Cyber – a risk we need to insure
Article information and share options
The notion that cyber-crime is restricted to lone hackers working from a PC in their bedroom is long outdated. Sophisticated and interconnected groups now target companies and individuals in increasingly audacious attacks: Hotel chain Marriott recently discovered an attack affecting up to 500 million records, Singapore also suffered an attack which exposed 1.5m people's health records, while the NotPetya malware in 2017 impacted different sectors like global shipping business or critical infrastructure (e.g. in the Ukraine).
Increasing demand for cyber cover
The losses faced by victims of cyber-attacks are driving a rise in the sales of cyber insurance policies, leading to a market growth of around 25% per year. But how prepared is the re/insurance industry to meet the increasing demand for cover, and where are the areas of greatest need?
Grappling with silent cyber and risk accumulation
Cyber is a challenging risk for re/insurers and many are still in the process of defining their own risk appetite. There are two main categories of cyber risk:
- Affirmative cyber risk - insurance policies that explicitly include coverage for cyber risk
- Non-affirmative cyber risk, also known as silent cyber – traditional property, liability and marine policies that do not explicitly include or exclude coverage for cyber risk, but are nonetheless exposed
Insurers must define their risk appetite for exposure to affirmative cyber, while also identifying what levels of silent cyber risk they are accumulating in their portfolios. The insurance industry is currently working hard to detect both silent and hidden cyber exposures in their books and either make them explicit and then assess and price them, exclude them, or- at the minimum- monitor them.
This will allow the industry to take the next big step to define cyber as a distinct line of business and ultimately meet the increasing demand for cover.
How we help our clients
It's clear that there is great potential in the cyber risk insurance market and we want to support our clients in building a sustainable and profitable book of business.
Our proposition for insurers consists of reinsurance capacity, expert advice, a suite of cyber solutions, including product development support, cyber analytics on single risks, portfolios and accumulation pathways as well as a better understanding of how to manage the accumulation of risk.
Big opportunity to support SMEs
While an increasing number of companies are buying cyber insurance to manage their risk, these are generally large corporates.
However, in many ways it is the small and medium-sized enterprises that are the most in need. They are just as vulnerable as any larger firm, but they are more likely to be without the necessary resources and in-house skills to design and implement a comprehensive cyber security strategy.
Here we believe that insurers can build partnerships with SMEs that go beyond pure risk transfer and offer a variety of support services, like crisis management support or help with preventative measures. The smaller the company, the more important such support services are.
Building a sustainable cyber market
From an insurance and risk-management perspective, Swiss Re is looking to build risk partnerships among insurers, customers, technology companies and other partners as a way to build cyber resilience.
This can be through a combination of products or product packages that support customers where they need help. As cyber-risk becomes ever more sophisticated, we believe that insurers need to go beyond providing purely financial support and expand into a holistic risk-management service that should help build stronger relationships and mitigate the increasing cyber risk.
Swiss Re has built up knowledge on silent and affirmative cyber covers and developed solutions to help individuals, firms and governments to better manage the rapidly evolving and increasing cyber risk.