Amid profitability and growth potential, cyber insurers are facing new risk exposures — and not just from hackers.
Warren Buffett, chairman of Berkshire Hathaway, Inc., keeps cyber insurance to a minimum in his company’s book of business. “I don’t think we or anybody else really knows what they’re doing when writing cyber [insurance],” Buffett said during the company’s annual meeting in May.1 He forecasts that every year offers a two percent chance of a super catastrophe costing $400 billion or more in insured losses, and cyberrisk is a contributing factor to this estimate.
Evan Greenberg, the CEO of Chubb Ltd., sees cyber insurance quite differently.2 Last year, his company surpassed American Insurance Group, Inc., in overall direct written premium to become the nation’s largest writer of cyber insurance.3
For the estimated 170 insurers that offer cyber insurance, accepting the risk has generally appeared worthwhile. “Cyber insurance, to date, has been reasonably profitable,” says Gerry Glombicki, a cyber insurance analyst with Fitch Ratings. Further, in 2017, direct written premium and policy counts grew, while loss expenses and premium prices declined.
While cyberrisk and the possibility of a “cybergeddon” always loom large among insurers and their policyholders, carriers are facing growing exposures beyond criminal activity. These include the growth of “silent” cyberrisk affecting traditional insurers, inadequately priced contingent business interruption (BI) coverage, and new laws and regulations. At the same time, there are more tools available than ever to help insurers with everything from underwriting to aggregation modeling.
The Market
Cyber stand-alone and package direct written premiums combined rose 37 percent to $1.9 billion from 2016 to 2017, according to “U.S. Cyber Insurance Market Share and Performance,” released by Fitch Ratings in May 2018. The report is based on the 2017 data reported to the National Association of Insurance Commissioners (NAIC) in the “Cybersecurity and Identity Theft Insurance Coverage” supplement to the Annual Statement.
The cyber insurance line was also quite profitable in 2017. Aon Benfield (Aon) estimates the combined ratio at 61.4 percent, with a direct incurred industry loss ratio of 32.4 percent and an expense ratio of 29.0 percent, according to its July 2018 report, “US Cyber Market Update.”
While cyberrisk and the possibility of a “cybergeddon” always loom large among insurers and their policyholders, carriers are facing growing exposures beyond criminal activity.
Despite its current profitability, cyber insurance requires a cautious approach, warns Alex Krutov, president of Navigation Advisors, LLC. “Cyberrisk has a significant catastrophic component that may not yet have shown itself, making cyber insurance appear more profitable than it actually is,” he observes.
For now, the results are favorable. Also, using the NAIC supplement, Aon reports declines in frequency and severity from 2016 to 2017. The major cause of the loss ratio decline was a 37.6 percent drop in claim severity, according to the brokerage firm, which calculates the cost per claim as having fallen from $90,865 in 2016 to $56,688 in 2017. Jon Laux, Aon’s head of cyber analytics, says that there are a couple ways to consider claims frequency. When looking at raw numbers, insurers collectively saw total claim counts rise 55 percent to 9,224 in 2017, up from 5,952 in 2016. However, because insurers’ total number of policies went up 67 percent to 3.46 million in 2017 from 2.07 million the prior year, insurers saw their frequency rate decline by 7.4 percent on a per policy basis.
Headline-making cyberattacks reveal how criminal behavior and attack targets are changing, driving customers to seek more expansive coverage. The WannaCry ransomware attack shut down about 400,000 computers worldwide last year … The NotPetya attack … led to significant losses for … Merck & Co. and FedEx.
There was also an 18.3 percent drop in premium per policy from 2016 to 2017, Aon reports, noting that the decrease was not due to rate changes but to outsized growth in package cyber policies, which generally cater to small businesses and have lower average premiums.
Meanwhile, the nation’s largest cyber insurers, ranked by direct market share, are Chubb Limited (17 percent), American International Group, Inc. (12 percent), and XL Group Ltd. (10 percent), Fitch reports. A.M. Best’s May 2018 report, “Cyber Insurance Market Sees Steady Growth but Still Awaiting a Real Growth Spurt,” indicates a similar ranking, though stand-alone and packaged policies are developing differently. (See “Stand-alone vs. Packaged Cyber Coverage.”)
