Although cyber risk premiums have expanded sizably in recent years with loss ratios that compare favorably to other product lines, the danger of accumulation risks is a key concern for the market, according to a study released by insurance industry think tank The Geneva Association.
The study, titled “Advancing Accumulation Risk Management in Cyber Insurance,” identifies three prerequisites to a sustainable cyber insurance market:
- Customers and insurers must facilitate resilience at the source of risk for the principles of insurability to apply.
- Insurers must be able to achieve an acceptable return on capital.
- Insurance markets need to be able to withstand shocks from extreme events, which means absorbing accumulation risk.
The concern about accumulation risk is widely held across the industry and is the reason the Geneva Association report is focusing on the market’s ability to withstand extreme events, said Anna Maria D’Hulster, secretary general of The Geneva Association (GA), in a forward to the report.
“Expanding the boundaries of insurability is not new for insurers. However, cyber risks are taking us into uncharted territory,” she added. “Both exposures and threats have distinct characteristics, which give rise to unprecedented challenges.”
“These challenges require that insurers strengthen their core underwriting capabilities, in particular exposure measurement, claims assessment, and accumulation modelling,” the study said.
The report went on to highlight four cyber accumulation risk challenges:
- A single large event or a series of consecutive events may make affirmative cyber insurance unprofitable. (The report explained that insurers provide affirmative coverage in standalone and package policies).
- Insurers and reinsurers (for which risk accumulation may be more pronounced than for primary insurers) could underestimate non- affirmative cyber exposure leading to n unplanned shock from a major event. The report explained that non-affirmative cyber exposure occurs when a cyber attack causes major losses by triggering coverages in other classes.[Editor’s note: Insurers face non-affirmative, or silent cyber exposures, when they offer all-risk policies and other liability insurance policies that have not excluded cyber risks.]
- Data are of insufficient quality, are incomplete and/or lack the necessary consistency for more advanced modeling techniques.
- Governments fail to provide frameworks for the sharing of large-scale cyber- terrorism-induced losses.
The study said there are many market consequences if risks from these challenges materialize.
“Insurers and reinsurers could withdraw from the market after unacceptably high losses and fear of repeat events,” the study continued, noting that such losses also could stall the growth of the small alternative capital market and prevent insurers from accessing needed capacity.
In addition, re/insurers could introduce tighter policy terms and increase the number of exclusions and/or make buy-backs prohibitively expensive, the GA study said.
“The lack of confidence in advanced model outputs could stifle growth if models are deemed to be too blunt for insurers to extend portfolios or offer higher coverage levels,” which could result in a further constraint on the amount of coverage available for larger enterprises and leave the market for small and medium enterprises underdeveloped.
“A large event may also trigger regulatory intervention with the risk for insurers having to provide cover with uneconomic terms and rates,” GA said.
In response, GA said, insurers have formulated several approaches:
- Developing data analytics that analyze the characteris- tics of cyber risk as well as data protocols that combine company information with digital risk indicators.
- Novel approaches to analyzing the risk “footprint” and corresponding threats affecting the size.
- Forward-looking threat assessments including external expert inputs.
- Mapping cloud-related interconnectivity and digital supply chains, and using machine learning to assess the relationship between claims frequency and multi-exposures.
“Of equal importance is the need to maintain underwriting discipline. Cyber risk is not unique in this respect. Historically, many property-casualty classes have suffered when underwriting standards slipped or when prices failed to adequately reflect the cost of risk,” the study said.
Was this article valuable?
Here are more articles you may enjoy.