ashworth pointed out.

“From a reputational perspective, that would be beneficial and might right some of the perceived wrongs of the past. The beauty from a cyber perspective is that it’s not plagued by the legacy issues insurers sometimes have to deal with,” he said.

“In some ways, they’re starting from a relatively clean slate.”