Risky Business
Cyber insurance grows and develops in a continual state of flux. “Cyberrisk is not only growing in magnitude but is changing and evolving, and these changes shift risk exposures and create new ones,” says Krutov, who started the Casualty Actuarial Society’s Cyber Risk Task Force four years ago.
The longstanding cyberrisk is still quite disconcerting as well. “The old risks do not necessarily go away, but they might be shifting in terms of prominence,” says Ben Goodman, president of 4A Security & Compliance, which offers a cyber analytics platform and cyberrisk management services to insurance carriers and their customers.
And of course, there are the new risks. Headline-making cyberattacks reveal how criminal behavior and attack targets are changing, driving customers to seek more expansive coverage. The WannaCry ransomware attack shut down about 400,000 computers worldwide last year, affecting the operations of hospitals, auto manufacturers, government agencies and other organizations around the world.4 The NotPetya attack, designed to disrupt business operations in the Ukraine, led to significant losses for Fortune 100 companies Merck & Co. and FedEx.5
Criminals and their wares are getting smarter, even deploying artificial intelligence to evade detection. “This year, cryptojacking, or secretly installing cryptocurrency mining software on people’s computers, has become a popular way for criminals to make money, effectively stealing your computer processing power and electricity,” Goodman says.
The perpetrators of last year’s Equifax breach carefully bypassed cybersecurity defenses, invaded a single webserver, accessed the company’s network and created hidden command-and-control tunnels to retrieve the personal data of 145 million Americans, according to a study by Vectra called, “Could an Equifax-sized data breach happen again?” Despite impressive efforts to protect the data, the breach lasted 78 days, the June study reports.6
Attack vulnerability is also on the rise. For example, internet of things applications and gadgets are vulnerable to intrusion at each point of connection, says Pascal Millaire, CEO of CyberCube, a cyberrisk analytics firm that deploys Symantec data for insurance applications.7
Attacks against internet of things devices rose 600 percent from 2016 to 2017, according to Symantec’s “Internet Security Threat Report” released in March.8 “We are really only just beginning to see the losses, damages and risks from what we are incorporating in our lives, especially with the emergence of the internet of things,” Millaire observes.
Mobile apps that control internet of things mechanisms do not always use security measures or provide encrypted firmware updates, he explains. “There is a rush to market, but security is an afterthought.”
Other Exposures
Insurers are also facing other growing exposures. “Silent” cyberrisk affects traditional insurance lines not designed to cover cyber losses. Like cyber coverage in general, silent cyberrisk has a lot to do with the specific language of individual policies and how they are interpreted. “It is a much bigger concern to many insurers than the risk on their stand-alone cyber portfolio,” Laux says.
Insurance professionals believe the potential impact is becoming a growing issue, according to a survey by Willis Re. For property coverage, about half of the 750 industry practitioners surveyed last year anticipate one cyber loss or fewer for every 100 non-cyber losses in 2018, according to its report, “Silent Cyber Risk Outlook,” released in September 2017. For example, more than 75 percent of those representing auto liability and workers’ compensation estimated silent cyber claims at a rate of one or fewer per hundred.
The degree of perceived risk also varied greatly among industries. For liability coverage, the top three industry categories with the estimated likelihood of 50 percent or more additional claims were information technology (IT)/utilities/telecom, financial services and retail/hospitality. For property coverage, financial services and IT/utilities/telecom also topped the list, followed by hospitals/medical facilities/life sciences.
Accounting for the cyber peril in traditional policies is not a mere bookkeeping issue. If the loss ratio for a book of property coverage was 60 percent excluding cyber losses, but silent cyber losses followed the same severity distribution, the exposure could raise the loss ratio to between 60.6 percent and 64.6 percent, according to the report, depending on the assumptions used to make inferences from survey responses. These responses, however, predate WannaCry, NotPetya and other attacks, which could change participant perceptions. A new report is expected for release in September 2018.
Another burgeoning source of exposure is the rising popularity of contingent BI insurance, which covers losses when network-dependent operations stop due to cyberattacks. “What concerns me is we are not seeing insurers pricing for cyber business interruption coverage when they are issuing policies,” Laux says.
Of course, offering new coverage and hedging bets on pricing adequacy is nothing new. Cyber insurance’s growth and development has depended on insurers’ agility to respond quickly to market demands. Not surprisingly, actuaries express concern when the sale happens before they can reasonably price it.
