Calls grow for cyber summit to work through buyer concerns

Risk management associations across the world and brokers have thrown their weight behind Ferma’s call for a COP-style cyber summit to boost market collaboration and thrash out buyer-side concerns over cover.

The moves comes amid growing frustration from buyers about the dwindling cover and capacity offered by the cyber insurance market, with more and more risk managers questioning whether it is worth taking out protection.

Ferma recently raised concerns that the cyber insurance market is “evolving in isolation from the industries that it insures”, and believes there is a real risk that the cover will simply lose its appeal if restrictions and exclusions continue to grow.

There is no doubt that the cyber market has been incredibly tough for buyers over the past few years as rates spiralled and exclusions were added, with a particular focus on war clauses. At the same time, capacity has dwindled.

The 2017 NotPetya cyberattack was a big factor in insurers and reinsurers moving to tackle war exclusions. Lloyd’s of London led the way, demanding that standard cyber policies exclude big state-backed cyberattacks over fears of huge systemic losses.

Ferma said it understands that the corporate insurance market needs to manage its potential exposure to systemic cyber risk. But it is unhappy with how insurers have gone about this task and thinks insurers are developing cover without factoring in the needs of their clients.

The European risk management federation wants the insurance industry to adopt a more collaborative approach to cyber insurance, which balances the risk appetite of the market with the coverage requirements of corporate buyers. It has therefore proposed a COP-style annual event to focus on this issue and cyber resilience.

“Without more concerted dialogue between all parties – (re)insurers, brokers, buyers (both largescale and SME), regulators, and service providers – there is a risk that the appeal of the cyber product for corporate buyers may decline due to increasing exclusions and more restrictive coverage, which are reducing coverage certainty,” said Ferma.

Other leading regional risk management associations and global federation Ifrima have told Commercial Risk Europe that they share some of Ferma’s concerns about the cyber market and back calls to hold a market-wide summit of all the stakeholders.

President of Ifrima and chair of Parima, Franck Baron, said the two organisations would “strongly support” such an initiative, pointing out that cyber solutions need to be fixed at a global level.

Several national risk management associations across Europe have also backed the move.

President of Swedish risk management association Swerma, Johan Rodert, said Ferma has recently created a group to push insurers to provide more capacity for cyber and increase the communication between insurers and risk managers. “At Swerma we are supporting that,” said Rodert, who is also risk manager at Autoliv, during a recent interview.

The Dutch and Belgian risk management associations Narim and Belrim told us during recent European Risk Frontiers roundtables that they support Ferma too.

And leading brokers are keen on the idea. Like buyers, they would like insurers to take up the offer.

Alistair Clarke, UK cyber broking leader at Aon, told CRE that the voice of clients should be the cyber insurance market’s “North Star”. “No decisions should be made in a vacuum and we think some of the most productive sessions we have are where we can put clients and markets together in a room. We would therefore relish the opportunity to help create a forum for sharing of ideas, for both sides to gain an appreciation of what the other is trying to achieve and in so doing drive the market forward in a productive and sustainable fashion,” he said.

Johnty Mongan, head of cyber risk management at Gallagher, said an event where the market and clients could meet to discuss issues around cyber insurance would “without a doubt be a good thing”.

From the carrier side, European insurance association Insurance Europe gave a more lukewarm response. It said it is always good to debate issues with risk managers, but stressed that it is up to each insurer to decide which risks to cover and how, rather than finding market solutions. “This is even more true in such a complex and evolving area as cyber risk,” said Nicolas Jeanmart, head of personal and general insurance at the association.

Ferma said that the corporate insurance market clearly needs to manage its potential exposure to cyber risk, but stressed it is “also important to ensure that the product remains attractive and efficient for buyers”.

“Recent decisions to restrict the scope of coverage have created uncertainty regarding the ability of insurance to meet the evolving cyber risk requirements of policyholders, and in particular for larger corporation,” said Philippe Cotelle, vice president of Ferma and chair of its digital committee.

He told Commercial Risk Europe that the primary areas of concern for Ferma and its member associations relate to two key coverage issues – cyber war and systemic risk.

“To address the issue of silent cyber, we have also seen steps taken by some insurers to ensure that cyber is no longer included on broader policies such as property insurance. It is imperative, therefore, that we work closely with the insurance industry to ensure that any potential cyber coverage gaps, either due to coverage or lack of capacity, are addressed effectively for both the insurers and the buyers of insurance,” added Cotelle, who is also head of cyber insurance management at Airbus.

He and Ferma are clear that collaboration between public and private entities will be critical to find cyber solutions of “sufficient magnitude to tackle systemic risk and support greater overall cyber resilience”.

“It is widely recognised that the insurance industry alone cannot tackle cyber risks of this scale, while most companies acknowledge that they do not have the financial strength to bear these risks themselves. Collaboration between both public and private sector entities is therefore critical… At Ferma, we are committed to facilitating greater collaboration between all key stakeholders and have been facilitating multi-party dialogue on this front,” said Cotelle.

