Big claim could kick-start cyber-risk market

Published in The Royal Gazette, Bermuda

Cyber-risk insurance has the potential to create a new market and revenue stream for the insurance and reinsurance industry. And it may eventually become a stand-alone single peril class, something many underwriters would like to see happen.

Those were a few of the thoughts expressed by a panel of captive market and cybersecurity experts. And what emerged during the discussion was a picture of a growing market that is profitable but has yet to undergo the litmus test of a major claim.

“A lot of underwriters would like to see it take off as a single peril, creating a whole new market and revenue stream,” said Peter Muller, Chief Executive Officer of Aon Risk Solutions, but he said the soft market conditions mean it will not happen as quickly as it might.

He was one of the three-strong panel that examined the topic of cyber-risk and liability insurance.

From orbiting satellites having their courses changed by hackers, to office secretaries unwittingly opening e-mail attachments carrying disruptive malware, cyber-risk covers a broad spectrum of potential risk and potential levels.

While it is a hot area of concern, the low adoption level of cyber-risk coverage among captives seems paradoxical.

Speaking at last week’s Bermuda Captive Conference, held at the Fairmont Southampton, Mr Muller said that 18 months ago only one per cent of his company’s book had put cyber-risk insurance into their captives. By December that had risen to 2.5 per cent.

As a percentage the increase is impressive, but it remains a relatively low adoption rate. Part of the reason is that some companies take the option of excess coverage or reinsurance for their cyber coverage, rather than put it in their captive.

“The ones that are putting it into their captive are incubating the risk to see how it will perform. That helps them make decisions going forward about how much they retain or transfer over time,” said Mr Muller.

A lack of data and clients struggling to identify risk and quantify it, coupled with the ever-changing nature of cyber-risk, are further reasons for the current low adoption rates.

There are about 60 carriers globally that now offer cyber-risk liability. That is an upswing from the handful that were doing so in the mid-2000s.

High-profile incidents, such as the massive data breach at retail chain Target in 2013, have focused attention on the risks.

John Masters, an underwriter with AIG in Bermuda, believes the Target incident was the turning point for cyberliability.

“It was not just the breach and the number of customers it affected, it was Target’s post-breach reaction, both from an incident response perspective, and notification of their customers,” he said, noting that the disseminating of information was not the ‘best in class’.

Target suffered a stock drop, and the following year its CEO and other leading individuals stepped down.

“That put cybersecurity squarely on the radar of the C-suite and the board of directors of a number of companies.”

Further breaches affecting healthcare companies, tech firm Sony and the Panamanian law firm Mossack Fonseca this year have led to an uptick in companies buying cyberliability insurance.

Referring to a PwC market report, Mr Masters said $2 billion of gross written premiums related to cyber-risk coverage was written in 2014, and that is projected to increase to $7.5 billion by 2020.

Panel moderator Chris Maiato, a principal with EY, had earlier described the layers of cyber-risk, ranging from youngsters meddling with computer scripts, to criminal gangs, corporate espionage and state-sponsored attacks.

The third panellist, cybersecurity expert Larikus Scott, a partner with KRyS Global, pointed out that insider threats are the number one issue. In some cases it can be a malicious attack by a disgruntled employee, but it can just as readily be a secretary or CEO clicking on something in an e-mail that unleashes malware onto their computer and into the company’s system.

“Everyday people make mistakes and don’t have the training or take proper care,” he said. Smart companies ensure they have training programmes for security awareness, and hold them more than once a year, he said.

Computer networks can be compromised with surprising ease. Washington DC-based Mr Scott said it was probably possible to go out and get the wifi code for every restaurant in Bermuda. “I’m sure they might have other wifi, but some of them might not. I would not access public wifi with my mobile phone, because I’m a cybersecurity expert,” he warned.

It can be a costly lesson for a company that ignores cyber-risk until it suffers a breach. AIG’s Mr Masters said much of the expense would be driven by “first-party responding costs, forensic investigation costs, PR firm costs, legal advice costs; those sometimes add up into the tens of millions of dollars for a large organisation.”

Looking to the future, moderator Mr Maiato said: “There’s a huge opportunity for captives to get more involved in underwriting cyberliability risk.”

Meanwhile, Mr Scott said cybersecurity was evolving, but hackers appear to be one step ahead. He said it is time to move away from some of the traditional ways of doing things, such as the username and password combination that is almost universally adopted as a security gateway. That approach is now dangerously obsolete in the face of sophisticated cyberattackers, he said.

“The Chinese move our satellites when they go over their intelligence bases. And the way they were able to do it was because we were still using usernames and passwords.”

Mr Scott mentioned fingerprint access technology as a possibly more secure solution.

Most companies view business interruption as their number one cyberliability risk concern, while associated property damage and bodily injury are bottom of the list as they believe these are covered under existing insurance programmes.

But change will come. Mr Mullen said: “Wherever there is a gap, captives step in. What will change the market is a claim, a great big claim.”

Referring to the scenario of a large damage claim, including property and bodily damage resulting from a cyber-risk liability, he said: “There have been stories of hackers taking control of entertainment systems in cars and planes. If you end up having a massive loss, that will definitely change underwriting attitude to what is either in or out of policies — and change the market.”