Headline-generating attacks show that cyber threats are becoming more sophisticated and aggressive. However, no organisation can be 100% secure. In this context, many organisations have come to the realisation that a cyber-attack or breach is inevitable; it's not a question of ‘if’ it happens, but ‘when’.
Over the past couple of years, I have shared various insights on cyber threats and how Boards should prioritise cyber threats on their executive agendas.
By developing a sound cyber risk management approach, organisations can implement a number of risk measures to keep cyber risks at an acceptable level. Furthermore, the ever-evolving cyber risk landscape is driving interest in cyber insurance as a complementary way for organisations to transfer some of the risks associated with cyber incidents to their insurance provider.
Businesses across all sectors are beginning to recognise the importance of cyber insurance in today’s increasingly complex and high-risk digital landscape. In turn, many insurers and reinsurers are looking to take advantage of this offering, as they see a rare opportunity to secure high margins in an otherwise soft market. Yet many others are still wary of cyber risks. How long can they remain on the sidelines?
Cyber insurance is a potentially huge, but still largely untapped, opportunity for insurers and reinsurers. Cyber insurance could soon become a necessity, and insurers that are unwilling to embrace it risk losing out on other business if cyber coverage does not form part of their offering. It is estimated that annual gross written premiums for cyber insurance are set to grow from around $2.5 billion today to $7.5 billion by the end of the decade.
With the threats constantly shifting and little historic data to rely on, many insurers are wary of raising their cyber cover limits. Yet the market won’t achieve its growth potential unless insurers are prepared to offer increased protection for their clients. And it isn’t just higher limits that businesses want, but also the ability to protect their reputation by preventing attacks and, failing that, mitigating any damage.
The challenge for insurers and reinsurers is to develop risk evaluation, risk pricing and risk transfer structures and capabilities to put cyber insurance on a sustainable footing.
Part of the challenge is that cyber risk isn’t like any other risk insurers and reinsurers have ever had to underwrite. There is limited publicly available data on the scale and financial impact of attacks. The difficulties created by the minimal data are heightened by the speed with which the threats are evolving and proliferating.
While underwriters can estimate the likely cost of systems remediation with reasonable certainty, there simply isn’t enough historical data to gauge losses resulting from brand impairment or compensation to customers, suppliers or other stakeholders.
Insurers and reinsurers are charging high prices for cyber insurance relative to other types of liability coverage to cushion some of this uncertainty. They are also seeking to put a ceiling on their potential losses through restrictive limits, exclusions and conditions. However, many clients are starting to question the real value that these cyber policies offer, and their relevance to their business coverage.
Rather than simply relying on blanket policy restrictions to control exposures, insurers and reinsurers should make coverage conditional on regular risk assessments of the organisation’s operations and on the actions it takes in response to the issues identified in these exercises.
The depth of the assessment would reflect the risks within the client’s industry sector and enable insurers and reinsurers to define coverage limits based on a quantification of cyber risk that demonstrates the marginal financial and potential reputational benefit of additional investment in cyber security.
Reinsurers, insurers and independent professional firms specialised in cybersecurity and privacy are today working together to craft cyber insurance products with relevant risk evaluation models, built around reliable data and effective scenario analysis. This implies that insurers need to work closely with their clients and professional firms to identify their crown jewels and protect what matters most. This typically includes an assessment of how the client identifies, prevents, detects, responds to and recovers from cyber incidents.
In Mauritius, cyber insurance as a product is yet to find its place amongst the various other insurance products available in the local market. Boards are realising the need for safeguards against the most damaging cyber-attacks. Today, striking the right balance between organisations, reinsurance and insurance providers is pivotal to growing cyber insurance and building confidence in a client’s business.
Looking further ahead, the market will eventually reach the maturity needed to price more accurately and hence reduce the need for a premium cushion. The key questions are how long this will take and whether it could be accelerated. If the industry takes too long, there is a risk that a disruptor could move in and corner the market by aggressively cutting prices or offering much more favourable terms.
Partner, PwC Mauritius
Tel: +230 404 5015