Following this dialogue, Ferma is launching a new cyber report on 26 June that will include a series of key recommendations to address the cyber insurance protection gap.

Baron, who is group head of risk management and insurance at International SOS, said Ifrima and Parima are aware that the recent hard cyber market has seen huge increases in the price of cover, shrinking capacity and dwindling coverage. He flagged two major “pain points” that need to be addressed.

He said carriers need to “muscle up” their risk engineering capabilities so that risk managers can develop a “credible technical” dialogue wither their CIOs and CISOs. Secondly, Baron wants insurers to “radically transform” cyber by leveraging digital solutions to simplify and optimise the renewal process.

And Baron agrees with Ferma that mounting cyber war and state-sponsored exclusions are one of the most worrying recent coverage developments. “It is quite difficult to trace down where some viruses are developed from, and claim determination from such events appears to be very challenging,” he said.

Ratings agency Moody’s said that movements to limit systemic cyber risk through war exclusions has recently been met with “some resistance” in the marketplace. It said that brokers have seen clients shop for new carriers rather than sign onto much more restrictive policy language.

And a growing number of leading risk managers we talk to are either choosing to forgo cyber cover or at least questioning its merits.

Moller-Maersk suffered big losses in 2017 from NotPetya, which resulted in $250m to $300m of losses, and decided to buy standalone cyber insurance in response. But its risk manager said during a recent CRE webinar that the company has since chosen to take the risk on its own balance sheet amid concerns over costs of cover and capacity, investing some of the premium spend in better cyber defences.

“The cyber product has made less and less sense for us from a risk financing perspective because, based on our own data, our own risk assessment, we believe that the premium substantially exceeds the mean average cyber losses that we will experience. Don’t get me wrong, we see cyberattacks almost every day and they cost us money every day but still on an average basis it doesn’t exceed what we would have to pay on an annual cyber premium,” said Lars Henneberg, vice president and head of risk management at the shipping giant.

“At the same time, you see that capacity available has reduced so much that it has become less relevant for us. So we have spoken to our CFO and said we will take the volatility that could be transferred to insurance – ie, a 1-in-50 or 1-in-100-year event – on our own balance sheet. That is basically how we have used risk analysis and data to arrive at a well-documented decision not to insure our cyber risk for the time being. From a risk reduction perspective, the money we used to spend on cyber insurance premium is simply better spent on investment in additional cyber security,” he added.

Pedro Cupertino de Miranda, the risk, cyber security and data protection officer at retail group Sonae in Portugal, said transferring cyber risk in the current market is a big challenge for many companies that are increasingly questioning the relevance of protection.

“We have to increasingly ask ourselves whether cyber insurance is of any use with its current offer,” he said.

Several other big insurance buyers have said off the record that they have chosen not take out cyber cover. It is also worth remembering that cyber mutual Miris, which was set up by European multinationals in response to inadequate protection from the traditional market, was set up to write business from the beginning of this year.

Aon’s Clarke was keen to stress that the voice of the client is paramount and the view of well-respected organisations like Ferma must be listened to. “If there is ever a feeling that any clients and their concerns aren’t being considered, then that’s absolutely something that needs addressing,” he said.

But he believes that while the cyber market has come through its first hard market, the line remains, overall, one of the broadest currently available. “The hard market did have a temporary effect on the availability and price of cyber insurance, but had no lasting negative effects on the breadth of coverage available,” argued Clarke.

He said that ongoing conversations around war clauses are clearly a point of concern for many clients, and it’s a “great shame that so much time has been spent over the last 24 months discussing what a cyber policy might not do, rather than what we know it does do”.

However, Clarke said Aon firmly believes that the “angst and confusion” around war clauses has been caused by poor communication rather than a substantive shift in market intent.

“The fundamental point is that the intent around war, around what should and shouldn’t be covered by Lloyd’s and company markets hasn’t fundamentally changed…the challenge has been for the market to enshrine that intent in clear language that can be understood and accepted by all parties, providing full clarity over what is, and is not covered,” he said.

“It is the responsibility of both markets and intermediaries to bring this to a swift resolution and avoid further confusion for clients,” he added.

Fellow broker Mongan from Gallagher said some companies looking to purchase cyber insurance are uncomfortable at how high the bar is set to obtain cover. “But that is not to say that is wrong to set the bar that high. We are a world away from the low entry point three years ago, and that is a good thing as it protects those companies with good risk management in the pool of insureds,” he said.

The better news for buyers is that although exclusions and war clauses remain a big topic the cyber market seems to be improving for buyers.

“Putting the issue of war aside we think the market is actually in good health, as there is so much more capacity available today than even six months ago, rates have cooled markedly and we are seeing clients every day availing themselves of the opportunity to increase limits and broaden out the terms and conditions of their policies,” said Clarke.

Baron agreed that there has been improvements recently with some new dedicated capacity, for example from Marsh out of Bermuda.

Moody’s said that it expects cyber insurance rates to flatten or increase slightly in the near term as the market enters equilibrium after drastically improving profitability over the past few years.