Insuring Cyber Risk in 2020
More sophisticated pricing and understanding accumulations are the two key challenges and opportunities for Australian actuaries and insurers looking at this line of business, according to Susie Amos and Danielle Casamento, actuaries with Finity Consulting.
In what is becoming a much-appreciated annual update on this subject at the Actuaries Summit, the Finity consultants recapped the journey so far and shared their thoughts on what may lie ahead.
The cyber insurance market in Australia is about 5 years old now, with an annual premium pool of approximately $130 million across more than 25 insurers, according to Finity estimates. To put this into context, the global premium pool is approximately $6 billion with about half of this being in the US.
Trends in the Australian market include some standardisation of coverage terms, take-up spreading to more mid and even some smaller businesses, and a move from ‘silent cyber’ (unassessed and/or unmeasured exposure to cyber risk under conventional policies) to insurers having ‘affirmative’ policies or explicit exclusions.
Although the largest policy type remains standalone cyber, the trend to affirmative policies has largely been through adding cyber as a peril to business packages. “What we’ve certainly seen come through is affirmative cyber cover coming into business packages and professional lines classes and then also affirming it in a lot more crisis management and liability coverages,” noted Susie.
There has been an increase in claims frequency, particularly for first party ransomware related claims. Yet, the relative infancy of the market means claims data is limited; APRA, for example, does not separately report cyber insurance claims. Instead indicators of claims, such as reports from the Australian Cyber Security Centre, are good data for actuaries to consider.
Finity estimates the combined ratio for cyber insurance to currently be approximately 75% in Australia.
“This class really needs quite a high profit margin because of the high uncertainty and because if there is a large accumulation event then it’s like a cat event,” remarked Susie.
The World Health Organization (WHO) has reported a five-fold increase in cyber attacks since the COVID-19 pandemic began, although this should be seen against the backdrop of a longer-term rise in cyber attacks. Greater phishing using COVID-19 related themes, higher vulnerability due to working from home arrangements, and denial of service are among the higher cyber risks being observed. On the flip side, the pandemic has also raised awareness of cyber vulnerabilities and has likely helped mitigate cyber risks.
“Insurance protection, whilst a cost mitigator [to cyber risk], is superseded by some of these other elements being about the appointment of a CISO [chief information security officer], board level involvement, and planning and incident response management,” noted Danielle. On the other hand, third party involvement, extensive cloud migration and system complexity are examples of ‘cost amplifiers’ of cyber risk because they all increase the cost of a cyber breach.
These are also the types of factors that should be considered in more sophisticated pricing and Danielle shared Finity’s best practice pricing framework for cyber insurance. Of the 12 risk relativities in that framework, only three are often used in pricing for small to medium sized risks in Australia although most of the 12 elements are considered in the underwriting process. However, it should always, for example, be of concern for pricing whether a company has an overseas exposure or a significant online presence as both are known to increase cyber risk significantly, yet both are only sometimes considered in the rating algorithm.
Susie called out Accumulations as “a key barrier for entering this space or increasing exposures” because unlike natural catastrophes there are no geographic boundaries to cyber insurance, limiting the ability of insurers or reinsurers to diversify their risk.
To help work through this challenge Susie suggests insurers use scenario analysis to help them better visualise the types of events that would need to play out for their risk appetite to be reached. She suggested summarising exposure by location, industry, exposure type and size of business, which are all highly correlated, as “a good starting point to assessing cyber accumulation zones”.
The two presenters left actuaries with the message to keep “continually using as much information as is out there, in a framework that makes sense, and continually adapting. That’s the key thing we should continue to do as a profession.”
CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.