In the case of contingent BI, however, charging little or no premium for additional coverage arguably makes being competitive a higher priority than collecting enough money for potential losses. Contingent BI has the potential to be a major exposure for insurers and the insurance industry as a whole if a cyberattack causes massive business shutdowns on a large scale.
Incidences that have already taken place provide clues into what could occur, Millaire explains. “What we have seen is really a precursor to cat losses that will originate from a single point of failure, and some losses to date have really started to prove that.”
Just consider the headline-making incidents that stopped multibillion-dollar, household-name companies in their tracks. Customer demand for contingent BI coverage, Goodman says, reached a tipping point after the 2016 cyberattack on Dyn, the internet domain name system provider. The attack effectively knocked hundreds of top websites off the internet, including major news organizations such as CNN and Fox News and e-commerce sites and website-dependent companies such as Amazon, Twitter, Yelp and Zillow. “It was also yet another example of hidden cyber aggregation risk, where a single point of failure could potentially generate losses across multiple insureds,” he adds.
And catastrophic risk, Millaire says, is “the thing that is most concerning to our clients.”
Better Solutions
Cyber insurers are discovering and applying tools to anticipate risk potential by capturing cybersecurity and other client data at both the policyholder and aggregated portfolio levels. The approach is gaining ground because past claim data has limited value for pricing cyber insurance.
Originally developed for cybersecurity professionals, cybersecurity scores rate a company’s security posture using a variety of metrics, such as promptness of patching software applications and whether the company’s leaked credentials are for sale on the dark web, Laux explains. “Together, these metrics provide a snapshot of the company’s cyberhygiene, and unlike the typical insurer’s underwriting application, these ratings are updated on an ongoing basis throughout the year,” he adds.
“There’s no question that the market for cyberrisk quantification is growing,” says Goodman, who assembled a catalog of the tools for the CAS Cyberrisk Task Force and a global cyberrisk quantification network at the World Economic Forum.
Several vendors are marketing cybersecurity or risk scores to insurers. And like in any emerging market, it can be difficult to distinguish whether a tool is unique or if the vendors employ different terms to describe similar wares or approaches. BitSight Technologies has been offering cybersecurity scores for years. Envelop Risk offers a score to identify cyberrisk by policyholder and industry sector, and SecurityScorecard, chosen by AXA Partners, will help the insurer set premiums. Besides Ben Goodman’s and Pascal Millaire’s companies, FICO, AIR Worldwide and others are also in the mix.
The scores can help with the underwriting and risk selection process in multiple ways and across entire portfolios. Besides providing extra insight beyond policy forms and interviews for the underwriting process, some security or risk scoring services allow an insurer to identify noninvasively which specific policyholders use a particular cloud server and to monitor their exposure to potential aggregations, Laux says. For example, because so many businesses are cloud-dependent for their operations, cyber insurers are particularly concerned by the risk of a prolonged outage with a major cloud service provider. “Using this information, modeling companies can then go a step further to estimate the potential damages to these policyholders from a cloud outage,” he says.
Laux observes that insurers also are realizing that gauging a company’s cybersecurity health should go beyond renewal time. He adds that some insurers are deploying security or risk scoring tools that monitor every 24 hours because it “informs a continuously changing picture of the security health of the company.”
This daily monitoring also reveals the cadence of how quickly a company installs security patches, one key indicator of a company’s cybersecurity commitment, he says. Laux cites a Ponemon Institute survey that reveals 57 percent of breaches are due to unpatched but known vulnerabilities.9
Laux also cautions that cybersecurity scores are not a panacea. Detectors can miss so-called zero-day bugs, which have no patch when first discovered. Additionally, cybersecurity or risk scores are more difficult to obtain for small businesses, which may not have a significant web presence. That’s a key issue since industry observers see the greatest market growth among small- to medium-sized companies.
Beyond risk scores, some vendors offer to quantify and predict risk potential of a cybergeddon. Incidences that have already taken place provide clues into what could occur, Millaire explains. “What we have seen is really a precursor to cat losses that will originate from a single point of failure, and some losses to date have really started to prove that,” he says, adding that CyberCube has identified more than 1,000 such potential points that could lead to catastrophic cyber events.
Such past events, he offers, include attacks on cloud, email, web and domain name service providers, as well as on content management, payroll and marketing automation systems. The true costs of these attacks include many difficult-to-measure factors that add up quickly. “For Merck, as an example, the NotPetya attack amounted to lost time and losses that could exceed one billion dollars,” Millaire says.
