Wednesday, June 21, 2023
A view on the cyber insurance market from Astaara

Summary

The cyber insurance market is not helping itself by treating itself as a single class of business. The underwriting approach and coverage requirements differ between sectors of the economy. By creating specific areas (sub-classes) within the cyber insurance market, the market can more confidently offer solutions that are robust and appropriate for both clients and capacity providers.

Detail

Mainstream carriers have questioned the long-term viability of the product, and the introduction of the new (2023) LMA state-sponsored cyber-attack clauses has generated much debate. But what does all this activity really tell us?

We know the following:

· The digitalisation of economies will continue

· Cyber-attacks will continue

· The cyber insurance market continues to grow rapidly

· The uptake of cyber insurance in the US is ahead of Europe, which is ahead of Asia

· The upsurge in ransomware claims caused a re-underwriting of many cyber portfolios

· Understanding of aggregation of exposures remains in its infancy

So, what to make of this?

The first three points are obviously interlinked: digitalisation requires computers, which in turn can be hacked, which creates a need for an insurance solution that enables businesses of any type to operate with confidence.

It seems reasonable to conclude that cyber insurance solutions will continue to be required and will therefore be offered.

The second three points are also interlinked: the cyber offering is at different levels of maturity in different markets, and the re-underwriting of portfolios has necessarily focused on existing portfolios (price, retentions and coverage), which in turn means the focus on exposures is on what has already been underwritten.

However, the fourth point also indicates that the cyber insurance market, whilst out of its infancy (and probably in its difficult teenage years), has yet to reach maturity: initially the cyber insurance product was developed by spotting opportunities and innovating, but understanding was (understandably) low, and recent years have required a response to the surge in ransomware in order to bring stability.

It should also be noted that recent responses need not be considered permanent; they are better seen as a temporary response until such time as the market evolves (product, capability, market penetration, regulatory) and understanding and experience improve.

In conjunction with the first three points (cyber insurance is here to stay), it is also reasonable to conclude that the main questions are what the cyber insurance market will look like and how it will operate, rather than whether it will exist.

The increasing role of regulation

Many classes of business benefit from regulation: property insurance benefits from building controls, and hull & machinery insurance from classification societies, to name but two.

It is often said that there is no ability to apply regulation to cyber insurance. This is not true: cyber regulation exists and is growing. Headline regulations include the EU’s General Data Protection Regulation (GDPR), which targets the protection of personal data; the EU’s Network & Information Systems Directive (of which an updated version, NISD2, came into force in January 2023), which targets critical national infrastructure; and the EU’s Digital Operational Resilience Act (DORA), which targets the financial services industry.

There is also a whole area of non-headline regulatory activity that brings expectations of good cyber risk management into the day-to-day operations of businesses that rely on computers. An example is the International Maritime Organisation’s (IMO) cyber guidelines for shipping. These make it a requirement to be cyber secure, with non-compliance meaning that the legal defences, should an attack happen, are removed.

The key cyber security frameworks, such as the US NIST model (being the most prevalent) and others such as the UK’s Cyber Assessment Framework and Cyber Essentials regimes, provide businesses with the information they require to meet these standards.

We are also seeing a gradual expansion of the cyber regulatory environment, both in terms of sectors and depth (i.e. bringing in new sectors, and bringing in suppliers to operators of critical infrastructure as well as the operators themselves).

Therefore, the cyber insurance market can already build regulation into its approach, both in underwriting models and in its expectations of clients.

A mature cyber insurance market needs to embrace the use of sub-classes

There are various traits a mature insurance market shows, including the ability to differentiate risk, the ability for clients to manage exposures, wordings designed for different sectors of the economy, and terms that respond to how the client conducts business. Otherwise, the solutions offered will invariably be a square peg in a round hole.

As a starting point we (Astaara) think it is necessary to improve how the cyber insurance market is structured. As identified above, it is counter-productive for all stakeholders – insurers, brokers, regulators and (most importantly) clients – to view cyber insurance as one blob.

