What is insurable risk? That’s the key question being explored by the international insurance industry think tank, the Geneva Association, in a new report on the cyber insurance market.
There are many challenges to insuring cyber risk, the report states, “especially due to a lack of data and modelling approaches, the risk of change, and incalculable accumulation risks.” Additional challenges to insuring cyber risk include information asymmetry, resulting in adverse selection and moral hazards, and coverage limits in the market.
According to a recent CyberScoop article, a lack of actuarial data could have profound consequences after Fitch’s recent warning that it will downgrade credit ratings of “insurance companies that write standalone cyber policies too aggressively, because of the high uncertainty this line of business contains.”
Fortunately, the future is looking bright for the cyber market in the insurance industry and governments have many opportunities to promote it. As the market grows, risk pools become larger and more data will become available. Additionally, increased capacity and more competition will inevitably push prices down and result in more uniform terminology, standardization and pre-coverage risk assessment. The report also recommended that industry and governments collaborate on public-private partnerships when collecting data for cyber incident repositories. Lastly, many experts believe that pre-coverage screening and reporting requirements could alleviate adverse selection effects.
Deputy Secretary General of the Geneva Association and editor of the report, Dr. Fabian Sommerrock, commented, “We are very pleased to publish this report which provides an insight into the current level of understanding about cyber risk and cyber risk insurance … This report has been provided to increase understanding of the risk and support the insurance industry’s role in mitigating and managing it for the benefit of individuals, institutions and governments alike.”
The NAIC’s cybersecurity task force released its third and final draft of the NAIC cybersecurity model law in August, in the hope that it would be considered for approval. However, “stakeholder feedback made it clear that additional work needed to be done to reach consensus on the draft,” according to Rhode Island Superintendent of Banking and Insurance Elizabeth Dwyer, a member of the task force.
With General John Kelly appointed as Secretary of Homeland Security, Trump’s administration promises to put border security as its top priority. This means that other priorities, especially cybersecurity, could take a back seat at DHS. Current Secretary Jeh Johnson warns the new administration against losing focus on cybersecurity and calls for it to continue as “a top priority on a bipartisan basis.”
Cyence, an economic risk modeling platform for cyber risk, debuted its product last September and has since received much attention in the insurance industry. Carrier Management Editor Mark Hollmer had the opportunity to sit down with Cyence Co-Founder and CEO Arvind Parthasarathi to discuss how their cyber analytics platform will allow the insurance industry to look at cyber risk in an entirely new way – in “dollars and probabilities.”
With cybercrime only increasing and traditional network security premiums becoming obsolete, the cyber insurance market is a huge, untapped opportunity for insurers and reinsurers. Mandatory legislation on cybersecurity in several U.S. states has led to more mature and better cyber liability insurance policies. PwC forecasts that annual gross premiums will increase from $2.5 billion in 2015 to $14 billion by 2022.
The Presidential Commission on Enhancing National Cybersecurity issued a 100-page report with 16 urgent recommendations on ways that President-elect Trump can improve the nation’s cybersecurity, particularly in his first 100 days in office. Main points include creating a cyber nutritional label to help consumers shop wisely and establishing an international cybersecurity ambassador.
Blockchain offers a secure approach to storing sensitive information and performing functions, suitable for exposed environments that demand high cybersecurity. Its sequential hashing, cryptography and decentralized structure, all of which took decades of research and refinement, make it virtually impossible for any outside party to “unilaterally alter data on the ledger.” Bitcoin was the first application of blockchain, launching in 2009.
The National Institute of Standards and Technology (NIST) has released a set of guidelines “aimed at helping researchers better understand the Internet of Things (IoT) and its security challenges.”
Inside the beltway and around the nation this week there has been zero escape from prognostications on what a Trump administration means for every issue imaginable. So, we’ll pile on…what about cyber? Well, we, at The Council, expect cybersecurity to be a significant issue. That statement seems obvious but the Republican platform actually includes a section advocating for “a free market for cyber insurance and makes clear that users have a self-defense right to deal with hackers as they see fit.” While the latter part has many nervous, we could see cybersecurity (and insurance) garner more oxygen than expected in the first 100 days (especially given the highly publicized hackings ahead of the election). On the surface, the President-elect’s cybersecurity stance doesn’t seem to vary much from President Obama’s policies. However, his pro-national security and law enforcement approach to cybersecurity is different and Trump will have to delicately balance between business interests and national security.
As we look to our parochial areas of interest, we are well positioned to effectively represent Council members as things heat up on the Hill in 2017. Sen. John Thune is a major cyber player as chairman of the Senate Commerce Committee and we look forward to continuing to work with him on issues stemming from critical infrastructure cybersecurity. The Council supports a single standard for breach notification, and we believe good legislative opportunities will develop there. Lots to unfold so stay tuned. We will skip next week because of the holiday but will be back after. On behalf of The Council, we wish everyone a wonderful Thanksgiving.
For years the insurance industry has invested in incentive programs to help reduce risk and prevent claims. For example, health insurers may lower premiums to encourage good lifestyle choices just as carriers may offer discounts when homeowners install smoke detectors and security systems. A recent Information-Management article explains that these incentives are a win-win for policyholders, who can invest their saved money in a safer home or healthier lifestyle, and for the insurance company, due to a reduction in claims. If discount incentives are proven to reduce risk, theoretically an organization with the latest cybersecurity technologies and proper cybersecurity policies will claim less after a cyber-attack or data breach.
Although the cyber insurance market is beginning to gain traction, the industry is still young and many organizations are not taking cyber-threats seriously, despite brokers’ encouragement to purchase cyber insurance as a stand-alone policy. While a cybersecurity incentive policy would theoretically reduce cyber-risk, there are several reasons why carriers have been slow to adopt such policies. For one, cyber insurance is not regulated the same way auto and home insurance are – policies vary drastically and prices are not standardized. Additionally, an organization with the best cybersecurity is still susceptible to a breach due to employee negligence. How can one guarantee an organization is keeping up with best cybersecurity practices? Nonetheless, as the market matures, discount incentives could serve as a motivation to purchase a cyber policy as well as increase an organization’s cybersecurity posture on the front-end.