Cyber Insurance: A Growth Opportunity For Property And Casualty Insurers

Includes: AIG, CB
by: LD Investments


Cyber-attack costs are increasing and are likely to continue increasing especially with the advent of IoT.

The cyber insurance market is one of the fastest growing markets for P&C insurers.

Aggregate risk is a potential threat to the credit quality and financial strength of insurers.

As the market matures, the challenges are likely to be overcome, initial changes are underway.

Please take note this is only one aspect in weighing the attractiveness or non-attractiveness of any of the stocks mentioned in this article and should not be used independent of other factors.

There was an average of 200,000 global cyber security incidents a day in 2014.

The number of data breaches in the U.S. alone has been trending upward.

Source: Moody's report "Cyber Insurance: High-Risk Product With Potential To Grow"

The cost of a data breach in 2014 ranged between US$1.37 million and US$5.85 million (depending on the country). The average cost per data breach was highest in the U.S.

Source: WSJ

A report by Hewlett Packard and Ponemon Institute of Cyber Crime, hacking attacks cost the average American firm $15.4 million per year, double the global average of $7.7 million.

A report by consulting firm Hamilton Place Strategies states that the median cost of a cyber-attack for U.S. businesses has increased 192% since 2005.

Source: Hamilton Place Strategies

A 2015 UK government report estimates that the insurance industry's global cyber risk exposure is already in the region of £100 billion ($150 billion). The Strategic and International Studies' estimates annual losses from cyber-attacks amounts to about $400 billion.

These figures indicate the scale of potential cyber-attack losses are on par with natural catastrophes; however cyber-attack incidents are more frequent.

Source: PwC

Going forward, cyber-crime costs are expected to increase. A report by market analysts Juniper Research projects cyber-crime will cost businesses over $2 trillion by 2019. The report also states that the average cost of a data breach in 2020 will exceed $150 million by 2020, as more business infrastructure gets connected.

Considered to be one of the fastest growing markets for P&C insurers, the cyber insurance market is still at a nascent state, and currently a handful of companies - American International Group (NYSE:AIG), Chubb Corp (NYSE:CB), Zurich Insurance Co Ltd and Beazley Group Ltd - dominate the arena. It is estimated that about 30% of large U.S companies have a stand-alone cyber insurance policy. But among companies of all sizes, the number is probably less than 10% according to Betterley Risk Consultants.

The U.S. cyber insurance market accounts for about 90% of the global market with annual gross written premiums estimated to be US$2 billion in 2014, up from about US$1.3 billion in 2013, a 33% increase.

Source: Insurance Information Institute

In Europe, cyber insurance premiums are estimated to be about $150 million - a fraction of the U.S. market. The early growth of cyber insurance in the U.S. was spurred by U.S. Federal and State regulations requiring disclosure and notification of breaches of personal data.

With new data protection legislation currently being formulated in Europe, cyber insurance demand is likely to increase going forward.

ABI Research forecasts the cyber insurance market to grow to US$10 billion by 2020.

The cost of cyber insurance is about three times the cost of insurance for other well-known liability risks, making it the number one reason for not purchasing cyber insurance according to a report conducted by Ponemon Institute.

Source: TechTarget

The market for cyber insurance is relatively new and the industry faces a dearth of actuarial data. As a result, models for cyber risks are still much undeveloped, compared to models for more established risks such as natural catastrophes.

That fact that cyber-breaches have a long and unpredictable tail and loss contagions stemming from cyber breaches are difficult to contain make it all the more difficult for insurance companies to accurately adjust premiums.

Source: PwC

The issue is further compounded by the fact that security breaches can go undetected for several months, resulting in an accumulation of potential losses. A report by Ponemon Institute conducted on behalf of Arbor Networks found that it takes an average of 98 days for financial services companies to detect as security breach and 197 days in retail. Despite the long periods of time (termed "Mean Time to Identify", more commonly known as "dwell" time), 58 percent of those surveyed who work in finance and 71 percent of those in retail are "not optimistic" about their firms' ability to improve these results this year.

This inability to accurately calculate cyber risk is possibly a key reason for the high cost of premiums for cyber insurance; in an effort to compensate for the lack of certainty due to limited actuarial data, insurers and reinsurers thus charge a high price for cyber liability coverage and attempt to limit potential losses through restrictive limits, exclusions and conditions.

However, as the market matures, the high cost of cyber insurance is likely to decrease in the long run as insurers are better able to adjust premiums and they wouldn't require a premium cushion to compensate for the lack of actuarial data.

