Cyber Insurance on Growth Curve
Monday, October 19, 2015 @ 04:10 PM gHale
Cyber risk is a major and fast-increasing threat to businesses with cyber crime alone costing the global economy $445 billion a year, with the world’s largest 10 economies accounting for half this total, a new report said.
“As recently as 15 years ago, cyber attacks were fairly rudimentary and typically the work of hacktivists, but with increasing interconnectivity, globalization and the commercialization of cyber crime there has been an explosion in both frequency and severity of cyber-attacks,” said Chris Fischer Hirs, chief executive at Allianz Global Corporate & Specialty (AGCS) in the report entitled “A Guide to Cyber Risk: Managing The Impact of Increasing Interconnectivity.”
“Cyber insurance is no replacement for robust IT security but it creates a second line of defense to mitigate cyber incidents,” he said. “AGCS is seeing increasing demand for these services, and we are committed to working with our clients to better understand and respond to growing cyber risk exposures.”
Increasing awareness of cyber exposures as well as regulatory change will propel the growth of cyber insurance. With fewer than 10 percent of companies currently purchasing cyber-specific policies, AGCS forecasts cyber insurance premiums will grow globally from $2 billion per year today to over $20 billion over the next decade, a compound annual growth rate of over 20 percent.
“Growth in the U.S. is already underway as data protection regulations help focus minds, while legislative developments and increasing levels of liability will see growth accelerate in the rest of the world,” said Nigel Pearson, who is globally responsible for cyber insurance at AGCS. “There is a general trend toward tougher data protection regimes, backed with the threat of significant fines in the event of a breach.”
Hong Kong, Singapore and Australia are among those looking at, or already enforcing, new laws and the European Union is looking to agree upon pan-European data protection rules. Tougher guidelines on a country-by-country basis will be forthcoming.
Previously, attention has largely focused on the threat of corporate data breaches and privacy concerns, but the new generation of cyber risk is more complex: Future threats will come from intellectual property theft, cyber extortion and the impact of business interruption following a cyber attack or from operational or technical failure; a risk which is often underestimated.
“Awareness of business interruption risks and insurance related to cyber and technology is increasing. Within the next five to 10 years business interruption will be seen as a key risk and a major element of the cyber insurance landscape,” said Georgi Pachov, cyber expert in AGCS’s global property underwriting team.
In the context of cyber and IT risks, business interruption coverage can be very broad including business IT computer systems, but also extending to industrial control systems (ICS) used by energy companies or robots used in manufacturing.
Increasing interconnectivity of everyday devices and growing reliance on technology and real-time data at personal and corporate levels, known as the ‘Internet of Things’, creates further vulnerabilities. Some estimates suggest a trillion devices could end up connected by 2020, while it is also forecast as many as 50 billion machines could be exchanging data daily. ICSes are another area of concern as a number of these still in use today ended up designed before cyber security became a priority issue. An attack against an ICS could result in physical damage such as fire or explosion, as well as business interruption.
While there have been some very large data breaches, the prospect of a catastrophic loss is becoming more likely, but exactly what it will look like is difficult to predict. Scenarios include a successful attack on the core infrastructure of the Internet, a major data breach or a network outage for a cloud service provider, while a major cyber attack involving an energy or utility company could result in significant outage of services, physical damage or even loss of life in future.
Allianz also said the scope of cyber insurance must evolve to provide broader and deeper coverage, addressing business interruption and closing gaps between traditional coverage and cyber policies. While cyber exclusions in property and casualty policies are likely to become commonplace, standalone cyber insurance will continue to evolve as the main source of comprehensive cover. There is growing interest among the telecommunications, retail, energy, utilities and transport sectors, as well as from financial institutions.
The report highlights steps companies can take to address cyber risk. Insurance can only be part of the solution, with a comprehensive risk management approach being the foundation for cyber defense.
“Once you have purchased cyber insurance, it does not mean that you can ignore IT security. The technological, operational and insurance aspects of risk management go hand in hand,” said Jens Krickhahn, expert for cyber & fidelity at AGCS Central & Eastern Europe. Cyber risk management is too complex to be the preserve of a single individual or department, so AGCS recommends a ‘think-tank’ approach to tackling risk whereby different stakeholders from across the business collaborate to share knowledge.
Click here to download the report.