While insurance against cyber risk represents a tremendous new business for the insurance industry, numerous problems with the insurability currently impede the development of the market,” according to a new report published by the Geneva Association.
The report, titled “Ten Key Questions on Cyber Risk and Cyber Risk Insurance,” said the main insurability problems are “the lack of data, risk of change, accumulation risk, loss sizes, availability of risk capital, and potential moral hazard problems.”
“[A]necdotally it is not only the challenge of insurability but also the demand for products that is hampering the market’s development,” said Anna Maria D’Hulster, secretary general of the Geneva Association, the Zurich-based insurance think tank.
“Either way, the successful development of a cyber risk insurance market is an important goal for the further development of society,” she commented.
In a discussion of cyber risks’ insurability problems, the report said, losses are difficult to measure because of a lack of data. “Moreover, even if there are data available, it is questionable whether or not historical data are a meaningful indicator for the future, due to the dynamic nature of cyber risks and thus the risk of change,” the report continued.
Adverse Selection and Moral Hazard
Another significant problem in cyber insurance is “information asymmetry,” as a result of adverse selection and moral hazard.
The report explained that companies that have experienced a serious cyber attack are more likely to buy insurance, which results in adverse selection.
“The insurers in the market try to alleviate adverse selection effects by screening (e.g. up-front audits), self-selection (e.g. questionnaires in the underwriting process), and signaling (e.g. certificates for IT-compliance),” the report explained.
Further, moral hazard occurs when there is a change of behavior after purchasing insurance. “One example is the insured’s lack of incentive to invest in self-protection measures … if full coverage is offered,” the report added.
While insurers use instruments such as screening (e.g. audit) and risk sharing (e.g. deductibles, cover limits) to reduce moral hazard, the GA report said, information asymmetries still pose a significant problem for the insurability of cyber risks.
“For instance, because of complex interrelations in modern IT systems, firms might be vulnerable to cyber risk even though they have invested in self-protection. Thus, the benefit of self-protection investments in one company highly depends on the investments in other, connected firms,” the report explained.
Coverage Limits, Exclusions
The development of a cyber insurance market is also being hindered by coverage limits, the report said, noting that policies tend to cover only limited maximum losses (US$10 to $500 million) and contain several exclusions, including those for self-inflicted losses, accessing unsecure websites, or terrorism.
Therefore, extreme scenarios – also known as “Cybergeddon” – cannot be covered well by existing insurance policies, the report emphasized. “Additionally, there might be indirect effects of cyber losses that cannot be measured and thus are not covered (e.g. reputational losses and their impact on stock prices).”
Policy complexity is another problematic aspect of coverage limits, GA continued. “Given the large number of exclusions and the dynamic nature of cyber risk, there is uncertainty about what the cyber policy actually covers. Worse yet, the policies in the market have no agreed-upon terminology, which makes the offerings very difficult to compare,” the report explained.
“While the cyber insurance market is currently in its early stages, as market development continues, the risk pools will become larger and more data will be available,” it said, noting that several new competitors have entered the market and more are planning to do so, which will increase insurance capacity, competition and push prices down.
“Additionally, it will lead to a more uniform terminology and standardization of products.”
Industry Standards
The report suggested that the industry should establish standards with regard to definitions, coverages and pre-coverage risk assessment, all of which will help to reduce some of the problems of insuring cyber risk.
In a section that asks what the insurance industry can do to prevent cyber risks and to support cyber insurance, the report suggested several remedies, including:
- The insurance industry should work together globally with other stakeholders in order to develop standards, common language, and good practices.
- The industry should establish anonymized data pools and develop re/insurance pools.
- Insurers should conduct scenario analysis, track technological development (cloud computing, Internet of Things, blockchain technology etc.), improve their own analytical skills, make their own IT more resilient, revise existing policies and develop new ones.
Governments’ Role
In a section covering the role of government in preventing cyber risks and supporting the growth of cyber insurance, the report suggested:
- Prevention: Tackle cyber crime by international collaboration, initiate global dialogues and conventions aimed at confining cyber wars, boost IT landscape resilience, support development of cyber databases and introduce reporting requirements and minimum standards for risk mitigation.
- Market development: Establish public-private partnership with government as insurer of last resort (governmental backstop for extreme scenarios); support the development of an anonymized data pool, and facilitate the development of traditional and alternative risk transfer mechanisms.
Report Methodology
The report compiles and analyses a database of 211 of the most significant industry reports and academic papers on cyber risk and cyber risk insurance.
Source: Geneva Association
*This story appeared previously in our sister publication Insurance Journal.