Cyber Insurance - Share Data To Overcome The Pricing Challenge
Driven by both regulatory frameworks evolution and cybercrime expansion, cyber risk is a fast-growing area of concern. Companies from all industries are learning to include cyber risk in their risk management framework, by depicting their risk profile, assessing their risk appetite and looking for corresponding risk transfer solutions. As a result, a demand surge is being observed regarding cyber insurance products, which insurers are struggling to price. However, different initiatives might enable the insurance industry to overcome that challenge.
Let’s take a few steps back.
Demand for cyber insurance is on the rise
Over the past few months cyberattacks have been booming, with ever-increasing complexity, impacts and weight of APAC as the origin point:
- In January 2015, SWIFT codes and passwords were stolen from Banco Del Austro Ecuador. The company suffered a USD 12m loss, out of which only USD 2.8m were recovered. Track of the money was lost after its transfer by Wells Fargo to banks in Hong Kong.
- In December 2015, five million customer accounts – including the profiles of more than 200,000 children – were broken into from VTech’s Learning Lodge app store database, which was a wake-up call for Hong Kong industries.
- In February 2016, more than USD 100m was stolen from the Bangladesh Bank and wired to the Philippines, where there are gaps in record-keeping to trace money. Only USD 20m could be recovered.
- In October, hackers attacked Taobao by using Alibaba’s Cloud to brute-force passwords such as 12345678, qwertyuiop or 淘宝网 and compromises 20m accounts. It took months to detect the attack but the hackers have since been caught.
In light of the increasing criminal activity, a large number of Asian regulators have been addressing or refining the regulatory framework around cybersecurity for all industries over the past two years. Hong Kong, Singapore, Japan, Vietnam and South Korea are a few examples.
On top of greater digitization making data and operations more vulnerable to malicious hacking attempts, the evolving regulatory landscape has led to increased awareness and interest in cyber insurance, for companies from all industries to insure themselves against data breaches and network disruptions.
Insurers struggle to offer insurance policies
The biggest challenge for insurers is that cyber risk is unlike other risks as:
- There is limited publicly available data on the scale and financial impact of attack;
- Threats are rapidly changing and proliferating, together with the fact that breaches can remain undetected for several months or years, creating the possibility of accumulated and compounded future losses.
While underwriters can estimate the cost of systems remediation with reasonable certainty, there isn’t enough historical data to gauge further losses resulting from brand impairment or compensation to customers, suppliers, litigation fees, investigation costs, etc. This is further exacerbated due to the fact that firms are not keen to reveal details concerning security breaches.
As a result, there are concerns about both the concentrations of cyber risks and the ability of insurers to withstand what could become a rapid sequence of high loss events.
"Cyber risk is “the only risk that keeps me awake at night”"
As there is little available data, insurance companies will naturally tend to price the risk high and to offer limited coverage. Moreover, the rash of hacking attacks over the past two years has prompted insurers to massively increase cyber premiums for some companies, leaving firms that are perceived to be a high risk scrambling for cover. Even if the price of cyber coverage varies widely, depending on the strength of a company's security, the overall pricing trend is sharply up.
Insurers should take advantage of data sharing initiatives
In the space of collecting and sharing data, different initiatives have been emerging over the past months, following the impulsion of emerging regulations or of insurance stakeholders themselves. Some discrepancies exist but two key principles are shared:
- Data is anonymized;
- Data is not shared with the public.
For companies exposed to cyber risk, the benefits of having this right are manifold as it would definitely help assessing their risk profile and defining their risk appetite. For insurance companies, gaining access to such database would have different upsides:
- Refine pricing: better assess the probability and impact of certain types of cyber-attacks, allowing actuaries to more confidently price premiums.
- Enhance underwriting: limit the phenomenon of adverse selection by identifying security requirements and conditions for clients that would drive the underwriting process (e.g. identification of profitable pools, definition of exclusions clauses, etc.).
As a consequence, the rise of regulations towards cyber-attacks data sharing is a strong opportunity for insurance companies. It will be up to the profession to be able to gain access to existing initiatives, or to join forces to replicate them. As an outcome, insurance companies might propose specialized services (e.g. pre-breach and post-breach). There will be a demand surge from the insurance industry regarding cybersecurity profiles and insurers will be on the lookout to buy cybersecurity start-ups, especially the ones developing risk profile assessment tools that can bring more transparency to the market.
Cyber insurance will play a key role in any company’s risk appetite strategy. However, the extent to which data sharing and risk knowledge breakthroughs will help fighting cyber threats is yet to be seen.
Read more about cybersecurity in Hong Kong through Sia Partners’ interview with Dr. Frank Tong – Chief Executive Officer and Dr. Duncan Wong – Vice President, Financial Technologies of the government-funded Applied Science and Technology Research Institute (ASTRI) and through our CIO Advisory blog.
HKMA Cybersecurity Fortification Initiative
 On the flip side, one could definitely foresee more litigation over the forthcoming years.