2020 broke all records for cyber-attacks. How has the pandemic changed the cyber insurance market?
One of the impacts of the pandemic was a huge quickening of digitalization, which has increased exposure. Over the past months there have been some prominent attacks, impacting many people and generating high losses. This resulted in a heightened awareness among company leaders, who realised that cyber is a real risk to their business. Insurers, in turn, had to adjust to the changed risk landscape, and thus we have seen a stronger push towards better cybersecurity practices, as well as rising prices.
One of the pandemic’s impacts was a huge quickening of digitalization, which has increased exposure.
Will the pandemic trigger a further rise in cyber claims?
I think we are already seeing that now with the rising losses and deteriorating claims ratio. Whether that is directly linked to companies moving their employees into home offices or embracing more digital business models is hard to say. The real reason could be simply ransomware gangs pushing their business model much more aggressively.
The cost of cybercrime this year could total as much as $6 trillion dollars. Can the cyber insurance market really offer meaningful risk transfer?
It is a valid question, if you compare $6 trillion to $7 or $8 billion in global cyber premiums, which is the current size of the cyber insurance market. For many companies, especially SMEs, cyber insurers are taking on a sensible portion of their risk. At the same time, cyber insurance often comes with services that support the insureds before and after an incident, which they find invaluable in helping them to get back on their feet after a cyber-attack.
Equally, the insurance industry is trying to become more comfortable with the risk through better data and modelling. To generate more risk capacity, public-private solutions for the largest cyber-attacks should be looked at, as well as exploring alternative sources of risk capacity, such as the capital markets.
Do you mean government-backed cyber-reinsurance pools?
It is high time we talk about public-private risk transfer solutions. We know that there are cyber risks that are too big to be borne by the private insurance industry alone. I think we need to discuss as a society who will pay for these losses before such a big event happens.
In 2021 alone, rates for cyber insurance have gone up by 30-50%. Has the market reached its limit?
While some news outlets are already talking about a “crisis”, we believe that the current situation is more a stage in the natural development of a still-young market. A crisis might arise if the ransomware epidemic continues to worsen, rendering certain risks like business interruption following a cyber-attack effectively uninsurable. But we are not there yet, and I am optimistic that the measures insurers have taken to improve the quality of their cyber books will be successful.
Some are talking about a ‘crisis’, we believe that the current situation is more a stage.
The insurance industry’s practice of reimbursing companies that pay ransomware gangs has been questioned. What’s your view?
If a company has been hit by ransomware and its only chance to get its data back and become operational again is to pay that ransom, then that is an obvious choice for them. But in the longer-term, paying ransoms is counterproductive. They basically fuel a vicious circle, which is neither healthy for the insurance industry or for the wider economy. While not paying the ransom might be the right thing to do, the affected victims will need to take their individual circumstances into account before taking a decision.
What else needs to be done to counter the threat of cybercrime?
I think a lot of companies can still do more to increase their own cybersecurity maturity and their cyber resilience. This also includes working together more closely on exchanging data. A good example of this are the ISACs, or Information Sharing and Analysis Centers, that exist for sectors such as the automotive, aviation and energy industries. It’s also important that companies share information with official bodies, such as their country’s national cybersecurity centres and law enforcement agencies. At an international level, we need more diplomacy and collaboration to come to agreements on how to combat cybercrime and create a safe and secure cyber space.
Each technological innovation brings a new threat. How do insurers respond to such fast-changing risks?
Because the technology, actors and threats are always changing, we need to run very fast just to keep up with the risk. We try to understand what kind of impact the new technology has on the risk landscape, by trying to get data to model those risks and then either build products around them or adapt our existing products. The innovation cycle within the cyber insurance market is very active.
Are there any new risks that particularly worry you?
One of the areas that isn’t new, but remains largely unsolved, is the industry's ability to deal with cyber exposures in other lines of business. Silent cyber exposures should be eliminated in a way that 'allowed' inherent exposures are made explicit, affirmed, and priced for. And 'unwanted' residual exposures should be excluded and moved into the cyber market.
How about emerging risks?
Supply chain risk is one that will keep us busy in the future. It is not to be underestimated because it is not dependent on one technology. I think that is the one that we need to get our hands around.
What more does the industry need to face tomorrow’s challenges?
First, we need to have enough great people with knowledge about technology and insurance, as well as cyber expertise to be able to underwrite and grow this demanding risk class in the future. And secondly, we also need to invest more into data availability and data capabilities for the same reasons.
