Cyber insurance risks profitability decline

Cyber insurance is currently seen as one of the few growth segments in re/insurance, attracting market players perceiving it as profitable business and looking to gather data to base future underwriting on.

But profitability may quickly decline as the risks remain unclear, capacity expands and higher risk organisations buy cyber insurance as a way of reducing their risk exposure, warns Darren Wray, CEO of Fifth Step, an IT consultancy firm focused on the re/insurance sector.

Global gross written premiums for cyber insurance are expected to reach $10 billion in 2020 compared with less than $2 billion in 2014, according to data compiled by Aon. The US is likely to continue delivering the lion’s share of global volumes, but Europe is expected to contribute significant growth.

“Some of the bigger players are being cautious in underwriting cyber risk as they try to select the right risks,” Wray said.
“Others are pushing for underwriting as they want to build up a database and expect it to be a profitable business,” he explained.

“The cyber risk business is understood as little by underwriters as the cat business was in the early 2000s because the availability of data isn’t there,” he said.

While the cyber line of business is currently profitable, it might be storing up challenges in the future because of the risks that are being written now and the shape of what they’ll become in six months’ time when someone comes up with a new ransomware which sweeps through a number of businesses or even sectors, Wray warned.

“The strategy of insurers at the moment is often to underwrite cyber risk to obtain data which will enable the organisation to improve future underwriting, and the mentality is that when the claim comes through they’ll look at whether it is a legitimate claim or whether they’ll contest it,” he suggested.

Data on cyber risk is scarce, particularly in Europe, where the market is less developed than in the US, but historical data might not be particularly helpful to predict future risks anyway.

“Cyber attacks evolve at a far faster rate than many other risks that insurers are used to,” Wray said.

For example, new forms of ransomware are emerging all the time. “It has evolved from something very specialist to something that is now targeting hospitals and other organisations as well as individuals. Cyber is a human-led risk and it is therefore less predictable than for example nat cat,” he said.

Nevertheless, insurers could do more to mitigate the risk for their clients and for themselves.

“Insurance gets paid out to help an organisation to recover from a cyber attack, but very few insurers are asking and talking about incident response plans and making sure that these are in place at their clients’ companies,” Wray said.

“This is an area which would reduce the exposure of an insurance company and help the insured to minimise their exposure if they were hacked and help the organisation to recover more quickly,” he suggested.