Caution is the watchword for insurers getting into the cyber insurance marketplace, according to a recent report from Standard & Poor’s, due to the difficulty in underwriting and pricing the risk. The slow growth in availability isn’t necessarily a problem, S&P added.
“Even insurers with a larger market share are guarded enough to use low limits and a whole slew of exclusions (such as excluding damages resulting from data handled by an external contractor), which we believe is sensible. The need for risk-averse underwriting is heightened considering the lack of actuarial data, potential systemic consequences, loss creep, and clash risk,” noted the ratings firm. The market might appear to involve up to 50 insurers, but the biggest players number five — American International Group Inc., ACE Ltd., Chubb Corp., Zurich Insurance Co. Ltd., and Beazley Group Ltd.
The “prudence” means that S&P sees no indication that cyber insurance losses could affect insurers’ financial strength. Disciplined underwriting should preserve insurers’ balance sheets for the future, but S&P added, “However, we could take rating actions if we start to see insurers with excessive growth, poor underwriting standards, or insufficient risk management.”
The market, as estimated by Lloyd’s of London now includes $2.5 billion in premiums, growing from less than $1 billion in 2012.
“This is a small sum considering $496.6 billion of total U.S. net premiums were written in 2014. Cyber represents a huge area of opportunity, as some analysts project the cyber insurance market growing to as large as $10 billion during the next five to 10 years, which we believe is possible given the public’s increased awareness of the need for protection,” said S&P.
The industry has made some effort to begin modeling cyber risk, a practice that S&P said it does not quite trust for this risk.
“Reliable actuarial data are also not available. Metrics for cyber risk, such as the number of attacks, number of successful attacks, data encryption-related metrics, security features, and lessons learned from actual losses, are also in the early stages. We believe that probabilistic models pose high levels of uncertainty, mostly because of the unpredictable human behaviors associated with cyber attacks. Therefore, we are cautious of any insurer that places too much emphasis on modeling cyber risk for pricing or exposure-management purposes,” said the firm. Additional challenges come in when organizations show reluctance to transparently disclose the occurrence of a breach.
“Cyber attacks could also be stealthy in nature and may not be detected for a long time. This has been particularly problematic for insurers with some first-time buyers that are unaware that their IT systems have already been compromised. Another concern is the potential for systemic risk. This is evident in contingent business interruption claims as organizations depend on third parties such as their Internet service providers, cloud providers, backup data centers, and software providers, who could inadvertently cause business interruption or privacy violations,” said S&P. The firm predicted that stand-alone cyber insurance would grow to focus more on pre-loss mitigation standards and services.