In an environment in which sustaining premium income from “traditional” business lines remains a considerable challenge and being disciplined enough to walk away from mis-priced business is easier said than done, many (re)insurers are looking for the “next Big Thing”.
At present, one could reasonably argue that this is “cyber-risk”, a product line which apparently generated some USD 2.75BN of annual premium for the US market by the end of 2015 (a number forecast by PwC to triple by 2020), with more and more carriers eager to capture some of the premium flow.
Without doubt, there is both a need and a demand for such protection, as the scale and severity of the incidents reported (which probably comprise only a fraction of the actual total) continue to increase. The business and reputational consequences of a cyber-attack can be severe, let alone the societal impact from a state-sponsored attack on, say, critical infrastructure.
However, there are significant issues with assessing and pricing the risk, because there is, as yet, little reliable historical data on losses, and little understanding or evidence of a particular Insured’s ability to prevent a successful cyber-attack, or to pro-actively manage and mitigate the consequences. Meanwhile, governments (which, as we have seen, often have significant vulnerabilities of their own) are beginning to impose onerous requirements on businesses, for example the EU’s General Data Protection Regulation (GDPR), which is due to become effective in May 2018, requiring them to “provide sufficient guarantees to implement appropriate technical and organizational measures” to protect data.
While perhaps controversial, it is arguable that cyber-risk has analogies with terrorism (in its physical forms), because it is all too easy to conceive of scenarios in which the scale of the consequences is so large, or so systemic, as to be potentially uninsurable, even by an industry supposedly awash in surplus capital looking for a profitable home. This then begs the question of whether, in its eagerness for premium and faced with the temptation of increasing demand, the traditional “CAT” industry will over-reach and fail to assess or aggregate risks in a way that could ultimately gut its capital base.
Similarly, because there is, as yet, no standard language or wording for policies covering “cyber-risk”, there is ample scope for there to be a significant mis-match between an Insured’s understanding and expectation and the Insurer’s actual offer and coverage. The potential for claims disputes would appear significant.
We are not, of course, saying that clients should not purchase such protection; nor that (re)insurers should not provide appropriate coverages. We are simply saying that there are material risks for both parties that there is not, in fact, a true meeting of the minds, leading to unfortunate outcomes.
At Awbury, we are known for the bespoke and carefully-crafted nature of the large-scale credit, financial and economic coverages that we provide to our clients; but we remain wary of situations in which it is difficult, if not impossible, to “box” a risk and to define and price a cover properly, with triggers that are clear and unambiguous, so that the client is in no doubt that the policy will answer in the event of a legitimate claim.
However, we like a challenge!
The Awbury Team