Thought Leadership article by Anup Dhingra | Marsh
What are the catalysts that will make cyber insurance a more
mainstream insurance product like D&O?
Liability policies have always been about compliance (customer or regulatory) and less about pure risk management, but this has changed over the years as the share of intangibles increases in corporate balance sheets. Globally D&O has been on an upswing since the 90’s and inspite of D&O not being compulsory till recently in India most firms (listed as well as unlisted) have taken such policies for pure risk management and balance sheet protection for years. Marsh India today has over 1700 active buyers of such products and this number has consistently increased by 15-20% every year over the last decade. Every time there is news of a corporate fraud or governance failure, the enquiry rate goes up. However, I feel that cyber insurance has the potential to leapfrog D&O and other traditional liability products. We feel that cyber could very soon become a thirdpillar for Marsh (first two being Property & Casualty and Health & Benefits). Some expect this to take another 20 years but I am hopeful it would be sooner. As
cyber-attacks increase given increased digitization, stringent regulations, maturing of cyber insurance as a product and a lot more aware consumer base that doesn’t take their privacy rights lightly.
Cyber insurance underwriting-even with so much data, the
method of underwriting remains more static. Why is that?
As the cyber market has matured, insurers have refined how these policies are underwritten and priced. However, there are fundamental aspects of cyber insurance that make it difficult for insurers to write and price policies that cover a broad swath of risks.
- There is only a limited loss history for insurers to use when setting prices for cyber insurance premiums and coverage loss limits.
- Cyberattacks are constantly evolving as both private and state-sponsored hackers develop new methods to infiltrate networks. The rapid evolution of hacking capabilities and strategies makes it difficult for insurers, which rely on clients having relatively consistent risk profiles, to assess the true risk of a potential client being hacked.
- Cyberattacks are highly scalable as they can potentially hit thousands of companies simultaneously, causing large interrelated losses for insurers. If an important service, such as a large cloud-computing platform used by many policyholders, went down, the insurer may then have to pay claims on all of its policyholders at once.
- The fourth type of problem cyber insurance faces is the possibility of cascading failures caused by a cyberattack. One common example of a cascading failure is an attack on a power grid, where the destruction of a piece of critical infrastructure leads to failures across the rest of the grid.
The difficulties in properly pricing cyber insurance products and the looming possibility of a large-scale cyberattack encourage insurers to write policies that limit the amount of coverage a business can get, as well as the risks that are insured.
Life and health insurance is viewed as a higher priority for India thana commercial liability and in that cyber (as a financial lines business) comes last. What do you think will make commercial insurance a
requirement for medium-sized businesses (anyone with revenue north of 50Cr).
Indian businesses are shifting towards global practices with the rise of new-age companies and profusion of startups setting up shop. The startups of today are more risk averse than traditional Indian businesses have ever been. Add global stakeholders, international- vendors, clients and partners, contractual requirements to this mix, and the relevance of commercial insurance becomes
apparent. The cost of getting insurance (especially cyber) might seem steep however; the benefits insurance cover far outweigh their cost in the event of a claim. A business of 50cr revenue would have a lower risk tolerance than a 100cr business. A prolonged business interruption or outage would see them out of business in a very short span. Cyber insurance is seeing a huge uptake because we’ve reached a
tipping point in technology adoption. While large corporations have had major IT footprints for decades, this hasn’t always been true of small to medium-sized businesses (SMBs). Nowadays though, most enterprises are digital-first, all the way down to sole traders, and many have further embraced remote working and cloud computing. Cyber risk now affects everyone in every sector, and it affects them
daily. The ever-loudening chatter around cybersecurity and cyber insurance has brought many new and smaller buyers to the table with risks in need of covering: from ransomware attacks and cyber-related business interruption to social engineering and data breaches
Author: Thought Leadership Article By Anup Dhingra | Managing Director, FINPRO
Disclaimer: The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of IIA and IIA does not assume any responsibility or liability for the same.