The cyber insurance market is booming due to rising cyber-attacks, but insurance organisations will need to become much more sophisticated in their approach to assessing and managing cyber risk if they hope to turn cyber policies into a strong and sustainable line of business.
Encompassing a broad range of cyber insurance products designed to cover operational risks affecting confidentiality, availability or integrity of information and technology assets, cyber insurance is among the fastest-growing niches in the industry. While its growth is led predominantly by financial institutions seeking to perform cyber risk management and better transfer their cyber risk, demand is also being driven by regulatory pressures and notification legislation that will require all firms to notify individuals if their personal data is breached. Companies are increasingly seeking cyber breach insurance products that cover the management and costs of notification processes.
The cyber insurance market also seems ripe for continued organic growth. As organisations become more reliant on data, and more of their business is conducted over digital channels, they will place increasing value on protecting that data and those channels from cyber-attacks. In turn, they will seek ever-higher levels of coverage from their insurers to cover greater risks. Demand for cyber-crime insurance is also being driven by a number of very high-profile and costly breaches over the past few years, often leading to consumer litigation.
The challenge for any fast-growing and emerging market segment is that it often takes some time for insurers to fully understand the unique risks and challenges that they are taking on. In part, this is because the threat risk is continuously changing, as cyber criminals’ vast toolkit evolves rapidly. Also, some insurers may struggle with how to value and compensate data breaches that cause reputational and brand damage.
The underlying problem is that few insurance organisations have a clear understanding of what ‘good’ cyber security looks like for their customers. They are therefore unable to assess whether their customers are taking the right precautions to properly manage their risk. Since some cyber insurance products can be purchased today without the need for even a high-level risk assessment, the insurance industry will clearly need to drive towards standards if it hopes to remove the moral hazard concerns inherent in this market.
If the cyber insurance market is to properly mature and effectively transfer risk, insurers (and any eventual re-insurers) will need to become much more sophisticated in their approach to assessing and managing cyber risk. Those that hope to achieve first-mover advantage will want to focus on three, somewhat interrelated, areas:
The bottom line is that insurers will need to think more broadly about how they develop and structure their products if they want to succeed in the evolving cyber insurance market.
This article originally appeared in Frontiers in Finance, December 2014 edition.
© 2016 KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.