
Cyber risks: Driven by regulation and technology

Proliferation of information technology and tighter regulation drive cyber risk exposure

Cyber risk is one of the most heatedly debated topics in the global insurance industry. At the same time, cyber risk remains largely underestimated. Accordingly, significant research resources have been deployed recently to quantify the economic losses from cyber incidents.

Allianz estimates the annual global cost of cybercrime alone stands at USD 445 billion (Allianz AGCS, A Guide to Cyber Risk). Willis Towers Watson predicts that this figure will increase to USD 6 trillion per annum by 2021, with financial institutions being the most exposed (Willis Towers Watson, The future of financial services).

Cybercrime and non-criminal cyber incidents on the rise

However, cybercrime is only one side of the coin. Non-criminal events such as system malfunctions or disruptions, the loss or unintended disclosure of data, or the unauthorized use of data can also cause a cyber loss to a company.

The definition of cyber risk is fairly broad, comprising any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology system (according to the Institute of Risk Management, IRM Cyber Risk).

A study published in the Journal of Cybersecurity estimates that, on average, a failure can end up costing the affected company close to USD 6 million (Journal of Cybersecurity, 2016). In addition, risk managers need to keep in mind that despite strong internal controls, losses may still be triggered by the failure of another party, such as a vendor or service provider.

New regulations as a catalyst for increasing risk awareness

From 25 May 2018, the new EU General Data Protection Regulation (GDPR) will apply, replacing the Data Protection Directive of 1995 with far stricter rules. It aims to protect individuals in the EU from privacy and data breaches in an increasingly data-driven world. (You can find more detail about the GDPR in the next article “How data protection regulation will change insurers’ way of operating consumer data”.)

The most significant change attached to the new regulation is the extension of its territorial scope: the GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of where that organization is established.

As a consequence, the GDPR assumes global relevance. In addition, the new regulation increases the prominence of data breaches: any breach that is “likely to result in a risk to the rights and freedoms of natural persons” has to be notified to the supervisory authority within 72 hours of the controller becoming aware of it and, where the risk to individuals is high, communicated to the affected individuals without undue delay.

As a result, system failures that carry a risk of loss or disclosure of personal data of individuals in the EU have to be reported to the regulator and, in serious cases, communicated to the people concerned – with obvious negative ramifications for a company’s reputation.

In case of non-compliance, the GDPR may impose severe penalties of up to 4% of annual global turnover or EUR 20 million, whichever is higher. The penalty regime is tiered: the top tier applies to breaches of the basic processing principles and of individuals’ rights, while failing to notify the supervisory authority of a breach, or being insufficiently prepared for or protected against data breaches, falls into the lower tier of up to 2% of annual global turnover or EUR 10 million, whichever is higher.

This also creates an additional management liability exposure. For example, the failure to address cyber risk at Board level may expose Directors & Officers to claims from shareholders in the event a cyber incident results in a drop in the company’s share price.

Cyber insurance expected to expand rapidly

Cyber risks were first brought to the fore around twenty years ago with the infamous “Millennium bug” (Y2K), associated with the turn of the millennium and growing concerns over massive data failures. Now, with personal, financial and medical data being collected by many sources and through various channels, the emphasis has shifted to data security.

Privacy and data protection legislation, initially introduced in the US, drove the demand for cyber insurance. Current regulatory and legislative dynamics will further increase the exposure from non-compliance or a breach of data, as the cost of litigation and settlements is expected to soar.

In addition, companies will have to face the implications of negative publicity when reporting a breach or loss of data, which can translate into reputational damage, subsequent shareholders’ claims, the loss of clients’ confidence and possibly a decline in market share.

Today, the insurance industry is developing a range of cyber insurance solutions to protect its policyholders. Traditional business interruption policies, for example, normally do not cover loss of profits from a cyber incident. Cyber insurance policies can cover business interruption following a cyber incident, such as the loss of profits or the expenses incurred due to IT systems outages. Policies may also protect against losses due to the malfunction or corruption of data and software, as well as against malicious attacks on data processing, such as data extortion or fraud.

Aggregation and global nature of cyber risks as key underwriting challenges

However, insurance policies are far from standardized and will continue to evolve to fit the ever-changing risk and regulatory landscape. While many of the contract wordings have yet to prove their merits in a real loss event, cyber risks may well be covered unintentionally within traditional property or other policies (so-called “silent cyber”).

Accumulation or aggregation risk poses a significant challenge as both the severity and frequency of potential loss events increase, while modelling tools comparable to those used for other large-scale risks, such as natural catastrophes, are not (yet) available. A single widely used software vulnerability or the outage of a shared service provider can hit many policyholders simultaneously. Cyber is also a truly global risk, challenging the conventional notion of risk diversification across geographies and lines of business.

According to Marsh & McLennan (MMC, Cyber Handbook 2018), in 2016 the global cyber insurance market amounted to premiums of close to USD 4 billion, of which 90% were written in the USA, 4% in Europe and 6% in the rest of the world including APAC. Growth has been substantial, at 34% per annum from 2009 to 2016. Some market observers expect the global cyber insurance market to grow briskly to as much as USD 20 billion by 2025.

Cyber premiums from Asia forecast to grow exponentially – from a low base

The share of Asia Pacific in terms of global cyber premiums is small and does not reflect the proliferation of information technology across the region nor its role as an important hub for global data processing.

For instance, in China the volume of cyber premiums is still minuscule, even though Allianz estimates the country’s share of global cybercrime losses at about 15% (Allianz AGCS, A Guide to Cyber Risk). However, Marsh & McLennan predicts strong cyber insurance growth for the region, which might generate premiums of USD 1.5 billion by 2020 (MMC, Cyber Handbook 2018). Cyber insurance penetration is also expected to rise sharply, for example in Singapore from 9% to 40% by 2020 (MMC, Cyber Handbook 2018).

Asia Pacific is perceived as particularly exposed to cyber risk as the digital transformation advances faster than in other parts of the world, more often than not leapfrogging entire stages of technological development.

As internet-enabled devices spread rapidly and interconnectivity grows, so does the exposure. However, cyber risk awareness and the willingness to invest in cyber security remain low.

Peak Re’s underwriting team is committed to engaging in dialogue on cyber risk with our clients. We believe that through the sharing of experiences and debate we can jointly evaluate exposures and develop cyber risk mitigation strategies, including improved preparedness for tighter governance and reporting requirements.