Cyber Insurance Industry- Disruptions Ahoy !!
The world at risk (c) Suvabrata Sinha

Quick introduction

A couple of weeks back I had the pleasure of attending the Cyber Security Conference, where I got an opportunity to discuss the state of "defensive options" for CIOs and CISOs with a number of professional colleagues. One topic that came up repeatedly was the lack of viable risk-acceptance instruments, such as insurance, of the kind available in other parts of business operations. We discussed a number of options, and I shared some of my non-conventional views on the trends I see in this field. I was immediately challenged to speak or write on the topic, which got me thinking, and this blog is the result.

The objective of this blog is twofold. It gives a quick primer on the challenges of insuring cyber risk, and the reasons why both industry and insurers are struggling to find common ground on policies and "acceptable premia" that work for both parties. I will also gaze into my "personal crystal ball" at the future disruptions that I foresee, and how they will change life for both traditional insurance companies and the industry (better? worse? more complicated?).

Evolution of the insurance industry, and how it is falling apart in the case of cyber insurance

The insurance industry, especially the non-life commercial lines, has grown tremendously over the past hundred years. Every disaster, war and large business disruption has brought greater acceptance and understanding of the value of insurance as a product, and has led to greater penetration and spread of the industry. OECD data shows that in 2017, OECD countries spent 8.9% of their GDP on insurance. The cyber insurance industry is also showing strong growth: a KPMG study described a buoyant cyber insurance market that is expected to reach USD 20 billion in premium by 2025. However, dark clouds loom on the horizon, partly caused by pricing issues and, in a related way, by supply-side challenges. Let's look at some of the key ones.

(a) Insurers are struggling to understand, size and price cyber risk accurately   

Cyber risks have exploded into the commercial insurance industry. The magnitude of incidents, and their monetized impact on firms in terms of lost business, disrupted services, the cost of credit monitoring for affected customers and regulatory fines, is well documented in the media. This is before we consider the civil lawsuits still underway in various courts, which may result in further liability. Unlike catastrophe insurance, most insurance companies (and their clients) lack adequate knowledge, and often adequate data, to model the risks. Even the models that are in place are "young and evolving"; consequently, even for firms with no prior cyber claims, premia may vary widely from year to year as more compromises and larger damages work their way into these "models". In global enterprises, broad cyber incidents do not remain contained in one geography and quickly spread to other dependent players in the supply chain. NotPetya is a good example of how fast the contagion can spread across industries and ecosystems. To complicate matters further, the distinction between the IT/cyber and "physical" parts of the business is fast vanishing as more production assets get connected to the internet and IoT devices gain the capability to "actuate" mechanical parts.

"The UK regulator's stress tests concluded that for some firms, the potential risk of loss from cyber events is comparable to major natural catastrophes in the US"

Regulators are taking notice, concerned about insurers' exposure to cyber risks, the impact on their capital buffers and their ability to withstand large claims. The Bank of England's Prudential Regulation Authority has noted a considerable level of exposure of insurance companies to "non-affirmative" cyber risks. Starting from January 2020, Lloyds will require all first-party policies to state clearly whether cyber risks are "affirmed" (i.e. included) or "excluded" from the policy. Either way, companies should probably expect premium costs to rise.

(b) Firms are struggling to project premium costs and justify it in light of recent adverse experiences

The impact of these developments appears to be continued volatility in the cost of premia for covering cyber risks, a general environment of uncertainty about whether specific event classes are covered, and doubt that claims will be honored should the worst happen. A few firms like Mondelez realized this to their shock when Zurich Insurance rejected their claims for business disruption and losses from NotPetya in 2017, taking refuge in a rare kind of exclusion called a "war exclusion", something rarely invoked outside of damage from actual armed conflict. To my knowledge the legal dispute is still ongoing, but it is easy to imagine the doubt and discomfort of CFOs and Chief Risk Officers when buying the sales pitches of cyber insurance brokerages and insurers, and the attitude that sees cyber insurance as an unavoidable cost to be minimized, as opposed to a valuable risk management tool that is an integral part of the organization's strategy.

