Cyber insurance stuck in a digital divide
Insurers have always been adept at finding solutions to the world’s emerging risks. First it was climate change, where the industry was documenting evidence while devising methods of risk transfer decades before former US Vice President Al Gore sounded the alarm and won a Nobel Peace Prize.
The insurance industry’s modelling was a key factor in changing attitudes towards climate change, particularly in the business sector where floodwaters and carbon dioxide levels mean little without a profit/loss narrative to frame the conversation.
From the natural to the digital world, cyber risk is the next frontier where insurance is poised to contribute its experience and expertise – but not before navigating a minefield of pricing and coverage conundrums.
While the latest Lloyd’s 360 Risk Insight paper on digital risks provides little new commentary on the inherent dangers of conducting business online, it offers an intriguing glimpse into the emerging market of cyber insurance.
Insurance has long been a keystone of general risk management strategies, and the use of cyber insurance, as recommended by the report, extends that principle. In one of its five recommendations for meeting the “increasingly complex digital risk environment”, the report urges risk managers to make cyber insurance part of an overall digital risk management strategy.
But as the Lloyd’s report makes clear, cyber insurance is still a fledgling market and faces numerous obstacles to becoming readily available.
Lloyd’s estimates the global market for cyber insurance grew by at least 16% this year to $US600 million ($606 million) – a healthy growth rate but coming off a low base considering the reliance of business on IT systems.
Writing in the Sydney Morning Herald last month, University of Sydney Centre for International Security Studies Director Alan Dupont estimated global losses from cyber crime could be worth $1 trillion.
Lloyd’s points out that while many companies believe their existing policies cover digital risks, most don’t. Business interruption policies also neglect to cover anything outside the terms of “physical damage”, including denial of service attacks.
Coverage gaps are exacerbated by, and perhaps derive from, the lack of historical information. Companies are understandably unwilling to share data on security breaches. Only a fraction of cyber crime is therefore reported, leaving actuaries with little or no data to crunch.
Actuaries also have a difficult time calculating the likelihood of an attack – and the effectiveness of mitigating security technology – when the nature and scale of cyber crime are evolving.
Possibly the trickiest of the myriad issues to overcome is the age-old insurance question – what price on loss? How much is data worth? What is the value of reputation loss, productivity decrease and lowered consumer confidence?
As the report notes, insurers must find solutions to these questions.
“Cyber insurance is likely to continue to develop, evolving as technologies change and new crimes or threats emerge,” the report says.
“Some areas of cyber risk are likely to remain challenging in terms of developing insurance solutions. For example, where a company loses competitiveness and believes it is through the loss of their intellectual property, it may be hard to track down evidence of the events or quantify this.
“As such, although important, insurance will only ever form part of a company’s overall digital risk management strategy.”