Cyber: too hot to handle?
As the cyber threat continues to grow, so does the suggestion the private insurance market may not be able to cope with it.
The argument is simple: due to the systemic nature of the peril, cyber is potentially more devastating than natural disasters and terrorism, which many governments already provide reinsurance backstops for.
While catastrophes tend to be restricted to one area, the impact of a cyber attack could spread through common software or network architecture to create losses on a truly global scale.
The list of companies attacked in the US continues to lengthen: Anthem, Target, Home Depot, Neiman Marcus, to name just a few.
And the fear is that worse is most definitely to come, with catastrophe modeller AIR Worldwide warning the cyber equivalent of Hurricane Andrew – such as an attack on a power grid, air traffic control system or cloud computing provider – may be around the corner.
Zurich North America Senior VP Catherine Mulligan summed up the views of many in the insurance industry while giving evidence to a recent US Senate committee hearing.
“One cyber event can trigger multiple types of claims, for multiple insureds,” she said.
“The lesson can be boiled down to the simple fact that the scope of the challenge is too broad to be solved by the private sector alone.”
But a UK Government report, compiled in conjunction with Marsh, finds “no conclusive evidence” of the need for a state backstop, although this could change as claims grow.
It would be hard to establish such a pool in advance of systemic claims materialising, it says.
The report recognises the extraordinary potential for cyber losses, estimating the insurance industry faces a possible maximum loss (PML) of £20 billion ($37.8 billion).
“If we consider that the cyber insurance market could treble in the next 3-5 years, the industry PML for cyber risks could easily exceed the global insurance/reinsurance capacity available for other aggregating events, such as nuclear disaster or natural catastrophe.”
Despite this, the report says the market does not face supply constraints in the short term, with underwriters expressing “strong appetite to grow this line of business”.
There is certainly huge potential for insurers, with a Fitch Ratings report highlighting cyber as a key growth opportunity.
Fitch says the risk has become a reality for every business, and predicts it is only a matter of time before cyber insurance enters personal lines too.
But it also notes “the dark side of the golden opportunity”, with unprecedented loss potential and the exposure of the insurance industry itself.
Insurers collect and store more personal information than ever, making them as vulnerable to cyber attacks as any other industry.
Insurers must also work hard to get the message across about the benefits of cyber cover.
The UK report says business leaders are often unaware cyber is an insurable risk, and many are too optimistic about the level of cover provided by their current policies.
More than half (52%) of large-organisation CEOs believe they have cyber cover, whereas the reality is closer to 10%.
“This evidence suggests a failure by insurers to communicate their value to business leaders in coping with cyber risk,” the report says.
Law firm Clyde & Co says take-up in Australia has been slow, with many businesses exposed.
“While the Australian market has not yet experienced a significant data breach, it appears almost inevitable that there will be a significant breach in the future,” it says.
There are still many unanswered questions about how the cyber insurance market will play out – not least whether private insurers will be able to cope alone.
But whatever the outcome, there is no doubt insurers have a crucial and immediate role to play in helping businesses build resilience to this potentially devastating threat.