On a global scale, cyber crime costs are expected to grow 15% per year in the next five years, reaching $10.5tn annually by 2025 according to Cybersecurity Ventures.1 Ransomware-related events have unquestionably been the largest driver of losses and it does not appear that will change anytime soon. Ransomware attacks continue to increase, with downtime cost often being as great as the ransom paid, averaging $283,000.1 Overall, the average cost of a data breach globally was $3.86m in 2020.2
Although the major losses are still centred in the European and US markets, Asia is experiencing a noticeable increase in overall cyber claims. For example, APAC had 1.7 times higher than average malware encounter rates for ransomware attacks than the rest of the world.3 A recent analysis showed that 47% of all ransomware attacks got in through remote desktop protocol.4 Shifts in global strategy regarding cyber coverage have also directly impacted the Asia cyber market.
From a global and regional perspective, we are clearly in a rapidly hardening cyber market. While that traditionally has a negative implication for brokers and insureds, there is reason to look at the cyber market through a different lens. That includes taking a broader, longer-term view of the possible benefits to insurers/reinsurers, brokers and insureds.
Benefits to insurers and reinsurers
Given the major cyber incidents of the last few years (e.g., WannaCry, Ryuk, REvil) there is little question about the criticality of cyber insurance for businesses of all sizes. This reality also reinforces the need for a correction in cyber pricing and terms and conditions — important to sustaining future growth. It is reasonable that as the exposure of what insurance companies are ultimately covering increases, the risk selectivity and rating for risks also sharpens to adapt to the changes in circumstances.
Increases in claims and losses are coming to light via recent spikes in the loss ratio of cyber insurance.5
Ultimately, changes driven by insurers will enable them to recover better from the relatively sudden increase in losses and help ensure a sustainable strategy for continuing to sell cyber insurance products. In addition, while insurers traditionally have to concede points to write business in a soft market, they now have an opportunity to sharpen their strategy and risk appetite and showcase their expertise and experience in the cyber space to differentiate themselves.
Benefits to brokers
A shortage of capacity and tightening terms can present challenges to client relationships. The relative ‘youth’ of cyber insurance comes with a lack of standardisation across markets and insurers. Rapidly changing cyber exposures also make it a product line with a fast evolution of coverages and offerings. As a result, brokers have a major challenge to be fully aware of the differential in coverages and nuances among various cyber insurers (e.g., the type of incident response providers on an insured’s panel to ensure competent incident response).
Brokers can leverage this as an opportunity to showcase their important role, as insureds increasingly rely on them to help better understand changes in the market and how their cyber policy can directly impact their programmes. Another positive: The days of having to pitch cyber insurance to insureds multiple times are gone, as media attention around cyber threats is at an all-time high. In fact, inquiries will only continue to increase, expanding opportunities for brokers.
Benefits to insureds
While the reality is that insureds will be impacted by premium increases and changes to terms, as well as reduced capacity, and more scrutiny from insurers, there are positives. Insureds will be required to assess their cyber security posture more realistically, as underwriters require greater transparency and detail in this environment of escalating loss and threat. This sets up a unique win-win opportunity: Insurers have a more receptive environment to consult with insureds, helping them identify protection gaps. Insureds can then improve their risk profile if those gaps are addressed. Cyber insurance is a risk transfer solution; the initial goal for companies should be to avoid falling victim to a cyber attack in the first place.
Ultimately, everyone shares the same goal: Mitigating a cyber attack through better cyber security governance and investment in controls. Without these corrective actions, insurers could be forced to exit the market entirely due to large losses, reducing options for insureds in the long-term, along with contributing to less available capacity. Insurance is inarguably a necessity as a method of risk transfer for cyber exposure. Sustainable terms for insurers are critical for insureds to ensure companies can provide risk transfer options in the future.
Benefits to service providers
As cyber claims escalate, the importance of cyber security service providers has also increased, with incident response providers being at the top of this list. Higher demand will trigger more competition, driving up the quality of services by requiring providers to enhance their expertise, technology, and talents. In addition, the increased involvement of these vendors in the insurance world encourages more knowledge exchange which allows everyone to share their lessons learned.
Cyber security risk assessment providers will also have a growing role and value. Traditional underwriting by application may not provide sufficient information in the cyber space going forward. Cyber risk requires a breadth of knowledge, and an ‘outside-in’ review of cyber risk. That is, scanning external elements such as open ports, patch status on external IP addresses, deduction of known vulnerabilities, and more, will become more prevalent in the service offerings of cyber insurance. Larger companies, of course, will require proportionately broader and deeper analyses of their cyber security exposure, including the use of cyber security consulting firms or risk dialogues with their insurers.
Focusing on positives
All stakeholders in the cyber insurance ‘ecosystem’ are dependent on each other at the end of the day. Achieving a balance where all parties can benefit is imperative. Cyber security is, and should be, at the forefront of priorities for executives, irrespective of cyber insurance. The current hardening market then, serves an important role to catalyse positive change in the ecosystem that will ultimately lead to more resiliency and sustainability for all.
Each party in the ecosystem must focus on those things they can internally control – whether it is improving one’s cyber risk management or requiring improvements in terms and conditions of a cyber policy to renew. External factors in the cyber world, such as cyber criminals’ activity, are unpredictable and uncontrollable. Therefore, if all stakeholders leverage the beneficial opportunities of this hardening cyber market, we can collectively create a more resilient ecosystem that can withstand unexpected external developments. The combination of sustainable insurance terms and conditions from reinsurance with increased risk transparency and cyber maturity driven by cyber service providers, brokers and the insureds will foster innovation, further driving solutions outside of the current borders of insurability.
Realistically, when it comes to cyber security, the target will be forever moving. Our collective, constant vigilance and adaption will be key to ensuring that one and all benefit from the highest calibre of cyber risk management. A
Mr Eric Cho is a cyber underwriter (Asia region) with Munich Re.
4 2020 Ransomware Attack Trends in Asia Pacific – Beyond the Ransom (kroll.com)
5 Cyber insurers hike rates, tweak coverage as loss ratio rises again in ‘20 | S&P Global Market Intelligence (spglobal.com)