An Insurtech Perspective on WannaCry and the Cyber Insurance Market 

This is a guest post. The views, opinions and positions expressed by the authors are theirs alone, and do not necessarily reflect the views, opinions or positions of Coverager.

 

Hospitals, retail chains, technology companies, hotels and financial institutions have all been purchasing insurance against cyber-attacks in recent years. As the cost of cyber-crime increases dramatically, so do organizations’ cyber security budgets. However, the only product that reimburses a company for cyber damage once it has occurred is a cyber insurance policy. Banks require such policies as part of their vendor acceptance process. Board members require companies to purchase coverage to be sure they are covered against a potential cyber breach, and worried CEOs are purchasing cyber policies because potential customer lawsuits can mean the end of an SMB.

 

Considering the WannaCry catastrophe, more businesses will seek to purchase much-needed cyber coverage. But will this line of business still make financial sense to insurance companies in the coming years, when historical data is missing and dedicated technology has yet to mature?

 

Cyber policies cover damages caused by malware, ransomware and downtime events, as well as forensics costs, regulatory fines and more. Recently, AIG has even offered some form of physical damage coverage as part of its cyber-edge 2.0 policy, as well as a family policy for high net worth clients.

 

Carriers, brokers, MGAs and reinsurance companies have all noticed the opportunity to enter this new market, which according to Allianz is expected to reach $20B by 2025. The business potential is overwhelming, as any business, whether small or large, may encounter a cyber-attack that halts its operations or harms its customers by publishing personal data such as medical records or credit card data.

 

However, the insurance ecosystem faces a big challenge before this market can reach its full potential. The industry lacks the claims-history data and the technology that are crucial to its analysis and decision-making process. Underwriters, who are responsible for that process, and risk officers, who are responsible for avoiding organizational catastrophes, are blind to the actual risks they are insuring.

 

In the case of WannaCry, a single event on a random Friday afternoon created a storm of claims in over 70 countries. The largest number of attacks occurred in Russia, but Ukraine, India and Taiwan also suffered damage from WannaCry. This may happen again.

 

The challenge, then, is how an underwriter can decide, in a cost-effective manner, which customers to insure and how to price the policies so that the business stays profitable. The second problem is that each customer on its own may carry a specific risk that is low, but if a large group of low-risk customers suffers an attack at the same time (ransomware, for example, as in the case of WannaCry), the damages to insurers and reinsurers may be too high, and loss ratios might reach levels that would make cyber insurance products unviable for insurers to offer. In essence, the systemic risk must be managed to the level at which the residual risk is consistent with the insurance company’s risk appetite.

 

Pricing such risks and avoiding catastrophes is a key part of the work of cyber insurance underwriters and chief risk officers. Today that work is based mainly on questionnaires and on technology that was designed to address other business problems, such as vendor risk management, and is neither dedicated to nor designed for cyber coverage.

 

Predictive analytics technology dedicated to cyber insurance underwriting is the missing element needed to ensure that cyber insurance becomes a profitable line of business. Insurance companies will feel comfortable with such risks once technology is available to support the underwriting and risk management process.

 

Nir Perry is the CEO & founder of CyberWrite, a cyber security predictive analytics startup delivering cyber insurance technologies for the insurance space. He previously held leading roles in security at Accenture and at PwC, leading cyber security activities for global insurance companies.