This maturation process has already begun; in January this year, two of world's biggest catastrophe risk modeling companies for the insurance industry - Risk Management Solutions Inc (RMS) and AIR Worldwide - together with the Center for Risk Studies at Cambridge University, worked with eight large insurers and reinsurers - including Lloyd's of London - to publish a Cyber Exposure Data Schema to provide the insurance industry with a uniform, 'open standard' on capturing cyber exposure data, manage risk and so on.

The Internet of Things (IOT) increases the need for cyber insurance

It is estimated that there are about 10 billion devices connected to the internet now, with projections that the number will double or triple by 2020.

A report by AT&T ("Cybersecurity Insights") which included a survey of more than 5,000 enterprises worldwide, found that 85% of enterprises are in the process of or are planning to deploy IoT devices, but only 10% feel confident that they can secure those devices against hackers.

As the internet becomes a hub for a plethora of inter-connected devices used by consumers, manufacturers, healthcare service providers, it increases society's vulnerability to cyber-attacks on infrastructure and control systems. These new security risks created by IoT will increase the need for cyber-insurance policies to cover against loss or theft of data, hijacking, and software malfunctions etc.

This points to a promising growth market ahead for P&C insurers.

Source: MIT Technology Review

Potential Threat to Insurer Credit Quality

While the advent of the Internet of Things brings opportunities for cyber insurance, the sheer interconnectedness of IoT indicates it also carries equally extensive risks to insurers; cyber-attacks involving IoT connected devices are not just limited to disclosure of confidential information but could also result in physical harm such as property damage and bodily injury. For instance, the Stuxnet worm destroyed centrifuges inside Iran's uranium enrichment site by damaging a specific type of Siemens Programmable Logic Controller (PLC) which were used by the Iranian centrifuges. Another instance is when hackers remotely took control of a Jeep Cherokee on the highway, activating windshield wipers, manipulating the air conditioning, turning the radio on full-blast and then killing the engine.

Nearly all modern automobiles, not just the Jeep Cherokee manufactured by Fiat Chrysler have such computer controls that are potential targets for hackers.

A more disturbing concern is the potential threat to insurers' financial stability and credit quality. Insurance rating agency A.M. Best points out that the connections and interdependencies present in cyber-security risks mean that the potential loss aggregations for insurers who write cyber insurance may be far more difficult to manage than natural disasters; whereas natural disasters may be restricted to a certain geographic area, cyber security risks in a connected world essentially have no boundaries making locale almost irrelevant when assessing and managing aggregate risk in an insurer's cyber security portfolio. This creates aggregation risk, which could potentially place the insurer in a position so burdened with catastrophic losses thereby resulting in the non-payment of claims. For instance, a cyber-attack that affected multiple industry segments could potentially threaten some insurers' solvency.

A.M. Best still considers natural catastrophe losses to be the main threat to the financial strength and credit quality of P&C insurers. However, the firm believes cyber risks are close behind.

Fitch Ratings echoed this view in a report "The Rise of Cyber Insurance: Growth Opportunity Paired With Incalculable Threat".

Challenges are likely to be worked out as the market evolves and matures

It is quite clear that cyber insurance is a growth opportunity for insurers especially with the rise of the Internet of Things. Any new market will inevitably have challenges and these are likely to be worked out in the long run. The lack of actuarial data should be solved over time as insurers continuously gather data and improve cyber risk models which should enable them to better price cyber insurance policies. As mentioned earlier, developments in this area are already taking place.

Lloyd's of London CEO, Inga Beale has spoken on Lloyd's intention to be a world leader for cyber coverage. Current cyber risk capacity in London is about $440.3 million, which is equal to at least 30% of global cyber premium volume (which Ace Ltd. estimates at $1.5 billion to $2 billion). Lloyd's has taken leading steps to address the threat of aggregation risk and as a first step Lloyd's is closely monitoring syndicate's underwriting.

Lloyd's has also established a specific cyber risk code 'CY', and recent guidance suggests that if the policy form provides coverage for specified cyber exposures, a percentage of premium must be allocated to the risk code. Lloyd's expects this move to provide greater transparency of cyber exposures thereby leading to the development of more comprehensive Realistic Disaster Scenarios (RDS) which is intended to stress test both individual syndicates and the market as a whole.

These efforts are indications that the evolution of the cyber insurance market is already underway and in the long run should lead to a market that's more resilient to the threats it faces today.

Given the relatively high risk present in the short term in a market as new as cyber insurance, companies with a record of disciplined underwriting are more likely be long run beneficiaries (as they would navigate the risks of this nascent market while maximizing its long term potential).

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.