The Organization for Economic Co-operation and Development (OECD) released a report on ‘Supporting an effective cyber insurance market’ on May 13. The report was prepared for the G7 Finance Ministers and Central Bank Governors meeting on 11-13 May 2017.
Types of coverage
The report looks at coverage as a stand-alone policy, as a specific endorsement on existing policies or as part of traditional coverages without a specific endorsement.
Cyber-related losses are sometimes excluded from property, crime, kidnap and ransom, liability and other traditional insurance policies. The report notes that exclusions could be in the form of general exclusions of all losses resulting from a cyber-attack or incident or exclusions applied to exclude liability related to data breaches or data restoration. Most stand-alone cyber insurance policies have been developed to close the gaps arising from these inclusions and from the requirement that there be property damage in order for business interruption coverage to be triggered.
Where mentioned exclusions are applied, there might be coverage from traditional insurance policies. This may be explicitly understood by the insurer and policyholder, for example through the inclusion of a specific endorsement providing such coverage. While in other cases, it might take a claim dispute and/or litigation to “discover” the coverage.
Challenges in immature market
The stand-alone cyber insurance market reached an estimated USD 3.5 billion in written premiums in 2016. Approximately USD 3 billion was written on behalf of US-based companies and USD 300 million was written on behalf of European companies (miniscule in comparison with USD 373 billion and USD 230 billion of gross written premiums in the motor vehicle and fire/property insurance lines respectively in the G7 countries during 2015).
Take up of commercial property and liability insurance coverage potentially approaches 100% of all businesses in most mature insurance markets. In contrast, only 20% to 35% of all US companies have specific (stand-alone or endorsed) cyber insurance coverage. In Europe and UK, an estimated 20% to 25% of mid-to-large companies (which have a broker) have purchased specific cyber insurance. Few companies have assessed the potential financial impact of a cyber-incident.
There are broad differences in coverage available from different insurers and policies may not be covering some important losses.
The report cites examples which are rarely covered in either stand-alone cyber policies or traditional insurance policies, such as a large privacy breach or loss of value of intellectual property due to its theft through cyber-espionage. In both cases, the key impediment to coverage is the difficulty in quantifying the value of the future business that has been lost due to reputational damage or the reduced ability to exploit the commercial value of intellectual property.
Premiums for cyber insurance per million in coverage has been estimated to be three times more expensive than general liability coverage and six times more expensive than property coverage. Reasonable pricing is hindered by the absence of historical data and collection of data is obstructed by the continuing reluctance of victims of cyber incidents to share information on these events and their impacts.
Another factor for the pricing is the high potential for cyber-related losses to be correlated across insured entities, where a number of insured companies are affected by the same or same type of incident, such as through use of commonly-used software with a vulnerability or attacks on common information technology infrastructure, such as a cloud service provider.
Better, more comprehensive data on the frequency and impact of cyber incidents would be essential for quantifying exposures. This would provide more confidence in the underwriting of insurance coverage for cyber risk, thereby supporting availability and affordability.
The report states that the development of a more comprehensive data set on cyber incidents would most probably require 1) a common classification of cyber incidents and types of losses; 2) a trusted party (e.g. government agency) to collect and report the data; and 3) incentives or requirements for reporting by companies affected by cyber incidents and insurance companies that have paid related claims.
Most governments have adopted national cybersecurity or digital security strategies. But they do not always address cybersecurity as an economic and social risk management issue. National strategies could provide incentives for businesses to measure and manage their exposure to cyber risk. They could also consider the benefit of further co-operation and coordination between government bodies in charge of cyber security, which could include insurance regulators.
The report says that governments can also play a role in ensuring that clarity is provided on the extent of coverage for cyber risk included in stand-alone and traditional policies. This could be done by encouraging the insurance and policyholder communities to develop a common understanding about the appropriate place for cyber coverage and/or establishing requirements for insurers to provide greater transparency on the coverage provided and losses that are excluded).
Read the full report here.