We are witnessing a continuous increase in cyber events. As a result, the cyber insurance market is hardening. Rates and deductibles are increasing, and underwriting guidelines have become stricter. Insurers are even starting to sub-limit ransomware coverage and apply coinsurance provisions to it.
There are a few more things affecting the cyber insurance industry that we should take into consideration:
- In Oct 2020 OFAC released a report stating that making ransomware payments may result in violating sanctions regulations (you can find the full report here: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf). This may lead insurers to exclude ransomware coverage, which in today's environment is the most valuable coverage.
- AM Best, in its recent Best’s Market Segment Report, "Cyber Insurance: Profitability Less Certain as New Risks Emerge," notes that growth has slowed significantly from 2016-2017, when direct premiums written grew by more than 30% annually, as the cyber threat landscape has expanded and awareness of the risks has increased. According to the report, the frequency and severity of ransomware attacks have escalated, as have data breaches.
- Recently, some voices have been stating that cyber isn't an insurable risk, mainly due to the lack of actuarial historical data, the mens rea that triggers the policy (malice compared to negligence), and insurers' lack of capability to pay large claims.
However, there are a few more things we should understand before answering the question of this article.
What is Insurance?
Insurance is a means of protection from financial loss. It is a form of risk management primarily used to hedge against the risk of an uncertain loss.
For enterprises, insurance is a part of corporate finance and protects the balance sheet if an insured risk occurs.
Insurance isn't meant to prevent the insured risk from occurring; however, it may assist in directing behaviors to reduce moral hazard.
The demand for Cyber Insurance
There is now a consensus about cyber threat risk; therefore, there will always be demand for cyber insurance among enterprises and their stakeholders. This demand is predicted to increase in the next 5 years (see Statista: https://www.statista.com/statistics/1190800/forecast-cyber-insurance-market-size/).
However, a cyber insurance policy alone is not enough. Insurers and brokers will need to provide their insureds with services that assist them in preventing cyber incidents. (Some carriers are already providing such services: https://www.coalitioninc.com/blog/preventing-breaches-how-coalition-helped-customers-get-ahead-of-ms-exchange-vulnerabilities.)
Also, insurers should tighten their underwriting guidelines, making sure that companies are properly addressing the risks internally as a condition for coverage.
Ransomware coverage and Sanctions
As to ransomware coverage and sanctions exposure, there are recent discussions about piercing the anonymity of cryptocurrency transactions and, in that way, reducing ransoms (you can read more about this here: https://www-cnbc-com.cdn.ampproject.org/c/s/www.cnbc.com/amp/2021/04/28/government-and-industry-push-bitcoin-regulation-to-fight-ransomware.htm). If this or any similar legislation comes about, the threat of violating sanctions regulations will probably drop dramatically.
- Actuarial Data – Insurance methods have been in our world since the 2nd and 3rd millennia BC. For example, the Babylonians developed a system that was practiced by early Mediterranean sailing merchants. If a merchant received a loan to fund his shipment, he would pay the lender an additional sum in exchange for the lender's guarantee to cancel the loan should the shipment be stolen or lost at sea. I don't think there was any actuarial data back then to assess the risk. However, car insurance is still with us.
- Mens Rea – Today there is terror insurance, crime insurance, and even employee dishonesty coverage within E&O policies. Therefore, suggesting that malice or intentional acts cannot be insured because they are hard to predict doesn't fit with today's reality and actuarial capabilities.
- Insurers are not capable of paying large claims – That argument is partially correct. There is no insurer today that can pay a $100M claim. However, you will never see one insurer taking all the risk by itself. These large programs are usually built as towers of excess layers, and on every layer (especially the primary ones) you will see a few carriers sharing the risk proportionally.
Cyber insurance has been with us for about 20 years. In terms of insurance, this is still a new, innovative product. We will see it developing and changing in the near future, and it will stay with us. We can hope that insurers and brokers will invest more in prevention services rather than increasing premiums or harming coverage.