They say that insurance is a product that is sold, not bought – and as a result, we often spend a lot of time on the buying side: the risk landscape for potential customers, their coverage gaps, their service preferences … their apathy even. But with cyber insurance, buyers strongly embrace the need for protection, recognizing risk transfer as a key lever in the overall fight against cybercriminals.
But few companies are actually buying cyber insurance right now. With cyber insurers going into what we in our previous post called a “hard market within a hard market”, the cost of protection is reaching unsurpassed levels, which makes it unaffordable for all but the largest players.
So as the buying side adopts an increasingly mature attitude, it is the sales side that remains unprepared, and we have not yet seen a mass-market product that insurance companies can afford to write at a price most customers can pay. Today's post looks at some of the reasons for this disconnect between buyers and sellers, which go back to the very nature of cyber risks: risks that share many, but not all, characteristics of NatCat risks.
How smaller companies woke up to their cybersecurity risk
Let’s start with the buying side and how cyber insurance went from exotic beast to routine boardroom topic. After all, cyber policies are hardly new, having been in circulation in one form or another for about 20 years. So why the recent entry into the mainstream?
What has changed is that we have reached a turning point when it comes to technology adoption. Although large companies have had large IT footprints for decades, this has not always been true for small and medium-sized enterprises (SMEs). Nowadays, however, most companies are digital first, all the way down to sole traders, and many have further embraced teleworking and cloud computing. Cyber risk now affects everyone in all sectors, and it affects them on a daily basis.
We can follow the expansion of the cyber conversation through some basic media analysis. The graphic below from Factiva – based on its archive of newspapers, newscasts, industry publications, magazines and reports – shows the increase in unique articles referring to “cyber insurance”, from almost zero in 2012 to ~4,000 per year in 2020. That figure is set to more than double in 2021. A similar path can be traced for mentions of SMB cybersecurity.
Source: Factiva (figures for 2021 represent a proportional adjustment of figures from September 2021)
The constant noise of cyber security and cyber insurance has brought many new buyers to the table with risks that need to be covered: from ransomware attacks and cyber-related business outages to social engineering and data breaches.
With the dynamics of the buying side clear, we now turn to the sales side.
What we find here is really an ongoing struggle to provide affordable products that are fit for purpose. Or in other words: the insurance companies have not been as successful in increasing supply in the mass market as they have been in increasing demand in the mass market.
These sales problems fall into two broad categories: those at the level of individual policies and risks, and those at the portfolio level. Let’s look at both.
Clean up bad cyber risks and bad cyber policies
The most obvious problem for insurers from all this incoming cyber demand is that many emerging companies, many of them small and medium-sized enterprises, are fundamentally bad risks.
The reasons for this are simple. SMEs tend to use less robust systems to begin with and have probably only made limited investments in cybersecurity. In addition, technological development is increasing the attack surface for hackers, as more and more systems, devices and teleworkers are added to the company’s network, something small and medium-sized companies – with their lack of internal legal, cyber and risk expertise, codified policies and staff training – are poorly equipped for.
These risk factors combine to raise the price floor for SMB cyber insurance, in much the same way that less safe drivers on average pay higher motor premiums. But help is at hand.
Just as drivers can see that their risks – and thus premiums – are reduced through safety features in the car and telematics, much can be done up front to improve the cyber risk profile for small businesses.
This ranges from implementing basic cyber security hygiene, such as regular staff training and two-factor authentication, to requiring specific cyber defense software. By writing high-risk practices out of policies and encouraging good behavior, insurance companies can reduce cyber risks, reduce attritional losses and make small businesses more insurable. Lower base premiums should follow.
To first understand companies’ vulnerabilities – and secondly to address them – insurers will need to make extensive use of the broader cybersecurity ecosystem. This is already happening, with over 80% of sales side players (including insurers, brokers and agents) now using third-party technology providers when underwriting cyber risk, especially for risk scanning, according to a recent survey by PartnerRe and Advisen.
How do you primarily use third-party providers in cyber underwriting?
Cyber Insurance – Market View; PartnerRe and Advisen, 2021
The ability to improve individual risks will certainly improve over time as insurance companies, brokers and cyber providers collect more and more data. And standardized cyber policies can be pruned to conform to best risk management practices as they emerge and evolve. But in order for the cyber line to be able to completely overcome its problems, changes are also required at portfolio level.
Unnatural Disasters – Why Cyber Remains a Portfolio Challenge
Cyber comes with the possibility of oversized losses at portfolio level – due to the potential for major cyber attacks to affect many policyholders at the same time. For this reason, cyber insurance companies need access to abundant capital, and it is not surprising that the industry has relied heavily on reinsurance.
This is not a problem in itself, as capital has hardly been scarce for commercial insurance companies in recent years. The problem for cyber reinsurers is not really the volume of capital but rather capital efficiency. We see this if we compare cyber with other big loss lines like NatCat.
Natural disaster reinsurers can write a lot of risk against their capital pool because the chances of that pool being wiped out can be kept low through diversification. This is possible because natural disasters follow predictable annual and seasonal patterns, which means you can create balanced portfolios. Large risk aggregations occur, as different segments of your book take massive hits. But no aggregation is large enough to take down your entire book.
Or in other words: it’s not cat season everywhere at once.
But cyberspace knows no seasons. No matter how much you diversify your customer base – by insuring customers in both hemispheres and across continents – the systemic risk remains significant, with the potential to affect a critical mass of policyholders at the same time. A hurricane in the Gulf of Mexico does not spread to other parts of the world like a virus. Ransomware attacks do that. They are certainly catastrophic, but there is nothing natural about them.
The net result is that reinsurers must hold a disproportionate amount of capital for the cyber risks they write – and so higher rates are required for the line to cover its cost of capital. Higher reinsurance rates lead to higher prices in the primary markets, which in turn means a higher price floor for cyber customers.
In practice, cyber risk – especially the threat of mega-aggregation – is still only somewhat understood. So where capacity has been allocated, it has tended to be somewhat speculative in nature, which explains why the market is dominated by a handful of large reinsurers.
This combination – a small reinsurance pool and a lot of speculation – exposes cyber insurance to serious corrections, as a single player’s whims, such as withdrawing from the line, can significantly affect the total market capacity and thus the market rate. On top of already high prices, volatility will further hamper insurers when it comes to building a stable base of cyber customers – with the potential to stall innovation in the line.
So there we have it: the cyber sales problem. Prices are high for various reasons, some front-end, others back-end – and a variety of front-end and back-end solutions will be required to bring them down, something we will explore in our next post.
Ultimately, market experience will reveal where risk transfer solutions are most at home, as well as how to make them affordable. For this reason, insurers may be better served by a step-by-step approach to cyber risk – to observe at a safe distance without being swept away. Over time, this “unnatural catastrophe” may not seem so unnatural after all. For more information, download our recently released cyber insurance report. If you want to discuss any of the ideas in this series (or report), do not hesitate to contact us.
Disclaimer: This content is provided for general information purposes only and is not intended to be used in place of consultation with our professional advisors.