You own a house. It burns down. Your insurer only pays out 15% of the loss.
That’s a serious case of under insurance. You’d wonder why you bothered with insurance in the first place. In reality, massive under-insurance is very rare for conventional property fire losses. But what about cyber insurance? In 2017, the total global economic loss from cyber attacks was $1.5tn according to Cambridge University Centre for Risk Studies. But only 15% of that was insured.
I chaired a panel on cyber at the Insurtech Rising conference in September. Sarah Stephens from JLT and Eelco Ouwerkerk from Aon represented the brokers. Andrew Martin from Dyanrisk and Sidd Gavirneni from Zeguro, the two cyber start-ups. I asked them why we are seeing such a shortfall. Are companies not interested in buying or is the insurance market failing to deliver the necessary protection for cyber today? And is this an opportunity for Insurtech start-ups to step in?
High demand, but not the highest priority
We’ll hit $4bn in cyber insurance premium by end of this year. Allianz has predicted this growing to $20bn by 2025. And most industry commentators believe 30% – 40% annual growth will continue for the next few years.
A line of business growing at over 30% per year, with combined ratios around 60% at a time when insurers are struggling to find new sources of income is not to be sniffed at. And the risks are getting bigger. My panellists had no problem in rattling off new threats to be concerned with as we look ahead to 2019. Crypto currency hacks, increasing use of cloud, ransomware, GDPR, greater connectivity through sensors, driverless cars, even blockchain itself could be vulnerable. Each technical innovation represents a new threat vector. Cyber insurance is growing, but so is the gap between the economic and insured loss.
The demand is there, but there are a lot of competing priorities. Today’s premium spend represents less than 0.1% of the $4.8tn global property & casualty market. Let’s try to put that in context. If the ratio of premium between cyber and all other insurance was the same as the ratio of time spent thinking about cyber and other types of risk, how long would a Risk Manager allocate to cyber risk? Even someone thinking about insurance all day, every day for a full working year would spend less than seven minutes a month on cyber.
It’s not because we are unaware of the risks. Cyber is one of the few classes of insurance that can affect everyone. The NotPetya virus attack, launched in June 2017, had caused $2.7bn of insured loss by May 2018 according to PCS, and losses continues to rise. That makes it the sixth largest catastrophe loss in 2017, a year with major hurricane and wildfire losses. Yet the NotPetya event is rarely mentioned as an insurance catastrophe, and appears to have had no impact on availability of cover or terms. Rates are even reported to be declining significantly this year.
Large corporates are motivated buyers. They have an appetite for far greater coverage than limits that cap out at $500m. Less than 40% of SMEs in the US and UK had cyber insurance at the end of 2017, but that is far greater penetration than five years ago. The insurance market has an excess of capital to deploy. As the tools evolve, insurance limits will increase. Greater limits, mean more premium, which in turn creates more revenue to justify higher fees for licensing new cyber tools. Everyone wins. Maybe.
Growing cyber insurance coverage is core to the strategy of many of the largest insurers.
Cyber risk has been available since at least 2004. Some of the major insurers have had an appetite for providing cyber cover for a decade or more. AIG is the largest writer, with over 20% of the market. Chubb, Axis, XLCatlin and Lloyd’s insurer Beazley entered the market early and continue to increase their exposure to cyber insurance. Munich Re has declared that it wants to write 10% of the cyber insurance market by 2020 (when they estimate premium will be $8 - $10bn). All of these companies are partnering with established experts in cyber risk, and start-ups, buying third party analytics and data. Some, such as Munich Re, also offer their underwriting capacity to MGAs specialising in cyber.
The major brokers are building up their own skills too. Aon acquired Stroz Friedberg in 2016. Both Guy Carpenter and JLT announced relationships earlier this year with cyber modelling company and Symantec spin off CyberCube. Not every major insurer is a cyber enthusiast. Swiss Re CEO Christian Mumenthaler declared earlier this month that the company would stay underweight in its cyber coverage. But most insurers are realising they need to be active in this market. According to Fitch, 75 insurers wrote over US$1 million each of annual cyber premiums last year.
But are the analytics keeping up?
Despite the existence of cyber analytic tools, part of problem is that demand for insurance is constrained by the extent to which even the most credible tools can measure and manage the risk. Insurers are rightly cautious, and some sceptical, as to the extent to which data and analytics can be used to price cyber insurance. The inherent uncertainties of any model are compounded by a risk that is rapidly evolving, driven by motivated “threat actors” continually probing for weaknesses.
The biggest barrier to growth is the ability to be able to confidently diversify cyber insurance exposures. Most insurers, and all reinsurers, are able to offer conventional insurance at scale because they expect losses to come from only a small part of their portfolio. Notwithstanding the occasional wildfire, fire risks tend to be spread out in time and geography and losses are largely predicable year to year. Natural catastrophes such as hurricanes or floods can create unpredictable and large local concentrations of loss, but are limited to well-known regions. Major losses can be offset with reinsurance.
