Ciara Izuchukwu explores how recent world events have impacted and accelerated the hardening of the cyber insurance market
The internet is an integral part of any business, regardless of the industry you operate in. The shift to a virtual work environment for many people, and the rise in value that data can hold for its users, have forced companies to revisit their management of this increasing source of risk. There is no such thing as ‘fully secure’ in cyberspace, so companies are having to navigate the controls they have in place to mitigate and protect themselves from a cyber-incident.
Cyber risk is a complex problem for actuaries to help clients manage. It has innumerable causes and is tough to define, and there is often no single right answer. However, this does not mean it can’t be modelled and managed profitably by insurers and reinsurers. According to MarketsandMarkets, the cyber insurance sector is projected to grow from US$7.8bn in 2020 to US$20.4bn by 2025, with an annual growth rate of 21.2%. Typically, cyber insurance covers a company’s liability for a data breach involving sensitive customer information, such as social security numbers, credit card numbers, account numbers, driver’s licence numbers and health records.
As in any new insurance market, there have been teething issues. Insurers and policyholders must adjust to the constantly evolving dynamics and increasing range of cyber threats. Not only has the price of coverage surged, but the cyber insurance business model is rapidly evolving, too. Given the rise in ransomware attacks, the cost of data breaches and the constantly shifting regulatory landscape, some security experts are concerned about the sustainability of the cyber insurance market. Reinsurance of cyber insurance mitigates this by distributing the risk among several insurers and increasing the overall coverage pool.
The pandemic and the rapid shift to virtual working increased both the frequency of cyber claims and their amounts. This is apparent in the fact that 47% of individuals fall for a phishing scam while working from home. Cyber attackers saw the pandemic as an opportunity to step up their activities by exploiting the vulnerability of home workers and capitalising on people’s interest in news about COVID-19, for example by using malicious fake pandemic-related websites.
Political uncertainty serves as a hotbed for increased cybercrimes and, unsurprisingly, cyberattacks on businesses and government agencies have increased since the Russian invasion of Ukraine. This will be of concern to policyholders and insurers due to the increased risk of ‘spill-over’ cyberattacks.
One notorious Russian cyberattack was the NotPetya attack against the Ukrainian government in June 2017, delivered through a mock ransomware virus. This wiped data from computers belonging to banks, energy firms, senior government officials and an airport, affecting computer systems across the globe and costing billions in damages.
Cyber insurance is a key risk management tool. However, as the industry and the attacks evolve, insurance companies must take another look at the scope of the cover they offer and the terms and conditions they give to policyholders. Insurers now incur significant legal costs in clarifying cyber-policy phrasing and addressing ‘silent cyber’ issues through wording that explicitly includes or excludes certain cyber events. Traditional ‘acts of war’ exclusion clauses are drawing scrutiny due to spill-over effects from cyberattacks, so insurance companies need to look at cyber risks in a new way if they are to continue to meet the needs of the policyholder while offering a realistic product that meets minimum profit requirements.
Governments and regulators know that this area needs greater resources and effort allocated to it in order to manage the risks that companies are exposed to.
In late 2021, the UK’s National Cyber Security Centre and Financial Conduct Authority told large organisations to bolster their cyber defences, and in Europe the European Central Bank asked banks to strengthen their ‘cyber hygiene’.
Cyber insurance is still in its early days, and enterprises will require different coverage to what they have had in the past. As demand grows, rising premiums are forcing companies to implement better cyber hygiene; by itself, insurance is not a suitable or sustainable mitigation for cyber risk.
Ciara Izuchukwu is student editor