Sub-classes need to be defined in cyber insurance, as they are in other classes of business. Sub-classes provide context for what is happening in a portfolio. They enable differentiation and an improved ability to focus on each portfolio, and across different portfolios.

These sub-classes need to have clear characteristics that delineate them from the other sub-classes. Cyber insurance is not (always) different from other classes of business: property, casualty, marine etc. all operate with sub-classes, and Lloyd’s operates its risk code scheme for a purpose.

The primary sub-classes cannot replicate those that already exist, as cyber ignores the traditional silos of marine vs non-marine and physical damage vs casualty, where never the twain shall meet.

We propose that these sub-classes should be:

1 – SME cyber: Cyber insurance for small and medium sized businesses (per UK Govt definition) – This equates to greater than 95% of businesses by the employee metric used by the UK Office for National Statistics

2 – Large corporate cyber: Companies that are larger than the SME definition above, but are not considered to operate in a heavily regulated or risk-managed environment, although certain standards can be expected

3 – Cyber specialty: Businesses that are highly regulated and heavily risk-managed (these can be either SMEs or otherwise considered large corporates)

What are the benefits of this approach?

It is an old adage that the past informs the future…

The basis for the material growth of the infancy years of cyber insurance has been SME businesses, and this experience has driven the analysis of cyber insurance performance, which in turn has driven the thinking of insurers and regulators and, ultimately, the commentary the client base hears.

SME companies can rarely afford specialist in-house IT support; they need to be able to use the software available from reputable suppliers with confidence, and that is what the SME cyber insurance product should provide for.

Necessarily though, the operational models (and underwriters’ expectations) of complexity and sophistication are greater for larger, more highly regulated and heavily risk-managed enterprises – aka large corporate cyber and cyber specialty risks.

Embracing the idea of sub-classes will allow:

· The market to show that it is able to respond to the different requirements of clients, by embracing an approach that differentiates client requirements in proportion to the risks faced.

· Different underwriting approaches to be developed for each sub-class in cyber insurance, because the scale, complexity and sophistication differ and, let’s be honest here, because the minimum cyber resilience requirements for large corporates and cyber specialty companies need to be greater than those required for the SME sector – otherwise it is a case of square pegs and round holes.

· The usual subsequent underwriting management activities of conduct risk, coverage (what is and is not covered), exposure (limits and retentions) and therefore reinsurance requirements can then be tailored to the different sub-classes of cyber insurance business available.

Why is this important?

The forecast growth projections for cyber insurance mean that it will remain in the spotlight. For this growth to happen smoothly, additional capacity needs to enter the market with confidence.

The ability to target the different segments (aka sub-classes) with appropriate models for underwriting and underwriting management will allow discerning capacity providers to better determine where they allocate their capacity. This will enhance the overall market.

Recent responses from market players and regulators alike have been to withdraw capacity and impose exclusions such as the LMA state-sponsored cyber terrorism exclusions. These blunt responses indicate knee-jerk underwriting reactions to prior poor underwriting approaches and/or a lack of belief in being able to evidence, or worse, understand that a cyber loss can impact different companies in different ways.

Where a company is viewed as a cyber specialty risk then, as explained earlier, the underwriting model needs to be advanced, detailed and sophisticated, and the client needs to expect a material number of difficult/complex questions that reflect developing technology capability and the ever-changing threat landscape. However, as this cannot fairly be expected of an SME business, a different model needs to be deployed. One size does not fit all.

In conclusion, the cyber insurance market needs to recognise its different sub-classes. If it does not, it will end up with an outcome that is materially unhelpful for all stakeholders, but most importantly for the clients we serve. They want a product that is designed for them and underwritten by those who understand their businesses – and that is our real mission: to celebrate and promote the differences within cyber insurance.

As ever, we at Astaara stand ready to support our clients through their cyber journey. #resilienceandrecovery

  • James Cooper
    Managing Director