Insurers ready for European cyber boom

The looming introduction of new data breach regulations in Europe is set to boost demand for cyber insurance, offering insurers and reinsurers a potential growth market at a time of stagnating demand.

Many believe that insurers that have already gained experience grappling with this potentially tricky risk in the more developed US market will be best placed for capturing the potential growth in this fledgling market.

The US is the most developed market for cyber insurance in the world. One of the main drivers behind its growth has been the introduction of regulations including the introduction of mandatory disclosure laws for data breaches.

Kevin Kalinich, global cyber practice leader with Aon Risk Solutions, says the creation of this database allowed for a better understanding of the protection needs of companies. In addition, there has been more litigation around claims testing some of the early cyber policies in the US, which has also helped develop the market.

Now, Europe has the opportunity to catch up with the US.

“The mandatory disclosure laws being introduced under the European privacy directive, the General Data Protection Regulation (GDPR), which comes into effect in 2018, is much stronger, with much more significant ramifications than any US law,” says Kalinich.

GDPR will replace Directive 95/46/EC and will be directly applicable in all EU member states from 25 May 2018 without the need for implementing national legislation. It sets standards for data protection not only for companies within the EU but also for those outside the EU which are offering goods or services to EU data subjects. GDPR will carry fines of up to 4 percent of annual turnover for the mishandling of data breaches and stipulates that data breaches have to be reported within 72 hours.

“Breaches are going to become more complex and more expensive for organisations,” says Paul Bantick, senior underwriter at Lloyd’s.

“As that happens, insurance will become more and more in demand because it can help with both of those elements. You are going to see in 2017 an uptick in demand in Europe followed by another surge in 2018. Cyber insurance is going to become a standard purchase,” Bantick predicts.

The cyber insurance segment offers insurers in Europe an opportunity to grow their business in an otherwise soft, low growth market. “Cyber is the biggest insurable risk that the industry will have to meet,” says Huw Evans, director general of the Association of British Insurers (ABI).

Global and growing

Global gross written premiums for cyber insurance are expected to reach $10 billion in 2020 compared with less than $2 billion in 2014, according to data compiled by Aon. The US is likely to continue delivering the lion’s share of global volumes, but Europe is expected to contribute significant growth. To get there, however, insurers will have to do a lot of development work.

“In Europe, cyber insurance is a newer exposure and an emerging risk in policy that people are probably starting to grapple with for the first time,” Bantick says.

“In Europe there’s a huge amount of education to undergo. Insureds need educating not only on what cyber insurance is and how it can benefit an organisation but also on what the exposures are, where the gaps are,” he says.

To successfully compete in this segment, insurers require access to some element of cyber history data in order to be able to price their products accurately. But historic data is scarce in Europe.

“In Europe we don’t have much long-term data with which to understand where the real claims costs come from. Also, we don’t entirely know the likely impact of the threats, as they continually evolve,” says Graeme King, senior underwriter at Allianz Global Corporate and Specialty.

In the US, data breaches have been recorded in clearing houses for several years, showing the type of organisation affected and the type of breach it has been subject to. Consumer education non-profit Privacy Rights Clearinghouse, for example, has aggregated data since 2005.

“If there were legislation changes in Europe that required companies to report to a central body the details of cyber attacks that would suddenly and very quickly open up an enormous body of cyber attack data which would be extremely valuable to everyone concerned,” King says.

The ABI is aware of the challenge the current lack of information on cyber risk is causing insurers in Europe. The trade association has urged the UK government to create a central database of cyber incidents with anonymised data covering business interruption costs, ransom demands, privacy breach claims and damage to IT systems, and to make the data accessible to insurers.

“The more information that is available about a particular risk, the more likely it is that the market insuring that risk is going to grow because the risk can be priced more accurately and insurers are more likely to offer cover,” says Malcolm Tarling, the ABI’s chief media relations officer.

The need for data

A problem that may arise for insurers entering the cyber market is that they will be unlikely to have access to vital historic data on costs and claims, as their peers won’t want to share this valuable data with competitors.

“Reliable cyber data mostly exists in individual insurance companies who have had a broad experience of the US cyber market. Unless you are an international insurance company where you can call upon your internal resources to share that data then it’s going to be very hard for insurance companies outside the US to gain the benefit of that knowledge,” King says.

He urges insurers in Europe to build up expertise and their own databases as quickly as possible, although he admits this strategy may turn out to be a difficult one.