What is insurance, really? And where are the disruptors?

An environment of fractured trust, demand-supply imbalance and a growing market size seems to have all the hallmarks of an industry that is ripe for "disruption" by some innovator with the right tools and a high level of risk appetite. The question is, who are the likely contenders? To understand that, we need to look at the most basic elements of insurance from an innovator's point of view, one that ignores history and regulatory tradition.

At its essence, insurance is a contract between many customers (individuals and companies) who want to hedge against a risk (e.g. fire, earthquake, loss of a ship on the high seas) and someone with capital who is willing to bet that such misfortune is unlikely, and that even if it comes to pass, it will not happen to all its paying customers at the same time. Over years of regular receipt of fees (the premium, as much as the market can bear), there will at best be very few occasions when the insurer actually has to pay out. This has historically advantaged insurers with (i) lots of data and insight (e.g. Lloyds with their shipping registry), (ii) lots of capital to withstand shocks, and (iii) a diversified base of insured customers that prevents any single adverse event (e.g. a hurricane) from impacting a large part of their portfolio of policyholders; read that as an intelligent risk appetite.

"Is capital the only value traditional insurance companies bring to the cyber insurance discussion? Is that enough to retain their place at the table?"

Now let's extrapolate this concept to the world of cyber risk. It's clear that, other than an (increasingly stressed) capital base, traditional insurers have no competitive advantage in the world of cyber insurance. Firstly, insurance companies do not have the good-quality, primary, near real-time data of the sort that made Lloyds a legend in marine insurance. They are completely dependent on partnerships with niche technology players like BitSight and FireEye for these insights. Their models are still based on point-in-time "assessments" by professional services firms, which become outdated halfway through the policy term. Secondly, most traditional insurance companies are still developing the models necessary to measure and price these risks, something that regulators like the UK's PRA have already acknowledged. Can we stretch our imagination and think of players who fulfill all three criteria and are better placed to provide cyber risk coverage than the traditional insurance companies? I think there are.

[Image: table comparing the competitive advantages of traditional insurers and other candidate players in cyber insurance]

Admittedly, this table is simplistic and ignores many other players and dimensions of competitive advantage; a detailed analysis of their individual strengths and "stack coverage" could be an article by itself. But the implications are clear. The large technology companies are uniquely positioned to disrupt the cyber insurance market should they choose to step into it. A periodic insurance "premium" covering a range of end-points and services, both for loss of business and for service disruption, billed as an operating cost along with all other cloud/online services, will probably be the easiest way to administer it. This model also has the advantage of scaling the premium up or down depending on the level of consumption of cloud services or the number of activated end-points, instead of paying a block premium to a traditional insurer. It also has the advantage of "disintermediating the brokers" and driving premia down further.

This idea is not as far-fetched as it seems. The insurance industry has already started raising alarms about Amazon's ambitions in insurance, and they are probably right to. Amazon and Apple present existential threats to existing players in health and home insurance, but that's a topic for another day. It's sufficient to say that cyber risk insurance is a field too important to ignore, and the risks are too high for it to be left to "evolve" at its historical pace. It will probably not be long before new players come marching in.

What can the CIOs and Chief Risk Officers look forward to?

In my opinion, CIOs and CROs should expect things to get worse for some time before they get better. Threats and incidents will rise, but premia will rise at a higher rate still, as insurers price in their negative claims experience. Reinsurers will get more discerning about the books they buy, and the capital cushions of insurers will probably come under increasing stress from more outbreaks of global scale. Businesses will have to improve their security posture for the sake of business resiliency, and will have to use every instrument in their arsenal to reduce the cost of insurance coverage. But, as I postulate in this article, disruption in this segment of the insurance industry is inevitable; it's just a matter of when, not if.