Cyber crosses all boundaries. In today’s highly connected world corporate and country boundaries offer few barriers to a determined and malicious assailant. The largest cyber writers understand the risk for potential contagion across their books. They are amongst the biggest supporters of the new tools and analytics that help understand and manage their cyber risk accumulation.
What about Insurtech?
Insurer, investor or start-up - everyone today is looking for the products that have the potential to achieve breakout growth. Established insurers want new solutions to new problems, investment funds are under pressure to deploy their capital. A handful of new companies are emerging, either to offer insurers cyber analytics, or to sell cyber insurance themselves. Some want to do both. But is this sufficient?
The SME sector is becoming fertile ground for MGAs and brokers starting up, or refocusing their offerings. But with such a huge, untapped market, (85% of loss not insured) why aren’t cyber start-ups dominating the Insurtech scene by now? The number of Insurtech companies offering credible analytics for cyber seems disproportionately small relative to the opportunity and growth potential. Do we really need another start-up offering insurance for flight cancellation, bicycle insurance or mobile phone damage?
Whilst the opportunity for Insurtech start-ups is clear, this is a tough area to succeed in. Building an industrial strength cyber model is hard. Convincing an insurer to make multi-million dollar bets on the basis of what the model says is even more difficult. Not everyone is going to be a winner. Some of the companies emerging in this space are already struggling to make sustainable commercial progress. Cyber risk modeller Cyence, roared out from stealth mode fuelled by $40M of VC funding in September 2016 and was acquired by Guidewire a year later for $265 million. Today the company appears to be struggling to deliver on its early promises, with rumours of clients returning the product and changes in key personnel.
The silent threat
The market for cyber is not just growing vertically. There is the potential for major horizontal growth too. Cyber risks affect the mainstream insurance markets and this gives another source of threat, but also opportunity.
Most of the focus on cyber insurance has been on the affirmative cover – situations where cyber is explicitly written, often as a result of being excluded from conventional contracts. Losses can also come from ” silent cyber”, the damage to physical assets triggered by an attack that would be covered under a conventional policy where cyber exclusions are not explicit. Silent cyber losses could be massive. In 2015 The Cambridge Risk Centre worked with Lloyd’s to model a power shutdown of the US North East caused by an attack on power generators. They estimated a minimum of $243bn economic loss and $24bn in insured loss.
In the current market conditions cyber can be difficult to exclude from more traditional coverage such as property fire policies, or may just be overlooked. So far, there have been only a handful of small reported losses attributed to silent cyber. But now regulators are starting to ask companies to account for how they manage their silent cyber exposures. It’s on the future list of product features for some of the existing models. Helping companies addressing regulatory demands is an area worth exploring for start-ups in any industry.
But ultimately, we don’t yet care enough
We all know cyber risk exists. Intuitively we understand an attack on our technology could be bad for us. Yet despite the level of reported losses, few of us have personally, or professionally, experienced a disabling attack. The well-publicised attacks on large, familiar corporations, including most recently, British Airways, have mostly affected only single companies. Data breach has been by far the most common type of loss. No one company has yet been completely locked out of its computer systems. WannaCry and NotPetya were unusual in targeting multiple organisations, with far more aggressive attacks that disabled systems, but on a very localised basis.
So most of us under-estimate both the risk (how likely), and the severity (how bad) of a cyber attack in our own lives. We are not as diligent as we should be in managing our passwords or implementing basic cyber hygiene. We too spend less than seven minutes a month thinking about our cyber risk.
This lack of deep fear about the cyber threat (some may call it complacency) goes further than increasing our own vulnerabilities. It also the reason we have more start-ups offering new ways to underwrite bicycles than we do companies with credible analytics for cyber.
Rationally we know the risk exists and could be debilitating. Emotionally, our lack of personal experience means that cyber remains “interesting” but not “compelling” either as an investment or start-up choice.
So let’s not beat-up the incumbents again. Insurance has a slow pulse rate. Change is geared around an annual cycle of renewals. It evolves, but slowly. Insurers want to write more cyber risk, but not blindly. The growth of the market relies on the tools to measure and manage the risk. The emergence of a new breed of technology companies, such as CyberCube, that combine deep domain knowledge in cyber analytics, with an understanding of insurance and catastrophe modelling is setting the standard for new entrants.
Managing cyber risk will become an increasingly important part of our lives. It’s not easy and there are few short cuts but there are still plenty of opportunities to get involved helping to manage, measure and insure the risk. When (not if) a true cyber mega-catastrophe does happen attitudes will change rapidly. Those already in the market whether as investors, start-ups or forward thinking insurers will be best positioned to meet the urgent need for increased risk mitigation and insurance.