Cyber insurance- questions without many answers

image

TLDR When we last met it was agreed that cyber risk and cyber insurance are under-emphasized concepts in the SME insurance and InsurTech worlds, and discussion was had on the ‘underground’ nature of cyber attacks and associated non-publicity of cyber events.

It’s Ok to raise awareness and prompt discussion (and there was much of that after the article was posted), but does that move the issue forward in a practical way? 

If a penetration test identifies vulnerabilities, what then?  If the owner of an SME wants to protect her firm from potential actions of a rogue employee, the next step after installing solid tech is…?  And when you call your broker and ask for the most comprehensive cyber cover, what will his answer be and how can you know if it’s the correct answer?

After the 6/14 Daily Fintech  article posted I received an inquiry from Jay Weintraub  of InsureTech Connect ;  he posed two pretty good points/questions:

  • The big question regarding insurance and cyber is not, “are we focused enough around this space”, but is, “what happens if insurance gets it wrong?”
    • “A cyber security disaster could be the next major ‘hurricane’, but unlike a hurricane which you can somewhat see coming to a single geography, a cyber breach is the equivalent of 1000 earthquakes happening simultaneously in places that don’t have fault lines- it’s a beast you can’t see coming, with unknown reach, so its imperative that we identify ways to mitigate the effects of that risk.”
  • A role of insurance is to help businesses when there is risk- that includes cyber security.
    • “Insuretechs and incumbents are well-positioned to help, but in the rush to protect businesses, they have to make sure they are not setting themselves up for catastrophic failure in the future. Cyber is simply too new and in some respects the factors that contribute to the losses are so varied that the legitimate question is, “have they modeled this correctly?” As of now the answer is that we don’t yet know.”

It could be said cyber insurance carriers don’t know enough to ask what we don’t know- the risks are new, evolving daily, and the direct and indirect costs of cyber events are being defined as you read this article.  Predicting the costs of risk hinges on adequate pools of data- experiential, financial, valuation, etc.; however, what is really known of cyber risk data?  The biggest consumers of cyber risk data seemingly are the companies whose primary role is protecting consumers/businesses from risk- virus protection companies like Symantec, McAfee, Webroot, or Kaspersky (among other peer companies), but are those companies proxies for cyber insurance?  Not so much- read the user license agreement and see what lengths those firms go to (or don’t) to provide post-cyber occurrence indemnification.  Symantec has taken some steps towards insurance through partnering directly with the data analytics firm CyberCube that serves as a SaaS platform for insurers and underwriters, but not as insurer.

If the risk detection/protection firms haven’t branched into cyber cover, why not?  Yes, it’s a different sort of distribution needed, and more breadth of coverage, but if demand is there from customers, does the InsurTech world not see opportunity in cyber?  AM Best reports that U.S. cyber insurance premiums have grown aggressively in the past few years- $2 billion in 2018 from a level of $ 996 million in 2015.  50% growth and billions in premiums.  The rating firm also notes that the number of claims grew to 10 million in 2018.  That’s a lot of customer needs.  Money and customers- opportunity, for InsurTech and unfortunately for the bad guys.

The answers aren’t clear but some of the points to consider are:

  • Cyber cover includes preparation (know the risk), prevention (antivirus, penetration tests, training), response, and repairs
  • Availability- there are larger carriers who have products for those who are interested, e.g., Chubb, AXA and AIG. Are these carriers accessible to SMEs?
  • There are many SMEs who see the typical business owner’s policy as sufficient, or choose to consider minimal liability cover as being adequate.
  • There’s not much public awareness of cyber occurrences- many who experience an event keep the trouble quiet. There needs to be more focus on the issue such as in Australia, where reporting an occurrence is mandatory.
  • The pool of available data is shallow, inhibiting the effectiveness of risk rating, suggesting premiums will be set higher to manage the carrier’s incomplete knowledge of the risk.
  • Large cyber occurrences are analogous to more traditional catastrophes- except they will cross far more regulated jurisdictions.
  • Cyber risk crosses the line of data security, and will have collateral effects with laws/regs like GDPR and HIPPA.
  • Cyber cover can accommodate products from parametric, indemnity, and reinsurance covers- response, repair, and cat.
  • Is cyber an opportunity area for virtual IoT-based insurance? Cyber monitoring as severity managers?

Those are just some of the thoughts that came to mind- much smarter persons have already considered these and others, which makes it surprising that cyber insurance is not more mainstream.

A parting thought for an article that raised way more questions than it answered- what of a person’s or company’s reputation, or brand in the wake of a cyber event?  Is that a recoverable risk?

I reached out to Ben Baker, a personal brand expert, marketing consultant, and radio host for cyber crime/risk perspective.

“Let’s not kid ourselves,” replied Ben, “cyber-crime, whether it is extortion or malicious attack, is a brand problem. Not only is the reputation of the attacked company at stake, but there is added potential harm if it affects the vendors and clients of the business attacked.

The gut reaction by vendors or clients is probably not, “how horrible is it that you were attacked” but rather, “how could you as a brand be so careless with my information?”  Cybercrime, when disclosed, can lead to huge trust issues in the attacked brand mishandled, and unfortunately, most companies do mishandle communicating through a crisis. “

Ben’s words suggest the cyber insurance discussion comes full circle, not only does a lack of urgency/information inhibit acquisition of cyber cover, but it ultimately can affect parts of an SMEs business that may be unrecoverable- reputation.

Patrick Kelahan is a CX, engineering & insurance professional, working with Insurers, Attorneys & Owners. He also serves the insurance and Fintech world as the ‘Insurance Elephant’.

I have no positions or commercial relationships with the companies or people mentioned. I am not receiving compensation for this post.

Subscribe by email to join the other Fintech leaders who read our research daily to stay ahead of the curve. Check out our advisory services (how we pay for this free original research).