Cybercrime risk: the consequences for cyber insurers


This surge in demand for cyber insurance policies has presented the industry with a unique problem: while cyber premiums in the U.S. grew 22 percent in 2020, direct claims costs rose at the same time, as did the so-called defense-and-cost-containment (DCC) ratio, a metric that refers to the percentage of an insurance company's revenue that is paid out to injured parties.

Once that DCC ratio reaches 80 percent, an insurance company loses money on its policies. Last year it was already at 73 percent, up from 47 percent the year before, and had thus moved much closer to the critical 80 percent mark.

As the number of cyberattacks grows and public awareness of these incidents increases, so does the demand for insurance policies. But with each claim, the current model of cyber insurance becomes less profitable.

This presents insurers with a dilemma. Do they give up an important part of their business that until recently proved lucrative? Do they simply raise premiums to compensate for the increasing risk? Or do they try to limit risk by making compliance with certain cybersecurity standards a condition of the policy, with the consequence that insurers themselves would set a de facto minimum standard for companies' cybersecurity efforts?

How cyber risk is different

It is self-evident that the payouts an insurer has to make affect its profit. This applies to all types of insurance, from car insurance to travel cancellation insurance. In these areas, however, the risk can be mitigated relatively easily by assessing the risk for each policyholder and setting an appropriate premium, which can be determined from a wide range of historical data. For example, younger people are statistically more likely to be involved in car accidents, which is why car policies tend to be more expensive for younger drivers.

This way of quantifying risk has been the backbone of the insurance industry for years. However, few of the variables used to assess risk in other areas can be readily applied to cyber risk.

An insurer can evaluate the risk of a home being damaged by a hurricane based on several factors, such as historical data and location. Insurers can also be reasonably sure that a payout will be limited to the cost of repairing the building and replacing the contents of the home.

The risk of cybercrime, on the other hand, is still relatively new, so little historical data is available. Second, it evolves extremely dynamically, making it difficult to extrapolate the limited data available into the future. And third, the consequences of cyberattacks for victimized companies are difficult to bound precisely in advance. Many insured risks are based on the probability of a random event, not on a targeted and malicious threat; in cybercrime, however, both the possibilities and the scope of attacks are growing considerably. In addition, both security awareness and the protective measures taken vary from company to company, which makes it even more difficult to quantify the risk uniformly.

In addition, there is the problem of systemic risk. The impact of a home destroyed by a hurricane is generally limited to the building itself. Should a company fall victim to a serious cyberattack, however, its suppliers, customers, investors and banks, among others, may also be affected by the financial losses and the associated loss of reputation.

Since cybercrime knows no geographical boundaries, insurers are expected to take this domino effect into account when providing coverage. In the wake of the SolarWinds attack, for example, the New York State Department of Financial Services noted that insurers must consider systemic risk, which occurs "when a widespread cyber incident harms many insureds at once". Such an incident can cause massive spikes in payouts and limit the insurance industry's ability to plan properly, reinsure and remain solvent.

How will insurers react?

Demand for cyber insurance policies is not expected to slow down anytime soon. As the world becomes increasingly connected and everyone relies more and more on software, businesses in all industries need protection from outages, security breaches and other cyber incidents that could disrupt or, at worst, permanently damage their operations.

To meet this demand, insurers need some way to cover the rising cost of claims. While many are already raising premiums to address this risk, that is not a long-term solution.

Instead, some insurers are starting to rethink their policies and business models. In most cases, this means limiting policy coverage. AXA was one of the first major insurers to take this step, withdrawing coverage for ransomware attacks in France. Possibly in retaliation for the now-dying revenue stream, cybercriminals hit the company with a ransomware attack just days later.

Other insurers have begun to set stricter terms, or to offer discounts to policyholders who have certain security measures in place that prevent successful cyberattacks or at least make them much harder to carry out, similar to the car insurance policies offered to drivers who agree to install GPS black boxes.

Exciting times for cyber insurers

Setting such conditions is not a new concept. A widely known example dates back to the early 1900s. In response to a sharp increase in steam boiler explosions, the Hartford Steam Boiler Inspection and Insurance Company (HSB) in the U.S. required anyone who wanted to take out boiler insurance to use a particular piping configuration. As a result, the number of boiler explosions and the resulting damage claims fell considerably.

There is no doubt that HSB thereby changed the industry for good: this particular piping configuration quickly became known as the Hartford Loop and is still in use today.

By setting a minimum acceptable standard for insurance coverage, the company was able to increase its profitability and improve the safety of the entire industry. Cyber insurers now have the same opportunity to set new standards in their field.

If they get it right, they could use this to spur widespread change and help both large and small companies raise their security measures. Clearly defined and prescribed security procedures would not only raise everyone's security level; they would also help solve a growing problem many CISOs currently face: the risk of sharing data with related entities, be they suppliers, partners or contractors. A minimum level of security for all would considerably improve both security and risk assessment here.

If, on the other hand, insurers take a less rigorous approach to this task, they may soon find that a once-profitable offering becomes an economic disaster, despite a veritable explosion in demand. This could have enormous, and no longer insurable, financial consequences for companies and individuals alike.

Undoubtedly, the problem facing cyber insurers today is more complicated than the one HSB once faced; it is not just a matter of a simple pipe installation. The challenges and complexities are much broader, and cybercriminals are constantly evolving their methods and tactics to remain effective and impactful from their perspective.

But just because setting the right standards here won't be easy doesn't mean there isn't a need for it. With 79 percent of German businesses facing the risk of a serious cyberattack in the next 12 months, the seven-percent buffer in the DCC ratio is unlikely to last much longer. Something must be done, and quickly.