Published on: 4/11/2019
Cyber risk is a complex hazard of evolutionary and multifaceted nature. This emerging threat, whose consequences are as disastrous as natural disasters, is a difficult risk to model. Its impact is not easy to quantify because an attack can simultaneously affect a multitude of targets.
In just a few seconds, the networks and computer servers of millions of businesses can be infected all over the world. An attack can also paralyze whole cities for long periods of time, ending up with a massive theft of personal data.
Such attacks led some analysts to characterize cyber-attacks as the new systemic risk.
Figures on the cyber insurance business
Still small, the cyber insurance market is currently held by extremely cautious insurers. They are up against an evolving and exorbitant risk that is difficult to grasp. Moreover, the absence of any claim history is likely to result in a totally unsuitable premium.
Despite these obstacles, cyber insurance is growing at a steady pace. According to Munich Re data, the market is estimated at 3.5 billion USD at the end of 2018. Concentrated in the United States, the cyber-insurance is poised to double its turnover by 2020 and reach, according to the German reinsurer, 20 billion USD in premiums by 2025.
Faced with the complexity of this risk, solutions have increasingly, been developed by major market operators. Swiss Re has recently launched a new product called "Decrypt". Together Chubb and AXA account for more than 30% of cyber risks in the US market. Trust Insurance Management, a Bahrain-based risk management company, has also begun underwriting cyber plans from companies in the Gulf Cooperation Council countries.
To date, the loss experience generated by this risk has been well managed by the market. An increase in premium rates for cyber contracts has been reported since the WannaCry and NotPetya attacks. Overall, rates rose by more than 50% in 2019.
Cyberinsurance: Ranking of cyber incidents according to the insured’s claims
Type of cyber incidents | Share of claims |
---|---|
Email compromise/email hacking
|
23% |
Ransomwares (1)
|
18% |
Data piracy
|
14% |
Violation of data due to employees' negligence
|
14% |
Identity theft
|
8% |
Other viruses/infections linked to malware
|
6% |
System failure/breakdown
|
5% |
Loss or theft of data
|
5% |
Others (2)
|
4% |
Other non ransomwares
|
3% |
* Study conducted by AIG in the EMEA (Europe, Middle East and Africa) region analysing claims received in 2018
(2) Ransomware: ransom or extortion software
(3) Denial-of-service attacks
Cyberinsurance schemes
Cyber risk can be covered in two ways; either through a traditional policy or through specific plans.
- Traditional or implicit "silent cyber" policy
This is a conventional fire/accident or liability insurance policy that does not include explicit exclusion of computer risk. This coverage is said to be silent. Other cyber guarantees can also be included in this classical plan.
This type of coverage is causing concern among market players. Lloyd's has recently expressed concern over policies that do not explicitly rule out cyber risks. It even called on members to clarify their insurance and reinsurance contracts. As of 2020, they will have to mention explicitly whether the cyber risk is covered or not, accurately specifying the level of coverage.
Allianz and AIG have taken the same measure with their respective entities.
- Specific or affirmative coverage
This is a specific insurance plan that covers cyber incidents. This policy accompanies the insured before, during and after the occurrence of the attack. It covers the cost of repairs (software and data), the shutdown of operations and even damage to reputation and personal data.
Limitations of cyber coverage
The cyber insurance policies are dismissed to be:
- hardly clear, too generic, containing several exclusions,
- not adapted to the profile of the insured.
Source: Atlas Magazine
Tags: Cyber Risk Insurance, Insurance Companies