While insurance against cyber risk represents a tremendous new business for the insurance industry, numerous insurability problems currently impede the development of the market, according to a new report published by the Geneva Association.
The report, titled “Ten Key Questions on Cyber Risk and Cyber Risk Insurance,” said the main insurability problems are “the lack of data, risk of change, accumulation risk, loss sizes, availability of risk capital, and potential moral hazard problems.”
“[A]necdotally it is not only the challenge of insurability but also the demand for products that is hampering the market’s development,” said Anna Maria D’Hulster, secretary general of the Geneva Association, the Zurich-based insurance think tank.
“Either way, the successful development of a cyber risk insurance market is an important goal for the further development of society,” she commented.
In its discussion of cyber risks’ insurability problems, the report said losses are difficult to measure because of a lack of data. “Moreover, even if there are data available, it is questionable whether or not historical data are a meaningful indicator for the future, due to the dynamic nature of cyber risks and thus the risk of change,” the report continued.
Another significant problem in cyber insurance is “information asymmetry,” as a result of adverse selection and moral hazard.
The report explained that companies that have experienced a serious cyber attack are more likely to buy insurance, which results in adverse selection.
“The insurers in the market try to alleviate adverse selection effects by screening (e.g. up-front audits), self-selection (e.g. questionnaires in the underwriting process), and signaling (e.g. certificates for IT-compliance),” the report explained.
Further, moral hazard occurs when there is a change of behavior after purchasing insurance. “One example is the insured’s lack of incentive to invest in self-protection measures … if full coverage is offered,” the report added.
While insurers use instruments such as screening (e.g. audit) and risk sharing (e.g. deductibles, cover limits) to reduce moral hazard, the GA report said, information asymmetries still pose a significant problem for the insurability of cyber risks.
“For instance, because of complex interrelations in modern IT systems, firms might be vulnerable to cyber risk even though they have invested in self-protection. Thus, the benefit of self-protection investments in one company highly depends on the investments in other, connected firms,” the report explained.
Coverage Limits, Exclusions
The development of a cyber insurance market is also being hindered by coverage limits, the report said, noting that policies tend to cover only limited maximum losses (US$10 to $500 million) and contain several exclusions, including those for self-inflicted losses, accessing unsecure websites, or terrorism.
Therefore, extreme scenarios – also known as “Cybergeddon” – cannot be covered well by existing insurance policies, the report emphasized. “Additionally, there might be indirect effects of cyber losses that cannot be measured and thus are not covered (e.g. reputational losses and their impact on stock prices).”
Policy complexity is another problematic aspect of coverage limits, GA continued. “Given the large number of exclusions and the dynamic nature of cyber risk, there is uncertainty about what the cyber policy actually covers. Worse yet, the policies in the market have no agreed-upon terminology, which makes the offerings very difficult to compare,” the report explained.
“While the cyber insurance market is currently in its early stages, as market development continues, the risk pools will become larger and more data will be available,” it said, noting that several new competitors have entered the market and more are planning to do so.
“Additionally, it will lead to a more uniform terminology and standardization of products.”
The report suggested that the industry should establish standards with regard to definitions, coverages and pre-coverage risk assessment, which will help to reduce some of the problems of insuring cyber risk.
The report compiles and analyses a database of 211 of the most significant industry reports and academic papers on cyber risk and cyber risk insurance.