Would-be cyber insurers, those that would provide coverage for the cyber risks that companies face, have a puzzle to unravel first: A significant opportunity exists, but the market is fragmented, the uptake of stand-alone cyber coverage policies remains patchy, and silent cyber risks are growing in a way that some say will threaten companies if they are not addressed appropriately, and soon.
According to international specialty insurer Hiscox Ltd., more than half of the firms it surveyed for the Hiscox Cyber Readiness Report 2020 said they rely on more general coverage, presumably with cyber added on, to mitigate the risks posed by cyber criminals and human error. “This is a conundrum. Almost certainly they would all have cover for fire and theft, yet the report suggests they are 15 times more likely to have a cyber incident,” writes Hiscox cyber CEO, Gareth Wharton. “While the number of firms reporting a breach is down, the cost and intensity of criminal activity in this area appear markedly higher. The numbers that have paid a ransom following a malware infection are chilling.”
A growing risk for insurers
S&P Global Ratings says this reliance on general coverage is a significant and growing risk for some insurers.
“The cyber insurance market is underdeveloped, and cyber cover is often tacked onto existing liability or property insurance policies that were not originally intended to cover cyber risk,” say authors of the S&P report, Cyber Risk In A New Era: Let’s Not Be Quiet About Insurers’ Exposure To Silent Cyber.
They say the cyber insurance market has huge growth potential, but insurers lack the products to appropriately meet expected future demand. “Cyber cover is often bundled into existing property or liability insurance policies. In some cases the policies do not explicitly include or exclude cyber cover at all. This gives rise to ‘silent cyber’ or the risk to insurers of losses from cyber-related claims on policies that weren’t intended to cover cyber risk.” They add that such add-on coverage often does not include a comprehensive list of perils. “Such situations can result in intense debates when it comes to claims,” they write. “Debates and lawsuits delay critical payouts and impede the sustainable development of a cyber insurance market.”
A more centralized approach to data collection and research
Rather than muddy the water with bundled coverage, the report suggests that a stand-alone cyber line of business will reduce the risk to companies by giving insurers greater control over the risk of claims accumulating within their cyber insurance portfolio and by allowing a more centralized approach to data collection and research. This is crucial, they say, as the highly dynamic nature of cyber risk can complicate the calculation of adequate premiums. They also say a stand-alone business gives management more opportunity to devote attention to cyber concerns.
Cyber business has the potential to drive industry growth, they say, but add that the take-up of stand-alone cyber insurance is hampered by the fact that policyholders already feel that they have cyber cover within their existing insurance policies. “This makes it difficult for brokers and agents to sell stand-alone cyber cover, and could seem to strengthen the rationale for insurers to embed such cover in existing policies,” they write. “In our view, a severe cyber event that affects several lines of business at once could pose a systemic threat to insurers.”