Cyber crime is predicted to cost the world $8 trillion in 2023 and grow by 15% annually to $10.5 trillion in 2025, according to Cybersecurity Ventures. A BlackBerry and Corvus Insurance study found that a majority of businesses in North America are either uninsured or underinsured against cyber threats.
Cyber insurance has become a critical requirement for companies and organizations as rising cybercrimes lead to major financial losses and overall disruption. Greater demand for insurers to underwrite the risk has produced significant increases in premiums over the past few years. The Council of Insurance Agents & Brokers reports that the rate of increases, while still double-digit, is moderating after peaking at 34% quarter over quarter in Q4 2021. Cyber insurance premiums in Q4 2022 were up 15% quarter over quarter.
Insurers continue to see significant demand for cyber insurance despite the rise in premiums and difficulty in obtaining adequate coverage. Given the relative adolescence of cyber insurance, the nature of the underwriting and financial makeup will likely evolve.
Captives and reinsurance vs. cyber crime
Self-insurance, or “captives,” is one pathway companies are considering in response to higher cyber insurance premiums. By choosing to take on their own insurance, companies can pay less in premiums. The major benefit of captives is flexibility, the freedom to customize the policy and tailor the terms and conditions to fit business needs.
At the same time, cyber insurers are considering reinsurance to manage their own risk, making it easier for insurers to underwrite cyber because of the safety net reinsurance provides. Reinsurance gives insurers the ability to take on more policyholders. Additionally, reinsurance can protect against large catastrophic events and stabilize loss. Despite these advantages, it is necessary to consider the high price point for reinsurance coverage. And reinsurance offers protection only when the risk is properly evaluated.
Ultimately, what insurers are interested in is how to transform their cyber insurance underwriting. With cyber, it is vital to have a clear picture of the risks to properly evaluate and determine the vulnerability to cyberattacks and data breaches since different sectors vary in their exposure to catastrophic events. Their customers must follow best practices, such as the use of dual-factor authentication and frequent employee cyber training to show their commitment to reducing vulnerabilities.
Looking inwardly, insurance companies seem confident in their ability to protect themselves from a cyberattack. A KPMG Insurance Outlook survey found that 74% of insurance executives believe their company is adequately equipped to protect customer data, privacy, and assets from a cyberattack. Regardless, 54% cited cybersecurity risk as the greatest threat to their company’s growth over the next three years.
Opportunities and challenges
In the present landscape, plenty of opportunities and challenges lie ahead for insurance companies interested in underwriting cyber insurance policies. Cyber insurance offers an opportunity for insurers to grow their books of business, create additional streams of revenue and access a new customer base. U.S. domiciled insurers writing standalone cyber insurance products reported about $3.2 billion in direct written premiums in 2021, and those writing cyber insurance as part of a package policy reported roughly $1.7 billion in direct written premiums, according to a report from the National Association of Insurance Commissioners.
Moreover, insurance companies are becoming creative and taking new holistic approaches to their cyber insurance offerings, broadening their services by launching cyber risk management programs that offer a spectrum of cybersecurity services for their customers. Programs may include data backup and recovery, multi-factor authentication, data breach response planning and more.
However, cyber insurance companies also face multiple challenges. First, new competitors are collaborating with technologically advanced startups to help underwrite businesses. A new generation of hybrid cyber insurance startups approaches cyber insurance differently from traditional insurers by building cybersecurity monitoring and protection platforms on top of the insurance they provide. Cyber insurance startups have built automated and technology-enabled platforms to assess risk and tailor insurance services and coverage.
The second challenge is the lack of certainty in assessing cyber risk, which makes it difficult to write policies that moderate overall risk. Cybercriminals are constantly finding new ways to exploit vulnerabilities in technology, which makes it difficult for businesses to stay ahead of the threat. Insurance underwriters must be incredibly cautious when examining a company’s risk and security measures. Insurtech companies are a step ahead in this area because of their ability to use digital transformation to efficiently analyze security risks, build personalized products and provide customizable offerings to customers. Traditional insurers are building their digital capabilities, but only some have reached parity with insurtech companies.
The third hurdle is finding employees who are equipped to conduct underwriting, an overall challenge for the insurance industry. The Institutes Griffith Insurance Education Foundation reports a 40%–50% shortage of underwriting talent in North America.
Artificial intelligence may offer an opportunity to address cyber insurance as part of AI’s industrywide impact. For example, in underwriting and risk management, AI can significantly affect risk analysis and monitoring. AI techniques can make the underwriting process more efficient and enable insurers to offer customers coverage and pricing more specific to their unique needs.
What this means for the future
The U.S. cyber insurance market is anticipated to maintain premium growth and underwriting results through 2023, says Fitch Ratings. However, recent profits and competition will likely moderate pricing further this year.
The cyber insurance market will also be influenced by the aftereffects of the COVID-19 pandemic, which transformed the workplace. Remote work and the increased number of employees using work laptops at home have increased the potential risk of cyber and ransom attacks, making it crucial for companies to purchase cyber insurance and cybersecurity programs that include training on how to avoid threats.
As technology continues to advance, electric vehicles, autonomous vehicles and artificial intelligence will shape the future, opening the door to new opportunities for cyber insurance. A recent KPMG Global Auto Executive Survey revealed that 61% of U.S. auto executives believe that AV ride-hailing or delivery service will be commercially available in major U.S. cities by 2030.
With the possible rise in AVs, auto insurers must think about the cybersecurity risk they present. Who owns the technology in self-driving cars, and what are the ramifications if cyberattacks cause accidents? Given forecasts, it’s evident that cyber insurance should be top of mind for insurers to prepare for and protect consumers from the impact of potential cyberattacks.
With the constantly evolving threat of cyberattacks, insurers will continue to be challenged to provide effective underwriting that meets demand. Today’s underwriting covers four areas:
- First-party cyber insurance covers the direct costs associated with a cyberattack, such as the cost of investigating the breach, notifying customers and restoring data.
- Third-party cyber insurance covers the costs associated with a third-party claim against a business, such as a lawsuit or regulatory fine.
- Cyber liability insurance covers the costs associated with a data breach or other cyber incident, including legal fees and regulatory fines.
- Cyber extortion insurance covers the costs associated with a cyber extortion attempt, such as a ransomware attack.
Businesses invest in cybersecurity along a bell curve. On one side, businesses that haven’t focused as much as they should on their cybersecurity may be less likely to receive coverage. On the other side, businesses that have heavily invested in security measures are less likely to need coverage. In the middle are companies that have invested in cybersecurity, though not quite enough to be able to go without insurance. They are the most likely candidates for coverage.
When determining a company’s cyber risk, insurers currently use their own questionnaires. Insurers should consider analyzing the type of questions they ask companies to determine if the proper questions are being asked and if they are placing appropriate value on the steps companies have taken. Responses that are accurate at first may become outdated. To maintain up-to-date information, insurers may want to consider real-time monitoring of a business’s cybersecurity to understand the status of its protection and the steps it has taken to protect itself.
Cyber insurers should consider whether their current or planned processes and technologies will contribute to making coverage more available at a more optimal premium for both the insurer and the insured. This will provide more effective risk management as a result. If insurers are not considering this, now is the time for them to evaluate their current state and objective and develop a strategy that will lead to a better cyber insurance model.
Ed Chanda is KPMG US National Insurance Sector leader.
© Entire contents copyright 2023 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.