Cyber-attacks are serious business. In 2017’s NotPetya ransomware attack, Merck, a pharmaceutical giant, lost $870 million; Maersk, the Danish shipping magnate, lost about $300 million; and the British National Health System suffered a loss of about $116 million. Also in 2017, a data breach cost credit bureau Equifax about $4 billion. And in March 2019, Hydro, one of the world’s biggest aluminium producers, switched from automated and digital to manual operations because of a cyber-attack.
Cyber-crimes today pose the same risk as fire or robbery. They can destroy a company and its reputation just as a fire can destroy a building. With the number of cyber-crimes increasing constantly, the question is no longer whether companies will get attacked, but when and how. As organisations try to protect themselves against cyber-attacks, there is significant opportunity for insurance companies.
The cyber-insurance market is relatively new, but it is experiencing exponential growth. PwC estimated the global cyber-insurance market will grow to $7.5 billion by 2020. The U.S. market is most mature, and Europe is trying to catch up. Baloise, a Swiss insurance company, is attempting to offer cyber-risk protection for small to mid-size customers, but its work is still in the early stages.
Cyber-risk is complicated. Given that complexity, insurers face many challenges:
- Lack of historical data and proven models
- Rapidly evolving threats
- Evolving technological landscape
- Complex regulations
- Difficulty obtaining accurate information on the client’s assets and security practices
- Limited capability to quantify cyber-risk
Insurers have an abundance of data on traffic accidents, which is used to calculate risks and draft premiums. That is not the case with cyber-risk. Even if you take data from the past 5 to 10 years, it’s hard to calculate anything because the risks from even a year ago can be completely different from today’s risks.
Another challenge is how to develop the cyber-insurance product. What are you insuring? An application? The reputation of the company? The money that might be stolen? The cost of recovering from a cyber-attack? And how do you evaluate the strengths of the company’s current IT protection?
What about claims? When a client gets hacked, insurers need to find the right way to validate that the damage is covered by the insurance policy. This means the insurance company will need to have the right IT know-how to determine whether the customer did everything to prevent an attack. When the damage is in fact covered, insurers need to figure out a smart way to handle the claim. A balancing act is needed. On one hand, insurers have to improve the customer’s security system and close “the door” used to access the system to prevent future cyber-attacks. On the other hand, this improvement must be as minimal as possible, to avoid a situation where customers start using the insurance to modernise and improve their IT system.
In today’s rapidly changing threat landscape, insurers must understand the cyber-risks, their probability and the ability to mitigate them. Collaborating with IT security experts, who understand these threats, is essential.
Tips on cyber-risk insurance
- Insurers should try to handle insurance premiums for cyber-risk with the security expertise they already use to protect their own company. Then they should invest in improving their IT systems.
- Hire people with strong digital skills, who understand cyber-threats and can draft premiums. Insurance companies will need a team that can assess potential customers regarding their current cyber-risk exposure. Due to the constant changes in cyber-threats, it might even be necessary to re-evaluate this risk exposure at regular intervals (e.g., when a policy is up for renewal) to ensure that premiums are calculated correctly in line with the covered risk.
- Fast response is a must. A team must respond as soon as an attack happens, so as to assess and contain the damage. And it needs to have sufficient capabilities to respond to multiple attacks at once, since it is likely that a major cyber-attack will affect multiple customers at the same time. So, scalability of the response force is very important.
- Cyber-risk insurance is complex, but insurers can partner with IT companies to make things easier. IT companies have operation centres working 24×7 and can help detect problems and potential attacks in any part of the world at any time. They also already have the right people to respond to cyber-attacks, as providing forensic and remediation services is part of their existing business model. So, the question is: Do insurers want to build or buy this digital team?
Use the market potential
In a time when there is market saturation in the insurance industry, identifying emerging trends is key to survival. Insurers that dive deep and understand the complexity of cyber-insurance will be in a position to develop it into a profitable and sustainable line of business.