Technological advances have brought many improvements to our day-to-day lives and many incredible discoveries, but have also exposed consumers and businesses to a new set of risks and challenges. In this article we explore what some of these are and how they affect the insurance industry, and in particular its coverage of cyber incidents.
We are facing the last stage of a changing technological shift. The internet, which used to be a place where we “went” (cybercafe), is now a ubiquitous reality in which we “live”. Our house, car, or the way in which we shop and interact with people is filled with the presence of algorithms. This trend has also been fueled by the Covid-19 pandemic. We now have a split screen existence, where part of our time takes place in the real world, and the other half is in the virtual. This technological advance, which has brought many improvements to our day-to-day lives and many incredible discoveries, has also exposed us to a new set of risks and challenges. In this article we explore what some of these are and how they affect the insurance industry, and in particular its coverage of cyber incidents.
The insurance sector has not been oblivious to this evolution. In fact, cyber represents a fast-growing market. According to Forbes in 2021, the cyber insurance industry wrote $10 billion in premiums (in comparison with the $600.000 for the year 2010). As for the future of the industry, the Swiss Re Institute, has projected that the cyber sector is expected to grow 20% annually, reaching $23 billion in underwriting premiums by 2025.
The International Association of Insurance Supervisors (IAIS) has confirmed this pattern of growth in its recently published Global Market Report (GIMAR). In particular, it has explained this growth due to “the higher frequency and severity of cyber-attacks, a greater cyber-attack surface as a result of digitalisation and remote working policies, and a riskier cyber landscape [which is] expected to continue to push demand for cyber coverage to record levels” (GIMAR special topic edition, 2023).
Amid the myriad of conclusions offered by the Report, one may underline the following:
Furthermore, we are of the opinion that the technological evolution poses a greater challenge to the industry due to the widespread nature in which one single attack can expand its effects all around the world. In particular, some of the challenges associated with this new line of business could be:
According to the data offered by GIMAR, the insurance sector is adjusting its exposure to cyber in many ways. For instance, by applying “affirmative coverage risks mitigation strategies” such as reducing policy limits (84%), increasing deductibles (64%) or making terms and conditions contingent on IT risk controls (e.g., multi-factor authentication) [48%]. At the same time, about 64% of insurers provided cyber advisory services, either as part of the policy or as an add-on to shore-up the insured’s capabilities.
Special attention should be made to the importance of cyber hygiene (i.e., the implementation of best practices in the use of cyber assets) as a pre-requisite of the coverage. We believe that this precondition would lead to a virtuous cycle which will improve our network resilience. As an example of its importance, one may take consider the Cybersecurity Certification Scheme introduced by Singapore’s Cyber Security Agency “to promote cyber hygiene measures with a view to partnering with the insurance industry to encourage the adoption of cyber insurance” (vid. page 21 of GIMAR’s report).
Another way to avoid the crippling effect that these systemic risks may cause is to exclude such incidents from insurance policies. That may explain why an insurance-powerhouse such as Lloyd’s will require insurance operators to include exemptions preventing the coverage of “state-backed” incidents.
In conclusion, taking into consideration that cyber is still in its infancy, we do find that insurance will have a leading effect on the evolution to a new cyber culture which will enhance our resilience against cybercrime and better the digital environment. The rapid distribution of this type of products will generate economies of scale that will lead to a higher insurance penetration rate.
At the same time, the need for higher cyber-standards will increase our cyber-culture, resulting in a stabilisation in the medium term of the number of declared incidents, which will rein in costs and increase profitability.