“Until we all understand what this threat environment looks like and the true long-term cost to the insurance industry from cyber incidents, everyone is to some extent guessing and hoping that their model is sufficient not to lead to catastrophic losses. They may be educated guesses, but they are still guesses,” King says.

Lloyd’s is one organisation that can take advantage of its 10-years of experience operating in the US market to underwrite cyber insurance in Europe.

“In the US you have a vast amount of claims and policies that have responded to the biggest data breaches and cyber events in the world,” Bantick notes.

There have been “huge payments” in the US, and policies have responded to dealing with a cyber event and the response cost and the crisis management around that. Policies have also “robustly responded when litigation has followed,” he explains.

The gathered experience helps to develop products for the European market which provide the same intent and the same cover.

“The products that Lloyd’s has launched in Europe are similar and as broad, providing the same depth of cover as in the US,” he says.

Bantick expects that the coverage for reacting to and managing cyber events in Europe will respond in exactly the same way as in the US.

Regional differences

There are differences in the legal climate between European countries to consider and Lloyd’s is doing a a lot of adaptations in this regard when launching products in Europe to make sure “that we are dovetailing to the litigation and the legal climate of each country so that the policy responds to data breaches and cyber breaches exactly where it needs to,” Bantick says.

With the introduction of GDPR laws, requirements and constraints for organisations in Europe will differ significantly from the US, Bantick admits.

“But ultimately the policies are going to respond to that and will cover those costs. So whether or not you are responding to a crisis or a breach in the US, in Europe or in Asia, the policies are going to respond in the same way,” Bantick says.

Cyber insurance policies will have to be tested in European courts, creating some insecurity for underwriters.

“Because Europe is further behind the US in the maturity of this market we are to some extent looking to them for a lead, but we have our own competitive pressures in the UK and Europe which are creating a slightly different dynamic where boundaries are being pushed and new ideas and bespoke coverages are creeping into policies in a way that the more mature US market may consider too risky,” King says.

“As the threats and the whole way of assessing them become better understood, the market will increasingly converge on a uniform approach to assessing and quantifying cyber risk, but this takes time.”

As insurers in Europe are trying to find the right tack for underwriting cyber insurance, reinsurers are also keen to learn more about this growing segment to participate in its growth.

“Reinsurance companies, like all insurance businesses, are very keen to grow profitably. We are in a soft market, and this means that they have to be willing to look at all sorts of risks and consider a broader risk appetite in order to find sufficient opportunities to continue to grow,” King says.

“Reinsurers are looking to us for some evidence that our underwriting process is capable of identifying the good risks from the bad ones. They have to accept for the time being that how one determines a good risk from a bad risk is still somewhat subjective.

“Reinsurers are also aware that different insurance companies have different methodologies for working these things out and that they are all very much in a state of flux as we all learn more about cyber threats in the world and how to assess them,” King says.

Role of reinsurers

Meanwhile, in the background, reinsurers are not only waiting for insurers to develop their expertise—they are also actively trying to get a handle on this complex and evolving market.

“Our experts work together in close cooperation with clients, brokers and IT companies to develop coverage options tailored by individual client needs,” says Chris Storer, head of cyber solutions for Munich Re’s Corporate Insurance Partner.

“Such collaboration allows for a better understanding of the specific cyber risk profile of an individual client and for the development of bespoke solutions,” he says.

For reinsurers, the pressure when underwriting cyber risk in largely uncharted territory is arguably more risky than it is for insurers.

“Reinsurers are nervous about cyber risk,” King says. “If their insurance clients get it badly wrong, then they can get it very badly wrong.”

“In order to prevent such a scenario, Munich Re is applying strict accumulation controls to manage scenarios where we identify possible aggregation. We are constantly monitoring such controls, and proactively identifying new, emerging scenarios where aggregation could potentially develop in the future, also with the support of external technology providers,” Storer says.

What makes writing cyber risk particularly difficult is that the way clients use technology and data in their business operations is changing, Storer explains.

“It is extremely important that a close dialogue exists between insurers and their insureds to fully understand the unique risk landscape of an enterprise and its associated cyber risk,” he says.

The market is currently testing whether insurers should buy cyber-specific reinsurance or buy it as part of a much bigger purchase of their reinsurance, Bantick says.

“What you are seeing now is that a lot of the brokers are starting to work with insurers to see what approach is the best fit for them,” he explains.
Munich Re is convinced that the market and the market associations are capable of developing the cyber business in Europe, but regulation can support this development, as seen in the US.

“We would expect the forthcoming GDPR to accelerate buying and selling behaviour, in addition to providing more transparency over data breaches within the EU,” Storer says.