Insurers grow their cyber crime insurance sales, but assessing and managing cyber risk poses challenges.

The cyber insurance market is booming due to rising cyber-attacks, but insurance organizations will need to become much more sophisticated in their approach to assessing and managing cyber risk if they hope to turn cyber policies into a strong and sustainable line of business.

A growth market emerges

Encompassing a broad range of cyber insurance products designed to cover operational risks affecting confidentiality, availability or integrity of information and technology assets, cyber insurance is among the fastest-growing niches in the industry. While its growth is led predominantly by financial institutions seeking to perform cyber risk management and better transfer their cyber risk, demand is also being driven by regulatory pressures and notification legislation that will require all firms to notify individuals if their personal data is breached. Companies are increasingly seeking cyber breach insurance products that cover the management and costs of notification processes.

The cyber insurance market also seems ripe for continued organic growth. As organizations become more reliant on data, and more of their business is conducted over digital channels, they will place increasing value on protecting that data and those channels from cyber-attacks. In turn, they will seek ever-higher levels of coverage from their insurers to cover greater risks. Demand for cyber crime insurance is also being driven by a number of very high-profile and costly breaches over the past few years, often leading to consumer litigation.

Cyber insurance growing pains

The challenge for any fast-growing and emerging market segment is that it often takes participants some time to fully understand the unique risks and challenges they are taking on. In part, this is because the threat risk is continuously changing, as cyber criminals' vast toolkit evolves rapidly. Also, some insurers may struggle with how to value and compensate data breaches that cause reputational and brand damage.

The underlying problem is that few insurance organizations have a clear understanding of what 'good' cyber security looks like for their customers. They are therefore unable to assess whether their customers are taking the right precautions to properly manage their risk. Since some cyber insurance products can be purchased today without the need for even a high-level risk assessment, the insurance industry will clearly need to drive towards standards if it hopes to remove the moral hazard concerns inherent in this market.

Seizing the competitive advantage

If the cyber insurance market is to properly mature and effectively transfer risk, insurers (and any eventual re-insurers) will need to become much more sophisticated in their approach to assessing and managing cyber risk. Those that hope to achieve first-mover advantage will want to focus on three, somewhat interrelated, areas:

  1. To properly quantify the risks they are underwriting, insurers will need to improve their ability to conduct appropriate security assessments on customers to better understand and monitor the protections in place and the likelihood of a claim.
  2. Insurers will need to become much better and faster at managing and analyzing their data to inform their pricing and risk models, for example by overlaying claims information to quantify the value of each security method.
  3. Insurers should distinguish themselves with product innovation, including new, relevant policy features as well as a broader scope of services to support their cyber insurance customers, from risk assessment to forensic investigation and breach investigation services.

The bottom line is that insurers will need to think more broadly about how they develop and structure their products if they want to succeed in the evolving cyber insurance market.

Questions to think about:

  1. Has your firm examined the market potential of offering cyber insurance or other technology risk products?
  2. What steps are you taking to understand clients' evolving cyber risk management needs to drive product innovation?
  3. How sophisticated is your ability to perform client cyber risk assessments and monitor cyber threats?
  4. What in-house capabilities or third-party expertise do you require to keep up with the ever-changing cyber risk environment?
