The cyber insurance market is booming due to rising cyber-attacks, but insurance organizations will need to become much more sophisticated in their approach to assessing and managing cyber risk if they hope to turn cyber policies into a strong and sustainable line of business.
What is cyber insurance? Among the fastest growing insurance niches, cyber insurance products cover operational risks affecting confidentiality, availability or integrity of information and technology assets.
Encompassing a broad range of cyber insurance products designed to cover operational risks affecting confidentiality, availability or integrity of information and technology assets, cyber insurance is among the fastest-growing niches in the industry. While its growth is led predominantly by financial institutions seeking to perform cyber risk management and better transfer their cyber risk, demand is also being driven by regulatory pressures and notification legislation that will require all firms to notify individuals if their personal data is breached. Companies are increasingly seeking cyber breach insurance products that cover the management and costs of notification processes.
The cyber insurance market also seems ripe for continued organic growth. As organizations become more reliant on data, and more of their business is conducted over digital channels, they will place increasing value on protecting that data and those channels from cyber-attacks. In turn, they will seek ever-higher levels of coverage from their insurers to cover greater risks. Demand for cyber-crime insurance is also being driven by a number of very high profile and costly breaches over the past few years, often leading to consumer litigation.
This fast-growing and emerging cyber-crime insurance market does face growing pains, since it often takes insurers some time to fully understand the unique risks and challenges that they are taking on. In part, this is because the threat risk is continuously changing, as cyber criminals’ vast toolkit evolves rapidly. Also, insurers struggle with how to value and compensate data breaches that cause reputational and brand damage.
The underlying problem is that few insurance organizations have a clear understanding of what ‘good’ cyber security looks like for their customers. They are therefore unable to assess whether their customers are taking the right precautions to properly manage their risk. Since some cyber insurance products can be purchased today without the need for even a high-level risk assessment, clearly the insurance industry will need to drive towards standards if they hope to remove the moral hazard concerns inherent in this market.
If the cyber insurance market is to properly mature and effectively transfer risk, insurers (and any eventual re-insurers) will need to become much more sophisticated in their approach to assessing and managing cyber risk. Those that hope to achieve first-mover advantage will want to focus on three, somewhat interrelated, areas:
The bottom line is that insurers will need to think more broadly about how they develop and structure their products if they want to succeed in the evolving cyber insurance market.
KPMG in the UK
+44 20 73115295
KPMG in Canada
+1 416 777 3742