Insurers and brokers say clients can’t measure cyber risk

Insurance buyers, and consequently their risk transfer partners, are struggling to measure cyber risk and are therefore largely in the dark about its financial impact, according to a new survey of insurers and brokers by Secure Systems Innovation Corporation (SSIC). The survey also finds that the insurance industry needs to properly address non-affirmative cyber cover and that a series of catastrophic cyber events would radically alter the way in which insurers measure the risk profile of customers.

The survey reveals that 89% of 78 broking and insurance firms polled believe their customers could not adequately measure the impact of cyber extortion. The same percentage said their customers cannot adequately measure the cost of a data breach.

The survey also found that 87% of insurers and brokers believe buyers have inadequate systems to grasp the costs of intellectual property theft, while 83% of respondents said buyers could not quantify the cost of a cyberattack that causes business interruption.

Only 14% of respondents believe insurance buyers can adequately measure the cost of cyber property/casualty damage incidents. Just 10% said buyers are adequately measuring the likely costs of a potential data breach.

SSIC said the survey also reveals the urgent need for the UK insurance market to address non-affirmative or silent cyber risk, where perils including business interruption and data breach are not explicitly included or excluded from standard policies. Of the insurers and brokers surveyed, only 8% said their policy wording reflected the top five most understood cyber peril threats.

“If insurers do not map key cyber peril events to key cyber risk policy clauses – defining affirmatively what is explicitly covered or excluded – there is a real danger that vital cyber perils will not be covered,” SICC said.

Some 60% of survey respondents said lack of understanding about aggregated risk within cyber insurance hinders market growth. SICC said buyers are confused by cyber policies and do not understand policy coverage.

The survey found that the biggest driver for new cyber insurance sales comes from board-level executives, followed by demands of due diligence.

Some 62% of respondents said a series of catastrophic cyber events, or a systemic event, could make insurers change the way they measure the risk profile of cyber insurance buyers. About a third, 35%, said catastrophic claims could reset the market.

SICC said the market is concerned that a series of major cyber events could wipe out the margins for cyber cover and test whether there is enough capital supporting cyber claims.

Robert Vescio, inventor of SSIC’s cyber risk quantification model X-Analytics, said there are more than 130 insurers writing cyber insurance globally. “Does this mean that cyber risk is well understood and that there are agreed-upon standards for underwriting throughout the industry? According to the survey, the answer is a resounding ‘no.’ Cyber risk is clearly not yet well enough understood or measured right now.”

Mr Vescio added: “There remains significant market pressure to underwrite and quote policies as efficiently as possible, even while admitting a widespread inability to measure an applicant’s risk profile. This generates mismatches between desirable underwriting principles and prevalent practices for writing cyber cover today.”

Back to top button