When cyber insurance first came to market, it was treated rather like a bandage used to patch up problems. Its first problem to solve on behalf of the early breed of dot-com companies in the 1990s was the computer virus, and any resulting destruction of data, resulting business interruption, and unauthorized access to systems. Over time, the bandage evolved to cover companies’ exposure to data security and regulatory issues associated with data breaches. More recently, it expanded the focus further to cover data privacy, its associated regulatory issues, and ransomware.
Find out more: Learn everything you need to know about AXIS Insurance here
While trying to staunch cyber-related wounds, the underlying force driving the early evolution in cyber coverage, was simple: the market desperately wanted more buyers and more capacity. Max Perkins (pictured above), Head of Cyber Strategy & Innovation at AXIS Insurance, commented: “As the cyber insurance market matured, it was all about trying to provide more coverage. Underwriters followed the problems that were in the market, followed the game of the threat actors, and provided solutions – all of which created premium.”
In following those problems so resolutely, the cyber insurance market had created a problem of its own – the results of which insurers and their end-clients are feeling through hardening market conditions today.
“All along the way, we’ve had this clever insuring agreement called business interruption and digital asset recovery that we weren’t properly pricing for,” Perkins commented. “Coverages were evolving rapidly in response to customer demand at a time when there wasn’t sufficient loss history and data to accurately price for this risk. Underwriters actively priced for cyber risk exposures, but today we see clearly the pricing has ultimately proven inadequate, and these coverages are driving the frequency and severity of loss on all cyber insurance books. That’s leading us into a hardening market for cyber insurance, because the books have been affected in such a way that they require additional rate.”
With the frequency and severity of claims on the rise, cyber insurers in the US have started to tighten their risk appetites and underwriting guidelines. In doing so, they have created some new coverage gaps or problems that need patching up with innovative cyber solutions. Some of the biggest challenges today revolve around property damage triggered by a cyber event, bodily injury triggered by a cyber event, and cyber-related espionage.
In 2019, Lloyd’s of London announced a silent cyber mandate through which the market will require all insurance policies to clearly state whether or not they will provide affirmative cyber coverage. The first phase of that mandate was introduced on January 01, 2020, targeting first-party property damage policies, and asking underwriters to affirm or exclude cyber cover, regardless of whether the policies were written on an all-risks or a named perils basis. Phase two rolled out in July, for more classes of business, including life and health, political risks, and property catastrophe excess of loss. Phase three for professional risks and financial lines is due to launch on January 01, 2021. The general stance in the cyber market is that property underwriters will exclude coverage for malicious cyber events, thus creating some cyber coverage gaps that need to be filled.
“In the last six months, we have experienced a tremendous amount of inquiries from brokers representing all different lines of business, from renewable energy, to manufacturing, shipping, big cargo, industrial property, and beyond, where brokers are trying to help their clients fill that gap in their property policies,” said Georgie Furness-Smith (pictured below), Cyber Underwriter at AXIS.
“What’s been very reassuring is the amount of collaboration that has emerged to tackle this problem,” she added. “In the London market, for example, AXIS has been working closely with relevant business units to figure out how to close any potential coverage gaps following the Lloyd’s mandate. One specific example is that we created a Marine Cyber specific wording that we’re now marketing via our broker partners. This is an interesting time to collaborate with other areas of insurance. There may not be a single class of business that wouldn’t benefit from a partnership with cyber in order to help them find a new product to bring to market.”
Read more: Different models for cyber security
Underwriters in more traditional lines of insurance, like property and general liability, to this point have not typically been covering cyber events. The current situation has left many insureds in a tight bind because the cyber insurance market does not have enough capacity to cover property losses resulting from cyber deficiencies. Therefore, brokers are left with the tricky task of telling clients, for example: “You have a $750 million tower, but unfortunately, the most I can get you out of the cyber market to cover the ensuing property loss is $250 million.” This is where insurance, and the cyber market in particular, is presented with its best opportunities for innovation, according to Perkins.
“This is where I think further innovation will come, and it revolves around where else we can draw capacity into the cyber market,” Perkins told Insurance Business. “If you look at the property market, it has been very successful in drawing insurance-linked security (ILS) capacity from alternative capital providers. I think there’s potential in that, at least for cyber property risk, because it is short-tail in nature and you can recognize loss at the end of a calendar year, which are all things that the asset managers sitting behind ILS want to be able to recognize.
“I also think it will help us with the problem of intangible assets. The biggest problem right now is that there could be arguments in a claim over the value of that asset. But if we start to create this short-tail trigger and also payment, you can begin to look at parametric triggers that simply state: ‘If a certain event happens, then we will pay this amount,’ and you agree everything up front. Again, you could draw an alternative capital supply and the ILS would to be able to do that, but it’s going to take time because we need to get those alternative capital providers more comfortable with cyber risks. That’s another example of how we must continue to evolve and innovate.”