With the global cyber insurance market expected to reach $14 billion by 2022, according to Allied Market Research, it’s no wonder more insurers are looking to offer cyber coverage. But small insurers have been sidelined in this market due to the difficulty of pricing the products.
Hartford Steam Boiler, an insurer that began covering risks associated with steam boilers 150 years ago, is one carrier that is offering a way for small insurers to get in the game. It is now offering small insurers the ability to sell cyber policies to small and midsize businesses (SMBs), according to HSB Vice President Eric Cernak.
HSB claims that this vulnerable market segment – 60 percent of SMBs go out of business within six months of a cyberattack – is drastically underserved.
Cernak said small insurers have not been able to afford to write cyber policies for SMBs because the time and effort required to assess cyber risk outweighed the relatively small premiums they’d collect.
“This is a risk that kind of has evolved over the last 15 or 20 years…because of the lack of data and the lack of modeling available relative to the risks, pricing was relatively uncertain so there was a degree of variability between insurer A and insurer B on how to price this and the smaller companies couldn’t afford the coverage because of the variability and the unknown risk,” Cernak said.
While the Allied report notes that the lack of standardized policies may be an obstacle to companies buying cyber coverage, Cernak believes complicated coverage offerings and the perception of an insufficient threat have also impeded the purchase of cyber policies.
“They [SMBs] simply don’t see themselves a target for criminals to infiltrate their systems,” Cernak said, though he noted a recent shift towards purchasing cyber coverage due to SMB systems interacting with larger systems.
“So, if you’re a small business that is working with large organization and you’ve got credentials to get in their system because of some part of the operational aspect of your arrangement, the criminal element is starting to recognize that,” Cernak added.
The National Association of Insurance Commissioners has weighed in on the difficulty of writing cyber coverage.
“Cyber risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data. Insurers compensate by relying on qualitative assessments of an applicant’s risk management procedures and risk culture. As a result, policies for cyber risk are more customized than other risk insurers take on, and, therefore, more costly,” according to the NAIC.
Thus the type, size and scope of the business will play a role in coverage needs and pricing, as will the number of customers, the presence on the Web, the type of data collected and stored, and other factors, the NAIC found.
Cernak said that better data and tools should aid in convincing SMBs of the need for cyber coverage.
The 150-year-old insurer, using an economic model developed by Cyence, quantifies cyber risk in dollars and probabilities to aid insurers in pricing cyber policies efficiently and cost-effectively. The model looks at certain data elements like the frequency of attacks occurring, technical patching, policies, procedures and even employee sentiment. The model aids in determining whether a company is an attractive target and susceptible to attack.
“The small commercial entities are probably the next kind of frontier in terms of who is going to be buying this coverage and I think as we get better data, as we get better tools from a risk modeling or risk selection standpoint, that’s going to aid in our ability as an industry to convince these folks that they really do need this type of cover,” Cernak said.
He said the line of business is different than most, since carriers are insuring against an active adversary.
“The idea is to be able to look at what’s going on in the environment and see how often these attacks are occurring,” Cernak said.
One of the reasons the cyber insurance market is expected to grow is the continued increase in data breaches.
Allied’s Cyber Insurance Market Report sees this as an opportunity for insurers and reinsurers to innovate cyber insurance products that manage various degrees of risks and cover cost-associated data breaches, credit monitoring, forensic investigations, reputation management, and business interruption.