Cyber risk is one of the most pertinent global threats facing the world today. With firms’ and individuals’ reliance on technology only set to increase, the frequency and severity of cyber incidents is likely to rise in turn. The cyber insurance market is set to undergo significant growth in the coming years, accelerated by increasing levels of liability and data protection regulation.
The latest issue of The Geneva Papers on Risk and Insurance, guest edited by Professor M Martin Boyer, is dedicated to cyber risks and insurance, a topic growing in popularity not only amongst academics, but also amongst corporate researchers.
This special issue focuses on both the demand and supply side of cyber risk insurance and covers three broad themes:
The cost of cyber events
Palsson, Gudmundsson and Shetty (Analysis of the impact of cyber events for cyber insurance) investigate exposure to cyber incidents across corporate sectors. They find that malicious breach incidents dominate cyber threats across all sectors and that they most often target personal financial information. Phishing and malicious breach incidents are associated with much higher losses than cyber extortion. They also reveal that incidents attributed to hacktivists, foreign nation states and terrorists have several things in common: They involve mostly malicious data breaches and network disruptions and mainly target personal identity information and corporate business income/services. Such insights can help in designing cyber insurance policies that are sector and asset specific.
US stock market’s reaction to cyber attacks is investigated by McShane and Nguyen (Time-varying effects of cyberattacks on firm value). Investors were found to react more negatively to cyber events that cause immediate business interruption losses than to events involving less direct losses, such as consumer data. The market also seems to react more negatively to attacks involving insiders, perhaps because these cause concerns about the company more generally, and to attacks affecting credit card and personal data. Overall, the authors document a U-shaped relation between shareholder reactions and cyber attacks over the 10-year study period. They also document that firms in the retail and service industries suffer greater negative market reaction than others.
Mega data breaches can have considerable monetary impacts on companies as a result of legal fees, loss of customer trust and revenue or decreases in stock price; however many still struggle to estimate their cost and make justifiable risk management and cyber security decisions. Poyraz, Canan, McShane, Pinto and Cotter (Cyber assets at risk: monetary impact of US personally identifiable information mega data breaches) analyse the direct impact of large cyber security breaches that could lead to the illegal use of personally identifiable information and find that the cost of such breaches increases with company revenue, the number of people affected and the number of class action lawsuits. Their model can also be used to examine the potential loss of future breaches.
Cyber insurance contracts
In their analysis of the US cyber insurance market, Xie, Lee and Eling (Cyber insurance offering and performance: An analysis of the US cyber insurance market) look at what drives insurers to offer cyber products. Though most industry reports view the realisation of growth opportunities as a primary motivation to write cyber insurance, they find that insurers do not participate in the cyber insurance market simply to overcome constraints on their business growth. Rather, the decision to participate can be best explained by a careful evaluation of potential competitive advantages in understanding and pricing cyber risks. The type and amount of coverage offered vary substantially and standalone coverage is found to incur higher loss ratios than packaged coverage, demonstrating its riskier nature. They conclude that cyber risk insurance is extremely profitable, with industry loss ratios below 50% and more than half the insurers paying no claim in any given year.
Woods and Weinkle (Insurance definitions of cyber war) delve into cyber insurance contract wording, focusing specifically on war clauses and definitions of cyber war. Based on an analysis of 56 policies, they conclude that insurers specialising in cyber insurance have converged to an equilibrium of circumstances that exclude war but include terrorism. They say this has the potential to make cyber terrorism, or cyber attacks more generally, ‘normal risks’, in which losses are tolerated and expected as part of economic activity.
Traditional insurance lines are increasingly affected by claims resulting from cyber risks. Wrede, Stegen and Graf von der Schulenburg (Affirmative and silent cyber coverage in traditional insurance policies: Qualitative content analysis of selected insurance products from the German insurance market) examine cyber insurance coverage in traditional insurance policies in Germany and uncover considerable cyber liability risk potential for insurers due to imprecise wording in insurance clauses and insufficient descriptions of the contractually-specified scope of the insurance coverage.
Cyber risk in specific industries
As insurance companies increasingly utilise data collected from internet of things (IoT)-connected devices to determine premiums more effectively and provide better products, the potential cyber risks also increase. Leong and Chen (Cyber risk cost and management in IoT devices-linked health insurance) study the potential cyber risks associated with IoT devices-linked health insurance. They find that IoT insurance products that use better technology and provide more incentives to policyholders to maintain good health increase cyber risk. Their model can also be applied to other IoT insurance products.
IT service outages are a type of cyber risk not necessarily caused by a malicious act but are rather similar to IT-related supply chain glitches. They can have dramatic consequences, including lost revenue and productivity and reputational damage. As such, companies pose demanding requirements on IT service continuity. Franke (IT service outage cost: Case study and implications for cyber insurance) studies actual IT service outage costs incurred in three sectors in Sweden: Transportation, food and government services. He shows that some enterprises incur only a fixed outage cost while some incur (almost) only lost productivity or revenue. These results open the scope for product development – for instance insurance policies covering productivity loss – and stress the importance of considering the interdependency of IT service outages in insurers’ risks portfolios.
The issue demonstrates the diverse nature of cyber risk and shows how far the cyber insurance market has come. It also reveals that there is some way to go to inferring what the demand and supply of cyber insurance should be. With the increased availability of data on cyber losses, more research may be developed and shed further light on the insurability of cyber risk.
This article first appeared in the November 2020 issue of the Asia Insurance Review.