25 July 2016 | Insurance

Business interruption will boost cyber growth

In the US, the most developed market for cyber insurance in the world, growth in the past decade has been driven by privacy issues, triggered by regulation forcing companies to report data breaches.

Businesses were facing significant costs when they had to figure out what had happened when, for example, a laptop was lost, and how many different states and regulators they had to notify, says Robert Parisi, managing director and cyber product leader at Marsh.

“Suddenly they had an incredible interest in looking for ways to take all the cost associated with the privacy breach off their balance sheet and back on to an insurance product,” Parisi explains.

So far, therefore, cyber insurance has mostly been of interest to companies holding large amounts of client data.

“Growth in the US really started with technology, financial institutions, healthcare and retail companies,” says Toby Merrill, division senior vice president, global cyber risk practice at Chubb.

“But maturity and market penetration has grown significantly for many of those industries,” he adds.

Of an estimated $2.5 billion in cyber insurance premium written in 2014, some 90 percent was purchased by US companies, according to a PwC study, Reaping the dividends of cyber resilience.

Strong demand

Nevertheless, demand for cyber insurance in the US remains strong. Standalone cyber insurance purchases among US-based Marsh clients increased 27 percent year on year in 2015, from 32 percent in 2014. There are still retailers, healthcare and financial institutions buying into cyber insurance, but the greatest acceleration in demand is now coming from non-consumer-based businesses from the industrial sector, power and utility and manufacturing, Parisi says.


The reason for this is the increasing automation of industrial processes and the growing vulnerability to a potential cyber attack that comes with it.

“If you are a manufacturer, your supply tends to be automated, your manufacturing process is automated, your distribution process is automated, your inventory, everything is controlled by computers or technology,” Parisi says.

In case of a cyber attack, a manufacturing company may therefore have the same loss of revenue, extra expense and financial liability as it would have if there were a flood, fire or some physical peril, except it is not going to get coverage for that because it wasn’t a physical peril, he explains.

Cyber insurance sales to Marsh clients in the manufacturing industry jumped 63 percent in 2015 compared to 2014, according to a March 2016 report. This compares to 28 percent in the financial institutions sector or 30 percent in the retail/wholesale sector.

“Companies are recognising that they have an operational risk associated with technology that’s not picked up under a traditional property or casualty programme,” Parisi says. As a consequence, “we’re seeing very aggressive rates and some really intense competition” for clients in non-privacy or non-consumer-driven industries, Parisi explains.

“Internet-connected devices are going to create a lot more awareness in the manufacturing area,” Merrill says. “I definitely agree that a lot of future growth is going to come from non-retail businesses,” he adds, saying that Chubb is already seeing such demand increasing with large US clients.

Looking abroad

Internationally, where cyber insurance is not as prevalent as in the US, business interruption is turning into a major driver for demand. Companies in Asia, Africa and Europe are starting to look at cyber insurance as a way of addressing operational risk, in much the same way as they look at general liability, property or workers’ compensation insurance, Parisi says.

Cyber markets outside the US have so far failed to follow the US growth path driven by privacy-related issues, but are now waking up to the potential costs related to business interruption.

“The area of cyber receiving the greatest amount of focus by companies outside the US is first party business interruption; data breach is still a secondary focus since many countries don’t yet have the notification laws that the US has in place,” Merrill says.

As all aspects of a company’s operation come under scrutiny and are checked regarding coverage, the take-up rate and the evolution of the coverage into Europe, Asia and Africa start to accelerate, Parisi says.

“Over the next years you will start to see cyber insurance having the same penetration into Europe and then Asia as you have in the US,” he predicts.

This may represent an opportunity particularly for insurers with US operations as they have more experience and historical data to rely on when growing their cyber business.

“The business interruption and extra expense data seems to be becoming more useful, and this is where we are focusing more outside the US. That can include the supply chain, the distribution chain, the partner chain, the customer chain,” says Kevin Kalinich, global cyber practice leader with Aon Risk Solutions.

The focus on business interruption makes it easier for insurers to expand internationally than when the cover revolves around privacy issues because it is not affected by the legal environment. Growth in business interruption is blind to jurisdiction, as loss of revenues has nothing to do with the litigation climate, Parisi explains.

Boost in Europe

In Europe the cyber insurance market is likely to get an additional boost from new data privacy regulation to be introduced in 2018.

“The mandatory disclosure laws being introduced under the European privacy directive, the General Data Protection Regulation (GDPR), which comes into effect in 2018, are much stronger, with much more significant ramifications than any US law,” says Kalinich.

GDPR will replace Directive 95/46/EC and will be directly applicable in all EU member states from May 25, 2018. It sets standards for data protection not only for companies within the EU but also for those outside the EU which are offering goods or services to EU data subjects. GDPR will carry fines of up to 4 percent of annual turnover for the mishandling of data breaches and stipulates that data breaches have to be reported within 72 hours.

“Breaches are going to become more complex and more expensive for organisations,” says Paul Bantick, senior underwriter at Lloyd’s.

“As that happens, insurance will become more and more in demand because it can help with both of those elements. In 2017 there will be an uptick in demand in Europe followed by another surge in 2018. Cyber insurance is going to become a standard purchase,” Bantick predicts.

“In the last year we’ve seen an uptick in cyber insurance growth in Europe and a lot of that has to do with the EU passing the latest directive,” Merrill says. “Generally, interest in cyber insurance starts with larger clients with $1 billion of revenue and above, then it expands to the middle market and then down to small and medium-sized enterprises,” he notes.

As seen in the US, regulation is a major driver for cyber insurance demand. “It’s the shot of caffeine that gets the market going,” Parisi says. However, it is not the only driver: “We have these incredible ups and downs in the market; you have a huge spike every time there is a breach and people run to buy coverage,” he explains.

Global gross written premiums for cyber insurance are expected to reach $10 billion in 2020 compared with less than $2 billion in 2014, according to data compiled by Aon. Much of that growth is set to come from the US.

“We are still in growth mode in the US,” Parisi says, suggesting that here, too, the market has not yet reached maturity. But several of the policies have been tested in coverage litigation in the federal court, there is now a consistent body of laws, and the segment can be described as “close to mature”, he explains.

“They are not nearly as long in the tooth as property or casualty or workers’ compensation, but they are getting there,” he says.

Others such as Kalinich classify the US cyber insurance market as already mature in retail, healthcare, hospitality and financial institutions.

Outside the US the cyber segment may have a longer way to go. Globally it’s not yet comparable to the development level of property/casualty, auto or workers’ liability markets, Merrill says. But this may change as cyber insurance turns into a staple.

“I think we will get there because there aren’t many companies that are not using the internet to run their business,” he notes.
