- Risk selection and pricing: This relies on understanding the likely claims volumes and sizes. This is difficult when the pool of previously written policies is small and the risk levels are changing rapidly (making them non-comparable), which is certainly the case here. The main effect is that insurers are writing relatively small volumes of business while they build understanding. It’s also worth understanding that for complex commercial insurance the pricing and risk selection is mostly done manually; it’s not at all like car insurance, where you are rated on specific measurable factors. Commercial insurance is in many cases more about a story and feel of a risk. There is a significant shortage of good people with underwriting skills. This is also true at the broker level, and these are the people responsible for advising the end client that they should consider the product in the first place.
- Moral Hazard: Or put more simply, making sure that as a customer you are still incentivised to manage your own risks rather than buying cover and letting the insurer pick up the tab. This is probably the easiest to address, as commercial policies quite often come with requirements for improvements (e.g., a typical manufacturer might be required to upgrade their fire suppression or do extra health and safety training courses). Word to the wise: if your board buys a cyber policy, that could become the driver for some key security projects which you’d previously found it hard to persuade your business to back.
- Claims inflation (including fraud): Unsurprisingly, the main cost to an insurer is the cost of claims, so this is always an area of focus. With increasing breach disclosure and the rise in civil cases and regulatory fines, this is a fast-moving target. This makes it hard for insurers to understand what the likely liabilities will be in the medium term. That said, these things move slowly enough to not be a problem within the average policy life.
- Aggregation and systemic risk: Using a physical world example, in principle you might be happy to insure $10bn of coastal property but you clearly wouldn’t want it all in Miami. The problem for cyber products is that there is a worrying possibility that big events could be truly global and cut across all classes of organisation. For an insurer that’s frankly terrifying, as they can’t be sure they’ve spread their risks against catastrophes, and if they wrote a lot of cover one bad event could put them out of business. An insurer would normally buy re-insurance against massive individual or aggregated losses. There are serious suggestions that the industry will need a government-backed re-insurer along the lines of Pool Re, which covers terrorist events.
Finally, a recent article on El Reg suggested that insurers should consider buying an anti-virus or similar security product firm in order to better understand the risks. While I agree with the basic sentiment, frankly that suggestion is more than just a little nuts. Going back to an analogy with car insurance, this would be like Direct Line announcing that it wanted to buy Goodyear to better understand how cars perform in wet weather. I’m a strong believer in never saying never, but if anyone would like to put a £5 bet on this happening within the next 10 years, I’ll happily take your money.
That said, there clearly is a desire for a greater understanding of how cyber risks could and should be managed. However, this is manifesting in the creation of industry forums and information sharing partnerships. It’s also quite likely that there will be some expansion into security management risk consulting (think ISO27001-type consultancy work). This would be consistent with what already happens in the health and safety or business continuity spaces. This would fit far better with how insurers view the world and also represents a form of risk-free income for them.
So to sum up, right now you can buy cyber cover – but the overall market is still very young and the amount of capacity available is relatively small. Insurers are very much trying to figure out how to grow their ability to offer it, but there are significant hurdles. If your company does decide to look at it, I would encourage you to take it seriously. Honestly, it could become a serious ally in getting the important things done.