Cyber-insurance market still struggling to meet demand

Published on Fri, 01/04/2016 - 23:00

The cyber-insurance market has come to a crossroads, according to speakers at a recent event in London.

Industry experts at the Advisen Cyber Risk Insights Conference addressed whether cyber-insurance meets the needs of organisations and how potential property damage arising out of cyber-events should be covered.

Speakers tried to manage expectations, especially around the idea that the cyber-insurance market might be capable of responding to any loss event connected to hacking, cyber-crime, or system failure. The result would be an “unwieldy product,” said Stephen Wares, cyber risk practice leader for Marsh’s European, Middle East, and Africa office. Several speakers indicated that aggregation issues would overwhelm the market’s capacity.

“The way we’re feeling our way through, it’s a hatchet walk through a twisted forest, with people figuring out the best way to go,” said Michael Schmitt, vice president and senior underwriter for cyber and technology at Swiss Re.

Finding the right home

The term “cyber” doesn’t help matters, said Graeme Newman of CFC Underwriting, for an industry founded on the historical basis of protecting tangible assets. “If an oil rig blows up, it’s a property event. I don’t care if it’s the result of a hacking event,” said Newman, adding that no insurer would ever offer a full cyber-policy covering any loss arising out of a cyber-related peril. “The property market will realize that the cyber-market is taking all this premium for a very small risk.”

However, while the cyber market – a world focused on third-party liability for data breaches – is ill-equipped to handle physical damage risks, so is the property market, according to Matthew Hogg, underwriting manager, strategic assets, at Liberty Specialty Markets. The result is two markets at a bit of an impasse.

“The cyber-market doesn’t understand EML, PML, that’s generally not their speak. And industrial control systems are not really their field,” said Hogg, during a panel on cyber and property damage. Instead, the cyber-market offers an understanding of systemic risk, technological advances, and good relationships with third-party forensic firms.

“The cyber-market brings a lot, but it doesn’t do everything,” said Hogg.

Russell Kennedy, divisional director of political risk at Brit Insurance, commented that the property market should only cover cyber if they are capable of understanding the risk and what would trigger a cyber-related property loss.

“At this moment, they are not in the right place to offer it,” he said, predicting that a standalone policy would be a likely solution for cyber-related physical damage.

Andreas Schlayer, senior underwriter at Munich Re, agreed that property insurers should not be writing a risk they do not understand. “It’s the same fire risk, completely different exposure,” he said.

EU data protection regulation overhaul a 'game changer'

New EU regulations on cyber-risk, due in about two years, will be a game-changer, the Advisen conference heard.

The General Data Protection Regulation (GDPR), which is expected to gain formal ratification soon, seeks to strengthen data protection for individuals in the European Union. It imposes new obligations on data transfers, consent and what has come to be known as “the right to be forgotten.”

Michael Bruemmer, vice president of Experian’s Data Breach Resolution Group, described the GDPR as “a wake-up call”, whilst another speaker warned that organisations “need to be serious about what kind of confidential information is stored, where it is and who has it.”

Companies that fail to take suitable action may face something akin to US-style class actions.