Disclaimer, references and citations

 All opinions are personal, and I do NOT have insider knowledge on insurance plans of any of the corporations mentioned in this article.

(1) OECD insurance statistics - https://data.oecd.org/insurance/insurance-spending.htm#indicator-chart

(2) KPMG, Cyber Insurance: How Insurers Can Unlock the Opportunity - https://assets.kpmg/content/dam/kpmg/za/pdf/2017/12/17383MC-cyber-insurance.pdf

(3) Prudential Regulation Authority, Underwriting Cyber Risks - https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/letter/2019/cyber-underwriting-risk-follow-up-survey-results

(4) New York Times, Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong - https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html

(5) Mondaq, Professional Services Firms Beware: Just Because You Haven't Suffered A Data Breach Doesn't Mean You Won't Be Sued - And the Worst Part, There May Not Be Coverage - https://www.mondaq.com/unitedstates/x/575630/Insurance/Professional+Services+Firms+Beware+Just+Because+You+Havent

(6) FireEye, Cyber Risk Insurance Partners - https://www.fireeye.com/partners/strategic-technology-partners/cyber-risk-insurance/cyber-risk-insurance-partners.html

(7) Insurance Business Magazine, Measuring the scale of Amazon's threat to the insurance industry - https://www.insurancebusinessmag.com/us/news/technology/measuring-the-scale-of-amazons-threat-to-the-insurance-industry-116810.aspx

(8) Data Security Council of India, Cyber Insurance in India - https://www.dsci.in/sites/default/files/documents/resource_centre/Cyber%20Insurance%20In%20India.pdf

Prakash VVS

5 years

I think after many issues pertaining to cyber security, it is time for technology companies to take onus and act as an insurer to the clients. This will instill confidence in customers, and it will be great to address issues when you are close to your customer.

Sandeep Kumar Akkimolla Award winning CISO and DPO

Director Cybersecurity and Data Privacy (Global)

5 years

Big companies will have many services and LOBs. Hence brand value and trust are primary business drivers and are supposed to be protected. Hence a small data breach can have a high impact on company brand value and trust. Therefore cyber insurance will not fill the gap; in fact this will take us into a more difficult state.

Sandeep Kumar Akkimolla Award winning CISO and DPO

Director Cybersecurity and Data Privacy (Global)

5 years

Estimating the cost of impacted project hardware, software, SLAs, project delivery, resources spent etc. is very easy, but the challenge is protecting the company's brand value and trust as a high priority. A cyber insurance policy should be good for small or medium entities. I think SMBs and startups require cyber insurance, hence budget is the main concern here compared to brand value.

Cyril VOISIN

EMEA CSO Manager, cybersecurity advisor, M12 startup expert advisor | Cybersecurity, Innovation, Artificial Intelligence

5 years

Interesting point of view. For (b) I attended a cybersecurity event on cyber insurance and it was mentioned that the act of war exclusion was used on a policy that was NOT cyber insurance (hence the reluctance of the insurance company to cover a cyber incident). On the understanding of risk there is obviously more than PCs and cloud (any endpoint can be interesting, hygiene on patch management and identity, on prem posture, etc...) and not only technologies (think processes and people too). Disruption can also happen in other dimensions of the industry.

Nitin Singh

Seasoned CyberSecurity Professional | Leader| Coach | Philanthropist in his own right | Volunteer| Trainer

5 years

Estimating the value and the loss around hardware and software is easy and straightforward. The main area where I see the challenge is "Data" and "Reputation", or the "Impact on the Brand" as a result of the breach. Companies might find it challenging to come to an estimate of the business they are going to lose as part of a breach which compromised a lot of confidential customer data. And when something like this happens, the company's own reputation goes for a toss. Its stock takes a deep hit as well. So, insurance companies need to evaluate all these options before they come to the premium and the sum insured amounts.
