“Cyber-insurance is the Next Big Thing”, the Deputy CISO of a telecoms company stressed earnestly at a recent threat intelligence forum. “Companies in the USA almost all have it. Soon, everyone will realise that they need cyber-insurance”
The market echoes his enthusiasm. This month XL Catlin’s UK operations announced the extension of its casualty insurance offering to include a cyber-solution. It’s available to a range of industry sectors and has a limit of £5 million ($6.7 million). Corvus Holdings has gone a step further and is offering “ongoing IT security scanning and scoring” as part of their new Smart cyber insurance. The policy will create a risk score for each account to assess coverage for “contingent business interruption…social engineering attacks, ransomware, reputational loss and multimedia liability”.
Like many things, dressing up with the prefix ‘cyber’ has given traditional insurance a dusting of glamour. But those riding the bandwagon should be wary of the potholes.
A 2017 Deloitte report on ‘Demystifying Cyber Insurance Coverage’ warned of a market that was “promising” but “problematic”. A year later, and research by Womble Bond Dickinson suggests that that cyber-cover can be a challenging sell and that take-up is “slow”. Cyber-risk can be confusingly spread across multiple coverages and policies lack standardisation. And without clear metrics “particularly smaller companies…still have some way to go in terms of measuring and quantifying their cyber liabilities”, James Tuplin, Head of Cyber & Technology at XL Catlin, explains, adding that “this is preventing many…from transferring the risk to the insurance market”. It’s worth noting that, despite the telecoms CISO’s zeal, only about 55% of Fortune 500 companies have cybersecurity insurance.
Even the insurers are feeling unsure. The dearth of historical data (perpetuated by reluctance of companies to disclose when they’ve been hacked) and the continuing evolution of cyber-attacks, means that underwriting and pricing exposures is a challenge. Insurance companies are racked with aggregation loss insecurity. “If tomorrow a website host…is hacked” worries one “what if they’re unable to service their clients? All those who have their websites on that platform might not be able to do online business while the third-party server is offline”.
So is the hype of cyber-insurance a bubble waiting to burst? Not necessarily. The answer may be strength in numbers: a new trend is seeing insurers couple with security ratings firms to harvest the data they need to create policies. AXA recently announced a partnership with SecurityScorecard to provide their underwriters with risk ratings and insights into their clients’ security posture. This is unlikely to be the last of such cooperatives, with agency Bitsights also publicly making the case for insurers working with security ratings. Service providers could even be insurers’ next potential client pool. When Crowdstrike became one of the first vendors to offer a breach protection warranty, they took out a policy with AIG to protect their own financial risk.
These partnerships could help the “stabilisation of the value of cyber-loss”, as an Allianz board member describes it. And while he doesn’t predict a huge spike in vertical growth, there will be some horizontal growth as previously uninsured businesses start to seek cyber coverage.
Slow and steady, as the saying goes. Cyber-insurance may not end up being the Next Big Thing. But, done right, it could be the next best thing for business.