View this article online: https://www.insurancejournal.com/magazines/mag-closingquote/2016/10/03/427816.htm
Cyber security is a rapidly growing area of concern for executives across the world. The costs that can arise from a cyber breach can be catastrophic to a business. As a result, the cyber insurance market has ballooned over the past 10 years, as organizations are now recognizing that they are living in a “when” not an “if” scenario for facing a cyber or data breach.
According to a Net Diligence Study in 2014, the average cyber insurance claim payout was $733,109. This includes costs for crisis communication and legal expenses, in addition to the corrective and restorative measures. Beyond the technical challenges, the reputational risk exposure can be irrecoverable.
From cyber hacks at large retailers, to hacking information of government databases, the need for protection is clear. We know that cyber risk is not slowing down or going away any time soon, but as a risk management professional in the insurance industry, it is hard not to observe that we seem to be on the verge of a “cyber bubble.”
Since the first cyber insurance policy was placed in 1997, the market has rapidly evolved; however, it is still in its infancy. Coupled with a rate of cyber attacks much greater than could have been anticipated, insurers have certainly mispriced the risk in failing to account for the level of losses they will be forced to pay out in the coming years.
In insurance and risk management, generally actuarial teams price risks based on past loss data and historical performance. As a new class of risk emerges, the lack of backward looking data makes pricing these risks difficult. Additionally, even the so-called experts in the industry are not able to fully understand how to prevent cyber breaches.
As the need for cyber insurance grows, more organizations are purchasing policies, where capital injections to the cyber insurance industry are outpacing losses being paid out. As the pace of losses occurring increases the capital being charged will not be sufficient to cover these high claim costs.
As a result, insurance carriers will be forced to re-price their policies and some will exit the cyber insurance market entirely, leaving organizations scrambling to secure a solution to protect them at a time when they are facing financial and reputational losses from these rapidly occurring breaches.
The growth of cyber attacks and underestimating of losses in the insurance market closely resembles what happened in the long-term care insurance market. This “bubble” was profiled by Forbes in 2012, when insurers did not anticipate as high a rate or dollar value of losses for which they would be responsible when they first went to market. As a result, they could not continue offering policies for the prices they set. Many firms, including big name carriers like John Hancock and MetLife, exited the long-term care insurance market altogether due to the downward strains this put on their balance sheets. Carriers that remained in the industry were forced to re-price the risks, which left individuals footing a higher bill for the same, or in some cases less coverage.
As more institutions get hacked, more losses will come in, and consequently it looks from the surface that the cyber insurance market will greatly change.