Standard & Poor’s predicts a major jump in demand for cyber insurance in the coming years, with interest initially outstripping supply. U.S. insurers will respond gradually, however, entering the market with caution, allowing for breathing room to develop knowledge and experience about the fast-evolving risk, the rating entity found in a new report.
Insurers remain hesitant to embrace cyber risk quickly because it is “fast moving, impossible to predict, and difficult to understand and model, but change can be immense,” S&P noted.
Another concern: aggregation risk and clash with other policies.
Standard & Poor’s outlined these and other insurance related cyber trends/concerns in its newly-released report: “Looking Before They Leap: U.S. Insurers Dip Their Toes In The Cyber-Risk Pool.”
Specifically, the S&P report says that cyber insurance demand will grow significantly in just the next few years “as management teams utilize both offensive and defensive capabilities,” and perception of cyber risk and its financial costs grows due to increasing media coverage.
What’s more, attacks will increase in both frequency and sophistication as losses grow. Lloyd’s estimates that there are around $400 billion in annual losses due to cyber hackings, only a small number are insured, S&P said.
With that in mind, cyber insurance is gaining more promotion and regulators are encouraging companies to buy it to help manage their risks and minimize the cost of a breach. Cyber breaches can damage an organization’s reputation, and that could also spur the growth of the cyber insurance market. More regulations passed in response to recent hackings should also trigger interest in cyber coverage, according to the report.
“Cyber insurance is a sellers’ market, unlike more developed/traditional business lines,” Standard & Poor’s said.
At the same time, however, insurers aren’t exactly jumping in “with both feet,” Standard & Poor’s explained in its report, noting a number of reasons.
“Due to the changing nature of technology and hacking strategies, insurers don’t have an accurate loss history,” Standard & Poor’s noted in the report. “For example, companies that may have used one software platform might switch to another software and hardware platform that has different network access points and vulnerabilities.”
Standard & Poor’s said that insurers face added challenge with companies increasingly moving “critical IT functions” to third party vendors, a move that leaves companies heavily dependent on those vendors’ information security standards.
“Whereas traditional liability products may use revenue and industry as particularly important drivers of risk assessment, it is much more difficult to determine a company’s ability to defend itself from a very determined hacker” as a result, the Standard & Poor’s report said.
Standard & Poor’s said insurers are wary about aggregation risk, which can happen when a hacker drops a bug into widely used software that ends up hitting many different policyholders. Clash is also at issue – where a cyber attack can affect multiple coverages within a single policy, such as crime, medical malpractice and D&O, according to the report.
As Standard & Poor’s points out, these issues haven’t stopped insurers from exploring cyber coverage. Rather, they have worked to mitigate factors such as aggregation risk and clash by offering line sizes that are relatively small, with around $25,00 for the average small company and as much as $5 million to $25 million for larger companies.
Coverage for large companies can also be stacked to reach higher capacities, Standard & Poor’s said. Also helping: many primary insurers have started offering cyber protection “with substantial support from reinsurance partners,” the ratings entity said.
“There are more than 20 reinsurers currently writing cyber business to some degree and given current soft pricing conditions, the appetite to assume cyber risk might grow,” S&P said. But those same reinsurers are also worried about risks including cyber modeling and aggregation risk, according to the report.
With these risks in mind, S&P said it does expect cyber insurance capacity to increase as experience in the sector grows. But new players will “enter the market prudently,” according to the report, “through low limits, exclusions, and access to reinsurance support.”
Source: Standard & Poor’s