“Cyber aggregation models are like hurricane models, which require exposures, hazards and vulnerabilities,” says Laux. The hazards continue to change, “but exposure and vulnerability are things we can generally get our arms around,” he says, explaining that the most commonly exploited software vulnerabilities are more than 10 years old.
Krutov says many insurers remain justifiably cautious about using cybersecurity or risk-scoring tools in both pricing and enterprise risk management. “The catastrophic risk component of cyber insurance portfolios can be nondiversifiable in traditional ways and, to the degree possible, actuaries should explicitly consider it in their analysis,” he observes. While acknowledging their potential usefulness, Krutov believes the existing risk scoring tools do not solve the difficulty actuaries still have with proper risk-based pricing or cyberrisk aggregation management.
Conclusion
The main constant in cyberrisk and insurance is change. The cyber insurance market continues to grow along with new risks, vulnerabilities and exposures. As a line that appears to be profitable, the competition for business is stiff. This not only pressures insurers to charge lower prices, but also to offer coverage, such as contingent BI, at little or no cost.
As lawmakers and regulators institute measures to protect consumer data privacy, insurers will feel the effect. Moreover, while cybersecurity tools are becoming more sophisticated, cybercriminals are exploiting artificial intelligence and other means to evade detection.
Glombicki of Fitch Ratings sums up understanding cyberrisk and insurance quite well: “The biggest thing that I have learned is it is a big market and nobody knows everything and, if they do, they are not saying it.”
Stand-alone vs. Packaged Cyber Coverage
Since stand-alone and package policies approach covering cyber incidents differently, their individual growth and development differ.
Stand-alone polices increased by about eight percent to $992 million in direct written premium (DWP) between 2016 and 2017, with 103,212 policies in force in 2017, according to “U.S. Cyber Insurance Market Share and Performance,” released by Fitch Ratings in May. The report is based on the National Association of Insurance Commissioners’ (NAIC) “Cybersecurity and Identity Theft Insurance Coverage Supplement” for 2017.
Meanwhile, the loss ratio for stand-alone policies declined to 35 percent in 2017, down from 43 percent the prior year, Fitch reports. In its July report, “US Cyber Market Update,” Aon Benfield estimates a 35.4 percent loss ratio based on NAIC figures and a 27.1 percent expense ratio to reach a combined ratio of 62.5 percent for the stand-alone segment of cyber insurance.
Using NAIC figures, A.M. Best notes that stand-alone claims represented 43.7 percent of all cyber claims in 2017 in its report “Cyber Insurance Market Sees Steady Growth but Still Awaiting a Real Growth Spurt,” released in May. The average closed claim with payment, including defense and cost containment, was $188,525 for stand-alone polices with 28.4 percent of closed claims receiving payment, according to the A.M. Best report.
Package policies tell a different story. The expansion of cyber package sales, which increased by 99 percent in 2017 to $864 million direct written premium, drives the overall growth in cyber insurance, Fitch reports. There were approximately 3.3 million package cyber policies in force in 2017, up from 2 million the year before, according to Fitch.
However, A.M. Best counts an increase from 1.9 million policies in 2016 to 2.5 million in 2017, noting that many insurers have expanded their commercial package policies (CPPs) and business owners policies (BOPs) by adding cyber endorsements. Further, about half of those package policies do not feature occurrence triggers. Both Fitch and A.M. Best caution that the actual number of policies could be lower due to reporting differences by insurers.
A.M. Best also notes a 32 percent decline in stand-alone policies. Among other potential reasons, the decline is likely because cyber endorsements for CPPs and BOPs are less expensive than stand-alone policies, which contain more definitive coverage language.
Aon calculates direct incurred losses at 28.8 percent of premium and adds in an expense ratio of 31.5 percent to reach an estimated combined ratio of 60.3 percent for package coverages. Claim information for package policies was not specified in the NAIC supplement.
Laws, Regulations to Affect Cyber Insurance
New laws and regulations will widen the expanse of insurer exposure to liability, experts say.
The European Union’s (EU) General Data Protection Regulation (GDPR), which became effective in May 2018, will affect insurers in multiple ways, sources say. “Cyber has been the Wild West for 15 to 20 years, and now Europe is the unexplored frontier again with this new regulation,” says Keith Daniels, JD, CIPP/U.S., who helped Lloyds of London develop its first cyber liability insurance policy nearly 20 years ago.
