Insurers can improve their cyber-risk profiles and avoid unnecessary litigation by designing new policies, creating single-risk limits and establishing contingency reserves, AM Best says.

In a report on US cyber risk, the ratings agency says insurers must stop depending on old policies and begin designing, developing and selling specifically targeted cyber coverage.

While commercial general liability, business interruption or directors’ and officers’ policies cover data breaches, they were developed decades before cyber-liability claims.

AM Best says the language in these old policies has led to lengthy litigation, which could be avoided with more tailored covers.

It would be prudent to develop single-risk limits, due to the interconnectedness of the cyber threat, according to the report.

“As the regulatory environment expands and becomes enhanced, this may be unavoidable.”

Devising single-risk limits with regards to policyholders’ shared service providers, common vectors of attack and other correlational factors could prevent massive losses from a single event simultaneously causing losses at many organisations. 

AM Best recommends insurers establish contingency reserves for cyber losses, given the lack of consequence-oriented data and actuarial information.

This is normal for certain monoline insurers such as financial and mortgage guarantee companies, and may also be prudent practice for cyber insurers.

The report says insurers must understand the idiosyncratic risk of companies in their portfolios, and the aggregate risk of those companies and policies, to arrive at reliable loss estimates.

Estimating the annual cyber loss will help facilitate appropriate discussions on adequate pricing and compensation.

AM Best says all insurers should be concerned about risk aggregation, with the possibility of single cyber attacks causing losses across a large number of insureds.

Research shows the total realistic probable maximum loss for cyber risk worldwide is currently about £20 billion ($41.17 billion), according to the report.

While that amount is within the reinsurance capacity for single-event risk of £65 billion ($133.73 billion), it is well above that of £3 billion ($6.17 billion) for a nuclear loss.