13 March 2018

OECD: The cyber insurance market: Responding to a risk with few boundaries

On the occasion of the OECD Conference on Unleashing the Potential of the Cyber Insurance Market, the OECD’s Bill Below and Leigh Wolfrom look at some of the challenges to insuring cyber risk.

With the growth of cybercrime, and intensive media coverage of privacy breaches and ransomware attacks over the last year, could complacency about cyber risks soon be a thing of the past? While consumers remain dismally bad at protecting themselves (e.g. the low uptake of Two-Factor Authentication), boardrooms are increasingly hungry for protection, with larger companies taking the lead.

The numbers alone should motivate any firm, large or small, to rev up its cybersecurity game: by 2019, cybercrime is expected to cost businesses over USD 2 trillion, up from USD 500 million in 2015 (Juniper Research, 2015). Companies are investing more in cybersecurity technology and services, registering a 7% increase in spending from 2016 to 2017.

Growth in the cyber insurance market is a sure sign of firms’ increasing awareness of cyber risk and appetite to transfer exposure. But buying the right policies can be challenging, particularly for companies whose understanding of their own vulnerabilities may be sketchy. A lack of similar terminology and different approaches to offering coverage, along with the complexity of the policies themselves, add to the frustration and dampen buyer demand.

If big firms can fall victim to cyberattacks, smaller firms are particularly vulnerable. While the penetration level for stand-alone cyber insurance is above 50% or more among large companies in most countries, take-up by SMEs is in the single digits.

A lack of historical cyber incident data (and direct experience) is a big problem, preventing insurers from developing the predictive models they depend on to set accurate premiums and exposure models. This, in turn, reduces the willingness of insurance companies (and reinsurers) to extend significant amounts of coverage. It also leads to exclusions and sub-limits that customers may find unappealing. What data is collected primarily exists in the isolated repositories.

The evolving nature of cybercrime means risk models may have to look beyond historical data. With new forms of malware and other technologies targeting ubiquitous operating systems, common applications, cloud services and hardware platforms, a single criminal act can potentially scale to global dimensions. Last year’s WannaCry ransomware attack may be a harbinger of things to come. Propagating through legacy Windows systems, Wannacry infected over 200,000 computers in 150 countries. Indeed, the potential for accumulation risks may discourage some insurers and reinsurers from entering the cyber insurance market at all. The bottom line: uncertainty and correlated risks lead to higher prices and limited coverage levels.

Remediating the lack of sharable, harmonised data on cyberattack incidents is critical if the insurance industry is to leverage its risk management expertise to help countries address the risks inherent in the transition to a digital economy. The policy and legal environment can provide information which can diminish the level of uncertainty. Particularly in countries with limited notification or disclosure requirements, governments should consider the contribution such requirements could make to improving the availability of data on cyber incidents. On another level, a number or actors in the insurance sector are examining the value of different protection technology and practices with the aim of improving their ability to assess risk at companies. While assessing the effectiveness of cyber security technologies is challenging, there may be scope for governments to encourage certification and standards for the management of cyber risk.

Full article

© OECD