“Any resident of the EU can bring an action if they feel the company has not been properly dealing with their data,” says Daniels, and this can have an impact on U.S. companies. He and others believe it likely that customers will want additional cyber coverage to handle the greater liability potential from GDPR.
On the first day of GDPR enforcement, Facebook and Google were hit with lawsuits accusing the companies of coercing users into sharing personal data. The lawsuits seek to fine Facebook and Google 3.9 billion and 3.7 billion euro, respectively, which totals about $8.8 billion.10
New GDPR-related liability exposure is already showing itself. In Europe, there are now pending class-action-type lawsuits, and attorneys are running advertisements to collect names of potential victims, which is unusual in an otherwise non-litigious culture, Daniels explains.
GDPR also affects the underwriting process. This can be great for risk managers and actuaries hungry for more customer-specific information, but cumbersome for underwriters. Daniels says that insurers will need to develop new policy forms and application questions to ensure their policyholders are complying with GDPR to limit exposure potential.
GDPR has many requirements, and it is estimated that as many as 50 percent of companies in Europe were not GDPR-compliant as of the May 25 effective date. “The ability to be perfectly compliant as well remains questionable,” says Daniels, “especially for companies [that] maintain personal data on multiple systems, which may not be able to effectively communicate with each other.” One difficulty for some companies is the requirement to notify regulators of a known breach within 72 hours.
To manage risk potential, Daniels sees EU residents and regulators looking for gaps or noncompliance in areas such as:
- Anonymizing collected data to protect privacy.
- Safely handling data transfer across borders.
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance.
State Developments
State legislative initiatives are also moving toward greater protection of personal data, explains Alex Hageli, director of personal lines policy for the Property Casualty Insurers Association of America (PCI).
Approved by Gov. Jerry Brown in June, the California Consumer Privacy Act of 2018, like GDPR, further restricts how organizations can use consumer data and authorizes regulators to fine those that do not comply.11 There is some concern that insurers might be called upon to help pay fines for noncompliance, Hageli says. Not surprisingly, pushback on the new law is expected long before its effective date of January 1, 2020.12
“GDPR and the California initiative are changing the game,” Hageli observes, explaining that consumer control of data could potentially fundamentally impact how he feels companies like Facebook and Google make their billions of dollars: the unrestricted ability to collect as much consumer information as possible and monetize it.
“Other companies within the insurance ecosystem operate the same business model as do Facebook and Google,” Hageli says. “Credit reporting agencies operate in much the same way, as do certain insurance support organizations. These new laws have the potential to disrupt the underpinnings of that ecosystem,” he warns.
Hageli explains that other state laws are also broadening the definition of personal data to items such as user names and passwords, which increases the touch points for a breach notification. Connecticut is the first state to mandate that cyber-breached companies provide credit monitoring or identity theft protection to state residents who may be affected. Hageli says Pennsylvania and other states are considering whether to follow suit.
1 https://www.bloomberg.com/news/articles/2018-05-05/buffett-cautious-on-cyber-insurance-because-no-one-knows-risks
2 https://www.bloomberg.com/news/articles/2018-06-07/buffett-s-wrong-on-cyber-insurance-risk-chubb-s-greenberg-says
3 https://www.intelligentinsurer.com/news/chubb-overtakes-aig-xl-in-cyber-exposure-15384
4 https://www.straitstimes.com/world/organisations-hit-by-global-cyberattack
5 https://www.insurancebusinessmag.com/us/news/cyber/cyber-exposures-lead-to-magnified-risk-for-fortune-500-companies-104172.aspx
6 https://info.vectra.ai/hubfs/Vectra-Hidden-Tunnels-Report-052418.pdf
7 https://www.businesswire.com/news/home/20180322005344/en/CyberCube-Analytics-Emerges-Stealth-Mode-Providing-Inside-Out
8 https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf page 5
9 “Today’s State of Vulnerability Response: Patch Work Demands Attention,” April 2018. https://www.servicenow.com/company/media/press-room/servicenow-research-uncovers-security-patching-paradox.html
10 https://www.theverge.com/2018/5/25/17393766/facebook-google-gdpr-lawsuit-max-schrems-europe
11 https://www.itgovernanceusa.com/blog/californias-gdpr-like-privacy-law-passes-what-you-need-to-know/
12 https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
