FITCH: increasing demand for cyber insurance may be both an opportunity and threat for insurers
Cyber insurance brings opportunities for business growth and diversification for some insurers but could be a credit negative for others given the potential to generate larger future losses.
The number of U.S. data breaches increased 44.7% in 2017, according to the Identity Theft Resource Center and Cyber Scout. Such a large one-year jump in incident frequency, combined with numerous higher profile and more severe events in 2017 such as the Equifax breach and the Wannacry and NotPetya ransomware attacks, highlights how challenging it is for insurers to underwrite and actuarially price cyber exposures in a rapidly evolving environment.
Cyber insurance is currently a profitable niche segment for many insurers but as the market grows and becomes more competitive, Fitch believes that this opportunity may erode. Also, newer market entrants may be more vulnerable to underpricing risks and exposure to large future losses as they may lack the unique underwriting and claims expertise needed for cyber insurance.
Demand for cyber insurance is likely to grow. Risk surveys such as the recent Allianz Risk Barometer 2018 report continue to list cyber as a top-10 business risk. However, the Council of Insurance Agents & Brokers's December 2017 Cyber Insurance Market Watch Survey indicates that only 31% of respondents' clients had purchased some form of cyber coverage. Further, a 2018 report by Lloyd's and AIR Worldwide estimates that a cyber event that knocks out a major U.S. cloud provider for several days could cause USD 6.9 billion to USD 14.7 billion in damages, with only about 20% of those losses insured.
Demand for cyber insurance will also be spurred by increased regulation. New York Department of Financial Services cybersecurity regulations that went into effect in 2017 introduced new compliance certification requirements for financial service companies. This year, the European General Data Protection Regulation (GDPR) will introduce more stringent notification requirements for data breaches. Such regulations not only foster awareness of cyber risks but also increase the potential for fines and penalties when data breaches and other cyber incidents occur.
More businesses are seeking specific stand-alone cyber insurance policies to cover a wider variety of cyber exposures. For example, an increase in critical data theft and ransomware attacks is leading to greater interest in first-party business interruption and property damage coverage. Similarly, a rise in public company shareholder suits from cyber incidents that have generated large losses and reputational damage is leading to greater demand for cyber coverage specific to directors' and officers' liability policies.