Unnatural cat: Why cyber insurance coverage has a sell-side downside
They say insurance is a product that is sold, not bought – and that’s why we often focus a lot on the buyer side: the risk landscape of potential customers, their coverage gaps, their service preferences … even their apathy. With cyber insurance, however, buyers are strongly recognizing the need for coverage and recognizing risk transfer as a key lever in the overall fight against cyber criminals.
But few companies are buying cyber insurance right now. As cyber underwriters enter what we referred to in our previous post as a “hard market within a hard market”, the cost of protection is reaching unprecedented levels, making it unaffordable for all but the largest players.
As the buy side adopts an increasingly mature stance, the sell side remains unprepared, and we are yet to see a mass-market product that insurers can afford to offer at a price most customers can pay. Today’s post looks at some of the reasons for this disconnect between buyers and sellers, which stem from the nature of cyber risk itself: a risk that shares many, but by no means all, characteristics of NatCat risk.
How smaller businesses became aware of their cybersecurity risk
Let’s start with the buy-side and how cyber insurance evolved from an exotic beast to a routine topic in boardrooms. After all, cyber policies are hardly new as they have been in circulation in one form or another for around 20 years. So why the recent entry into the mainstream?
What has changed is that we have reached a tipping point in technology adoption. While large companies have had large IT footprints for decades, this has not always been the case for small and medium-sized businesses (SMBs). Today, however, most businesses are digital-first, right down to sole proprietorships, and many have embraced remote work and cloud computing as well. Cyber risks affect everyone in all sectors today, on a daily basis.
We can track the expansion of the cyber conversation with some basic media analysis. The following chart from Factiva – based on its archive of newspapers, news agencies, industry publications, magazines, and reports – shows the increase in unique articles related to “cyber insurance” from nearly zero in 2012 to ~4,000 per year in 2020. In 2021 that number will more than double. A similar trend can be seen in mentions of SME cybersecurity.
Source: Factiva (2021 figures represent a proportional adjustment of the figures as of September 2021)
The growing talk of cybersecurity and cyber insurance has brought many new buyers to the table with risks to cover, from ransomware attacks and cyber-related business interruptions to social engineering and data breaches.
Since the dynamics of the buyer side can be clearly seen, we now turn to the seller side.
What we find here is really a constant battle for affordable, functional products. In other words, insurers are not as successful in increasing mass market supply as they are in growing mass market demand.
These sell-side problems can be divided into two broad categories, partly at the level of individual policies and risks, and partly at the portfolio level. Let’s look at both of them.
Cleaning up bad cyber risks and bad cyber guidelines
The most obvious problem for insurers with all of this new cyber demand is that many newly awakened businesses, many of them SMEs, are inherently bad risks.
The reasons for this are simple. SMBs tend to run less robust systems to begin with and have likely made limited investments in cybersecurity. In addition, technical developments increase the attack surface for hackers as more and more systems, devices and remote workers are added to corporate networks, something that SMBs – with their lack of internal legal, cyber and risk expertise, codified guidelines and employee training – are poorly equipped to handle.
These risk factors combine to raise the price floor for SME cyber insurance, similar to how less safe drivers pay higher car insurance premiums on average. But help is in sight.
Just as drivers can reduce their risk – and thus their premiums – through in-car safety features and telematics, a lot can be done at the front end to improve the cyber risk profile of small companies.
This ranges from implementing basic cybersecurity hygiene, such as regular employee training and two-factor authentication, to specifying dedicated cyber defense software. By eliminating risky practices from policies and creating incentives for good behavior, insurers can reduce cyber risks, reduce attrition, and make small businesses more insurable. Lower basic premiums should follow.
To understand business vulnerabilities first, and then to address them, insurers need to fully tap into the broader cybersecurity ecosystem. This is already happening: over 80% of sell-side players (including underwriters, brokers, and agents) use third-party technology for cyber risk selection, especially for risk scanning, according to a recent survey by PartnerRe and Advisen.
How do you primarily use third party providers for cyber underwriting?
Cyber Insurance – The Market View; PartnerRe and Advisen, 2021
The ability to improve individual risks will certainly grow over time as insurers, brokers, and cyber vendors collect more and more data. And standard cyber policies can be trimmed to align with risk management best practices as they emerge and evolve. However, for the cyber line to overcome its problems completely, changes are also required at the portfolio level.
Unnatural Disasters – Why Cyber Remains a Portfolio Challenge
Cyber harbors the possibility of oversized losses at the portfolio level due to the potential for large-scale cyberattacks to hit many policyholders at the same time. For this reason, cyber insurers need access to abundant capital, and it is not surprising that the business relies heavily on reinsurance.
This in itself is not a problem, because capital has hardly been in short supply for commercial insurers in recent years. The problem for cyber reinsurers is actually not capital volume, but capital efficiency. We see this when we compare cyber to other major loss lines like NatCat.
Natural catastrophe reinsurers can write a lot of risk against their capital pool because diversification keeps the likelihood of that pool being wiped out low. This is possible because natural disasters follow predictable annual and seasonal patterns, so you can create balanced portfolios. There are large aggregations of risk as different segments of your book take massive hits. But no aggregation is big enough to destroy your entire book.
In other words: It is not cat season everywhere at the same time.
But cyberspace has no seasons. No matter how much you diversify your customer base – by insuring clients in both hemispheres and on every continent – the systemic risk remains substantial and can affect a critical mass of policyholders at the same time. A hurricane in the Gulf of Mexico does not spread to other parts of the world like a virus. Ransomware attacks do. They are certainly catastrophic, but there is nothing natural about them.
The result: reinsurers have to hold a disproportionately large amount of equity capital for the cyber risks they have written – and higher rates are then required to cover the segment’s cost of capital. Higher reinsurance rates lead to higher rates in the primary markets, which in turn means a higher price floor for cyber customers.
In practice, cyber risk – especially the threat posed by mega-aggregations – is still poorly understood. As a result, the allocation of capacity has been rather speculative, which explains why the market is dominated by a handful of large reinsurers.
This combination – a small reinsurance pool and a lot of speculation – exposes cyber insurance to serious corrections, since the whims of a single player, such as a decision to withdraw, can have a significant impact on overall market capacity and thus on the market price. On top of the already high prices, this volatility will make it even more difficult for underwriters to build a stable base of cyber customers – with considerable potential to stifle innovation in the line.
So there we have it: the cyber sell-side problem. Prices are high for a variety of reasons, some front-end, some back-end – and it takes a variety of front-end and back-end solutions to bring them down, which we’ll explore in our next post.
Ultimately, market experience will show where risk transfer solutions fit best and how they can be made affordable. Because of this, a step-by-step approach to cyber risk may serve insurers better – observing from a safe distance without getting carried away. Over time, this “unnatural catastrophe” may not seem so unnatural after all.