However, for the cyber insurance market to become truly sustainable, an influx of capacity is sorely needed

By Editor Katie Scott

According to the Bank of England’s Systemic risk survey for 2022’s H2, published in October 2022, cyber attacks remain the most cited risk to the UK financial system across the 65 respondents that participated in the biannual survey.

More than half (56%) of these respondents identified a cyber attack as the most challenging systemic risk to manage within their firm if it were to occur, second only to inflation (61%). Over a third (37%) of respondents felt that a cyber attack was the systemic risk most likely to take place.

Katie Scott_bw_path

Katie Scott

When respondents were asked which systemic risk would have the greatest impact on the UK financial system if it were to materialise, 74% said a cyber attack – putting this risk in pole position.

These figures show that UK companies are increasingly nervous about the threat of cyber attacks, meaning that the sustainability and development of the cyber insurance market is vital if organisational demands are to be met.

However, demand is worryingly outpacing supply, according to speakers at credit rating agency S&P Global Rating’s virtual Cyber risk seminar, held on 26 October 2022.

Manuel Adam, associate director of insurance ratings at S&P Global Ratings, explained that “the biggest risk to the sustainable development of the cyber insurance market is that capacity remains constrained”.

He said: “The cyber insurance market remains the fastest growing subsector of the insurance industry.

“The demand for cyber insurance remains on a very high level and the supply is not matching the high demand as capacity from reinsurers and the capital market, for example in the form of insurance-linked securities, is still lacking.”

This is despite the fact that S&P Global Ratings is “observing new insurers and new MGAs entering the market, having innovative and data driven approaches in underwriting cyber risks”.

Continuing to set the scene for virtual attendees, Adam noted that in order to “sustain long-term profitability”, many cyber insurers “have restructured their cyber insurance offerings by not only increasing rates, but also cautiously expanding in this area and concentrating on risk selection and differentiation as well as policy terms”.

He felt this has particularly been the case in the past two years as the “pandemic years were characterised by high ransomware claims”.

“Some insurers even reduced or cut payout limits, especially where contracts included business interruption or ransomware components,” he added.

Adam believes the sustainability of the cyber insurance market rests on more closely linking underwriting with cyber security risk management.

He explained: “It is more important than ever that the insurance industry focuses on strong underwriting that could lead to incorporating more security standards and linking improvements in customer security levels to pricing consideration for businesses, to reward policyholders with better cyber security risk management, where a lower frequency and severity of cyber claims is expected.

“Cyber insurance is only one element of cyber risk management and will never be able to remove cyber risks entirely and is no replacement for good security practices.

“But, cyber insurance can be one important pillar of a comprehensive cyber security management framework and could be an opportunity for the insurance industry to position itself as a problem solver.”

Challenges to consider

The cyber insurance market continues to be a challenging one, despite the fact it has “grown quite significantly in the last three years”, noted fellow seminar panellist Sharon Haran, vice-president for Europe at downtime insurance provider Parametrix Insurance.

For example, Haran observed rate increases for this line of business of 100% last year, while 2022’s rate rises are currently sitting around the 30% to 40% mark, he said.

Although this uptick may be unpopular with customers and impact product penetration across UK businesses, Haran added that these rate increases do “make a lot of sense” because it reflects the true nature of cyber risks today.

Adam again flagged the role of risk management here. He noted: “There are some signs recently that the cyber insurance market premium development is beginning to settle as potential policyholders understand the growing importance of programmes of cyber risk management. This gets reflected in the insurers’ underwriting.”

An increasingly prominent risk within the cyber insurance market that can fall outside the control of cyber insureds, however, is the failure of third party supplier systems, especially those that are cloud-based, continued Haran.

He added that these incidents could be “far reaching”, particularly as “robust” cloud architecture was often “costly” to implement.

Adam, meanwhile, highlighted the unique position insurers occupy when it comes to cyber insurance and cyber attacks. He said that typically, organisations that use a lot of personal data are often targeted by hackers, meaning that cyber insurers themselves face operational risks as potential victims of cyber attacks.

Furthermore, cyber attacks are not constrained by the same geographical boundaries that rule natural disasters, so losses can escalate rapidly and reach lofty heights, he added.

Improving market sustainability

Alongside tying cyber insurance and risk management more closely together, both Adam and Haran had suggestions on how the sustainability of the cyber insurance market could be improved.

Adam emphasised the importance of insurers being able to tap into a specific ecosystem of both internal and external experts, to support the management and underwriting of cyber risks.

Haran agreed, confirming that the insurance and technology sectors must work closer together and collaborate because an integrated approach is the only long-term solution, in his opinion.

He added that there is a distinct lack of awareness around cyber insurance outside of the US that needs to be addressed with education. Plus, he feels that cyber insurance needs to be simplified because it can currently be difficult to understand.

Haran pointed to parametric products that clearly define claims settlements as a possible option here.

Cyber insurance is clearly an area of opportunity for brokers and insurers – these risks are not going anywhere, meaning demand for this product is only going to increase as customer awareness over the cost of cyber attacks improves.

However, the fact that cyber attacks are still evolving does indicate that insurers and brokers have to stay on their toes if they wish to keep ahead of impending threats and advise on successful risk management approaches. Brokers’ role as risk managers here is also important because it can help drive down costs for their clients - this is especially important during the current cost of living crisis.

There’s certainly more work for the industry to do around cyber insurance.

Are there new types of cyber attacks the industry needs to be aware of?

Speaking on an earlier panel during the seminar event, Paul Alvarez, cyber risk expert at S&P Global Ratings, noted that double extortion is becoming more common.

This is where cyber criminals ask for money, the targeted firm refuses, so the criminals then threaten to publish stolen information unless they receive the stated ransom.

Martin Whitworth, another of S&P Global Ratings’ cyber risk experts, added that misinformation was also increasingly being used as

cyber attack (5)

part of “blended” cyber attacks, to distract potential victims with incorrect information.

Insurers may be targets for cyber attacks, but what about brokers?

Anna Loshkareva, senior vice-president of advance cyber defence at professional services company Booz Allen Hamilton, explained that although manufacturing and healthcare firms remain the primary targets of cyber attacks, firms going through M&A could also present a ripe opportunity for cyber criminals.

This is because during the M&A process, employees may be under increased pressure to complete not only their usual workload, but additional tasks related to the upcoming merger – especially if the firms want to hit a specific time frame or ensure the deal gets over the line.

With broker consolidation and M&A being so rife in the broker market of late, this is where brokers – in particular – may have to be more watchful around the threat of cyber attacks.