The COVID-19 pandemic forced almost all organizations to accelerate their digital transformation plans amid a boom in e-commerce demand. Insurers have reacted by diversifying into products relevant to the ever-growing concerns surrounding cyber risk.
Sept. 02, 2020
This report does not constitute a rating action
Manuel Adam, Frankfurt, manuel.adam@spglobal.com
The COVID-19 pandemic has changed the ways we shop, learn, and work with important implications for cyber risk. E-commerce is booming, brick-and-mortar retailers are shifting to digital platforms, and schools and offices have adopted online classes and home working. For organizations this has meant re-thinking digitalization strategies and doubling-down on information technology (IT) spending, cloud capacity, and infrastructure to boost bandwidth, ensure business continuity, and retain customers.
We believe these digitalization trends are here to stay and will inevitably lead to a higher likelihood of cyber incidents, as companies increase their digital footprint or enter the space for the first time.
Even prior to the COVID-19 pandemic, cyber risk was the top peril for organizations globally, according to the Allianz Risk Barometer Survey in January 2020. The same survey ranked it 15th back in 2013.
High-profile incidents such as the WannaCry ransomware attack in May 2017 and NotPetya in 2016 and 2017 have materially increased awareness of cyber threats, with estimated global damage of up to $4 billion and $10 billion, respectively. These incidents demonstrated the huge accumulation risk and the potential for large interrelated losses, given how quickly the ransomware spread across the globe. Ransomware attacks, in which malware (often delivered as a Trojan) locks down entire computer networks and the attackers threaten to publish the victim's data or block access permanently unless a ransom is paid, are increasing in both frequency and severity.
The increasing sophistication of cyber attacks is also undeniable. For example, advanced persistent threats (APTs)--targeted attacks in which an attacker gains access to a system with the goal of stealing data or disrupting a network, and remains undetected for an extended period--are on the rise. These attacks are usually intended to steal intellectual property and sensitive data for political or economic gain.
Another increasingly popular avenue of attack is social engineering, where cyber attackers manipulate individuals into divulging sensitive information. In July 2020, Twitter became the victim of a coordinated social engineering attack that targeted employees with access to sensitive internal administrative systems. The accounts of famous faces including former U.S. President Barack Obama, Amazon founder Jeff Bezos, Tesla CEO Elon Musk, and rapper Kanye West were compromised and pushed out tweets asking millions of followers to send money to a Bitcoin address as a community donation. Many followers were deceived and sent Bitcoin payments expecting a double return that never arrived.
On top of costs related to a cyber attack itself, companies face a potential fine if they are found to have not fully complied with regulation, for example, by not promoting a culture of data protection and proactively reporting data breaches. The implementation of the General Data Protection Regulation (GDPR) means organizations are facing higher penalties for data breaches, with EU regulators levying fines of up to 4% of an organization's annual global revenue or €20 million, whichever is larger, if they infringe on users' privacy.
The pace of digitalization and data interconnectivity will only increase, driven by trends such as the Internet of Things, social media, fifth generation mobile networks, and Industry 4.0. This means cyber security, cloud, and data protection must be organizations' highest priorities to cope with sophisticated new cyber threats. In this context, we think increasingly more companies will consider cyber insurance to complement wider cyber risk-management strategies.
In most developed global markets, cyber insurance will become one of the key growth areas for insurers in the next decade, partly because many larger lines of business, such as motor and property, are highly saturated. However, market penetration has remained relatively low, despite the area being among the largest risks for organizations globally. The estimated yearly economic costs of cyber crime already exceed $700 billion, but insured cyber losses are still very small at below $5 billion.
In comparison, total economic losses from natural and man-made disasters in 2019 totaled about $140 billion, with $56 billion insured, according to Swiss Re. This indicates the untapped potential of the cyber insurance market.
Currently, commercial and private cyber insurance premiums total about $5 billion, and we expect this to increase 20%-30% per year on average in the near future. A key avenue for growth will be small and midsize enterprises (SMEs), which have a considerable untapped demand for cyber insurance. In the U.S., cyber insurance growth rates for SMEs were more than double those for other industry segments in 2018 and 2019. In our view, this is an important development that will gradually improve the risk diversification of insurers' exposure.
More broadly, cyber insurance market growth will depend on how insurers tackle associated challenges.
We see several reasons for the huge gap between the economic losses associated with cyber attacks and the size of the cyber insurance market (see chart 2).
A key challenge for insurers is accumulation risk. The accumulation of claims within a cyber insurance portfolio can expose an insurer to high financial losses. A severe natural catastrophe can also affect many countries, but is limited to a certain region. Cyber risks are not limited by geography and can easily spread across the globe in a few seconds. As proven by attacks like NotPetya and WannaCry, there is significant accumulation potential due to increasing digital interconnectivity and interfaces along multiple supply chains.
Uncertainties regarding cyber insurance coverage can arise from nonaffirmative, or silent, cyber risks, which are neither explicitly included nor excluded within insurance policies. As a result, legal disputes can arise, and with them unexpected cyber claims that were never priced into the insurance premium. We have seen insurers improve their handling of this area in 2019 and 2020 following regulatory requests to screen their portfolios for silent cyber risks. Insurers have also developed more robust analytical tools and are gradually transforming silent cyber into affirmative cyber risks using clear and transparent inclusions or exclusions, which we regard as a positive sign. Still, we see a broad disparity between insurance companies that take silent cyber risks very seriously in their underwriting strategies and those with less ambitious silent cyber strategies. Going forward, insurers will need to focus on identifying, quantifying, and modeling silent cyber risks across their portfolios and in their new business in order to control and minimize overall accumulation risk and expand sustainably and profitably.
