Advisen: What do you see as the greatest cyber risks today?
Matthew Hogg: There is no one answer to this question. Each company could and should have its own view on what its greatest risks are in its jurisdiction and in the course of doing its business. It’s easy to be swept along by media coverage of the large events that cause large losses, but companies should be considering what resonates with their own business.
From Liberty Specialty Markets’ viewpoint – and as an underwriter in the London market – one of the greatest challenges we face is how to remain innovative as a market and to focus on broadening cover for cyber risks whilst obtaining the information required to make qualified decisions.
London is an innovative market and we consider ourselves one of the thought leaders in this space. Liberty Specialty Markets was one of the first carriers to respond to coverage requirements by removing terrorism exclusions and to provide reputational cover. At Liberty Specialty Markets, we are focusing on first party cover, including the potential to insure property damage.
A lot of the cyber insurance market has spun out of tech E&O markets, whose underwriting skills, reinsurance support and commercial expectations derive from the liability piece – but liability is only one element of cyber risks.
We need to be very focused on responding to the needs of our insureds and providing cover for all areas of cyber exposure.
Advisen: What will be the greatest threats in 5 years’ time?
Matthew Hogg: Of course, the external threat horizon – especially in the realms of technology and regulation – will continue to move and the cyber market will continue to play catch-up with our empirical data as new threats emerge.
But concentrating on internal, insurance market issues, I do feel that there are some current exposures that have not yet come to light that could hurt people.
Are we as a cyber market fully cognisant of the right pricing and structure of programmes and all the risk exposures that might trigger insurance policies?
As the cyber insurance market becomes more sophisticated and as the regulators of the insurance market become more sophisticated, the Realistic Disaster Scenarios (RDS) imposed on insurers might become more stringent and demanding than currently.
This will, in part, drive more collaboration between the various insurance lines of business. Insurers should be ascertaining what underwriting skills are needed to produce a robust, comprehensive cyber product that can be well underwritten and well understood. Some of those skill sets will reside in the cyber market, and some in the casualty and property markets.
Combining those skills to provide a solid offering should be more important than price.
Advisen: Is the insurance industry doing enough to adequately address these risks?
Matthew Hogg: It is important to stress that collaboration between the different insurance ‘silos’ or classes of business is imperative for the cyber market to move forward.
This is definitely an industry concern, not just a cyber industry concern. The whole industry will have to work together better to create products in a sustainable fashion.
Of course, it’s easy to plant flags. The cyber market could make a land-grab to offer casualty and property-type exposures under the cyber policy, but shouldn’t other lines of business be underwriting the risks that they have deep experience of covering?
Who writes which sections of a cyber policy should be decided by how efficiently they can write the business and how well they can underwrite it. At Liberty Specialty Markets, for example, we are looking at where we can pool our cyber expertise across traditional business lines, to justify writing this class and also to guarantee that we can underwrite it sustainably.
Another area that insurers will have to grapple with, as their portfolios mature and reach a critical mass, is aggregation of risks.
We are working with external parties to improve and fine tune what our overall exposure might be to certain business process outsourcers – what proportion of an SME book might be using a particular cloud provider, for example.
Advisen: What keeps you awake at night?
Matthew Hogg: I worry about memory loss… Not mine, but the market’s. The insurance market has a short-term memory.
If the cyber market enjoys 2-4 years of not being badly burnt, outside capacity providers behave as if it will always perform that way. So new markets are coming in all the time, with slightly different maturity curves and risk appetites for this business.
I’m concerned that the market is moving at a speed it should really be uncomfortable with.
One other problem with short-term memory is that the quality of information in this class could deteriorate.
At Liberty Specialty Markets we’re holding on to how we think cyber risk should be underwritten and the information we think we need to do that.
I’m concerned that the market may get ahead of us if we’re slower out of the door because we feel we’ve put more consideration into how we’re going to sustain a book of cyber and privacy insurance whilst maintaining our position as one of the market leaders.
Advisen: In your opinion, what is the single most important cyber risk development in the past 12 months?
Matthew Hogg: I’d like to stretch that to 2, if I may…
The most immediate is the breaches in the US retail industry in 2013. These have had the most impact on how the cyber insurance market operates and represent the closest thing we’ve had to a hardening cyber market.
Markets have dropped out of writing primary retail industry business, or are reassessing pricing. The spate of retail data breaches has also increased insurance uptake and moved much more business across to the UK from US.
In terms of the bigger picture, the last 12 months has seen government, regulatory and standards bodies combine in both the US and UK to develop the first steps towards a coordinated risk management approach to cyber risk.
This has not been seen before and corporate expectations of how to perform are being set right now.
Approaches like the NIST framework in the US and the ‘cyber hygiene’ framework drafts in the UK will ultimately drive the cyber insurance market through a greater appreciation of cyber exposures in corporations.
Even if it doesn’t immediately and directly change the way SMEs approach cyber risk, change will be driven down the supply chain from larger organizations.