Furthermore, calculating an appropriate price for cyber insurance is more difficult than other lines of business, given the very dynamic nature of cyber risks and increasing sophistication of cyber crime. In the U.S., so far the largest and most advanced cyber insurance market with about a 70% share of the global market, profitability is still high, with a combined ratio (loss and expense) of 67% on average over 2017-2019, according to AON. These market-leading profit levels are backed by an uncertainty premium, but we expect margins to narrow over time. In less developed cyber insurance markets, like Europe and Asia, it is still too early to comment on profitability but we observe insurers also applying high uncertainty premiums when entering the market to build more robust data on potential cyber losses. However, historical data can't always predict future cyber risk development. This makes underwriting cyber insurance more sophisticated than conventional insurance cover, with the insurer heavily relying on modelling and scenario calculations, as well as qualitative judgement. Given these challenges, cyber insurers have cautiously expanded their coverage but the approach will need to evolve to support demand growth at a reasonable economic cost.
We also see a lack of transparency and a rigidity in the insurance market, which is not entirely accommodating customer demands. One issue is uncertainty around coverage elements, given non-uniform definitions of cyber risks and inconsistent terms and conditions, since cyber is often bundled into liability or property lines of business. In some instances, we also see exclusions for certain industries, such as critical infrastructure or financial service companies, and for certain claims, including fake president fraud (where criminals impersonate a company leader and order an emergency bank transfer) or cyber extortion payments. In addition, some insurers cap the maximum payout at a level that is viewed as inadequate protection in the event of a cyber incident. This could lead customers to question the benefits of a cyber policy. The lack of cyber risk awareness, and the difficulty of justifying spending when the company hasn’t yet been attacked, especially among SMEs, are other growth constraints.
In our view, cyber risk awareness has increased rapidly, spurred by organizations’ reliance on data and IT systems and further accelerated by the COVID-19 pandemic. Demand rises when cyber incidents get media attention and an increasing number of organizations are starting to see cyber as a severe risk. As a result, investment in cyber risk management, including cyber insurance coverage, is rising.
For insurers, this demand means huge opportunities but also large risks. In particular, they need to understand the complexity and dynamics of cyber insurance to successfully and efficiently provide coverage.
Cyber incidents and data breaches have become a part of daily life. The threat is evolving dynamically, creating a constant battle between attackers and defenders finding and exploiting (or patching) system flaws. However, whether, or to what extent, an attack becomes a cyber insurance claim depends upon the cyber risk-management framework. Many claims arise because a cyber security strategy was absent or not sufficient to withstand an attack.
For companies, a cyber incident can lead to, among other outcomes, business interruption, ransom payments, a drop in reputation, and a potential fine from the regulator. This can mean several adverse consequences as companies rebuild databases and take care of reputational and operational damage.
In our view, cyber insurance needs to offer more than just pure compensation for a potentially significant financial loss. Insurers can provide additional value by providing assistance services and helping policyholders better handle cyber risks. This would provide a key benefit to the policyholder, enable insurers to differentiate themselves from competitors, and help reduce the frequency and severity of cyber claims. More efficient cyber prevention and sophisticated management in a claims scenario heavily correlate with a lower claim cost and are therefore also a key advantage for an insurer.
We believe cyber insurers can also act as an orchestrator by building an ecosystem of internal and external expertise to prevent cyber claims, or investigate any attacks for a policyholder quickly.
This includes comprehensive IT expertise and services associated with prevention measures, crisis management, and data recovery. Transparent and proper legal and crisis communication is also key to avoid or minimize regulatory fines, third-party legal claims, and reputational damage.
The cyber insurance market is to a large extent still dependent on third-party cybersecurity companies and law firms to provide these services, but larger insurers have already started to build up in-house expertise and to hire IT experts from renowned cybersecurity firms.
By building this ecosystem, cyber insurance providers can bring significant added value to the insured party and play an important role in improving cyber resilience. We believe the digitalization boost linked to the COVID-19 pandemic will allow insurers to develop comprehensive cyber risk-management strategies together with policyholders. Insurers should also take up the role of educating policyholders about cyber risks to further enhance awareness.
However, if insurers only focus on compensation for claims, we see less potential to develop a sustainable and profitable cyber insurance market in the mid-to-long term.
On the one hand, cyber risk can be an operational risk for insurers, given the huge amount of sensitive data they handle. We could change our assessment of an insurer's governance framework if we observe insufficient cyber risk management, including a potential inability to identify and detect cyber risks, a lack of prevention measures, and an inadequate cyber claim response strategy.
On the other hand, cyber insurance providers can be exposed to cyber risks in the form of first- and third-party written cyber coverage, cyber coverage packaged into another policy (affirmative cyber risks), and implicit silent cyber coverage (nonaffirmative cyber risks).
We believe that the coming decade will be a game changer for the cyber insurance industry if insurers can tackle the associated challenges. In particular, the accumulation risk we consider in our risk exposure assessment could increase significantly due to the complex and dynamic risks providers are exposed to. To successfully write cyber insurance on a larger scale and generate profitable long-term growth, insurers need to create an ecosystem combining internal and external expertise and providing the best benefits to policyholders.
Should an insurer aggressively expand in the cyber market without proper expertise it could change our risk exposure assessment, especially if we believe this higher cyber exposure could lead to capital and earnings volatility. That said, building a strong ecosystem early on may lay the foundation for an improved competitive position and higher profitability. Therefore, we will closely monitor rated insurers' expansion in this area and how they deal with the challenges and potential large interrelated losses associated with cyber insurance.