A lack of data is preventing the insurance industry from making the most of one of its largest growth areas – cyber insurance.
The industry is seeking more information on cyber attacks, so it is better equipped to evaluate the risk profile of its clients and price their premiums accordingly.
The irony is, insurers need more data so they can be more effective in providing a safety net for businesses if they lose their data.
Insurers have spent decades collecting information and forming algorithms on the likelihood of individuals being burgled, getting heart disease or having their property damaged by a flood, for example.
They know that if a person lives in a certain suburb, in a certain type of dwelling, with certain doors and windows that have certain locks, they have a certain likelihood of getting burgled. They can therefore charge them a certain price for contents insurance.
It’s a matter of plugging the information into a formula, which can spit out a risk profile.
Yet cyber insurance is a little more complex.
Because it is a new product that has only been available in New Zealand for the last few years, insurers don’t have a whole lot of information to draw on when assessing how well protected their clients are from cyber breaches, and calculating how much a breach would cost them.
An art rather than a science
Delta Insurance general manager, Craig Kirk, explains: “We look at a whole bunch of factors – how big the firm is, what industry they’re in, what level of risk management processes they have in place, whether they’re taking it seriously, how big their client base is, how much data they’re holding.
“It’s very much an art rather than a science at this point in time.”
He says most of the cyber insurance policies Delta underwrites are capped at $1-2 million, but can reach $5 million. Its clients range from panel beaters, to retailers, hotels and government agencies.
The head of KPMG New Zealand's security advisory services, Philip Whitmore, says the cost of a breach could stem from recovering the data, paying fines and regulatory costs, paying legal fees and hiring public relations experts to help with reputational damage control.
“Things have changed; the risk landscape has changed,” he says.
Data is power
It is for this reason Whitmore, Kirk and the Insurance Council of New Zealand (ICNZ) welcome the Government’s move to invest $22 million over four years to set up a Computer Emergency Response Team (CERT), which will collate data on cyber breaches voluntarily reported to it, and provide advice to businesses on cyber security.
“At the moment insurers in New Zealand have limited information to be able to value or quantify the risk. If there is the ability to access that information through the CERT for example, then that will provide insurers with a better ability to segment their market, to be able to put the right price in place, or have a view of New Zealand as a whole,” says Whitmore.
Kirk adds: “Data is power in terms of actually understanding the risk. So if we were to have access to data, then we would have a better understanding in terms of what is the maximum loss firms are suffering, where is this coming from, what are the trends. It would be incredibly useful from an underwriting viewpoint.”
ICNZ chief executive, Tim Grafton, agrees, but adds: “I think a CERT will help, but insurers need more information and more tools to have a framework where they can approach a business and ask a set of salient questions and end up with a good sense of what the risk is that they’re underwriting.
“I think a lot more work needs to be done in that space. The risks are mounting year by year and the economic cost is huge.”
Lloyd’s, for example, has put the same price tag on Auckland suffering a major cyber attack as on the city being rocked by a major earthquake.
The cyber security firm, Symantec, says the average number of ransomware attacks in New Zealand per day increased by 163% from 2014 to 2015, to 108.
In the year to April 2016, the Government’s National Cyber Security Centre logged 316 incidents – up from 190 in the year to June 2015.
What’s more, the senior vice president for the US-based Center for Strategic and International Studies, Jim Lewis, warns cyber attacks are a standard part of doing business with China.
“They want what would give them a competitive advantage in any deal they’re in,” he says.
Massive growth potential
With these risks in mind, Kirk says it would be handy if the government went further and required businesses to meet a certain standard of cyber security.
“At the moment there’s just so much variation in terms of the quality of the controls businesses have in place, so if there was some consistency, it would be fantastic from our point of view and it would certainly make an easier underwriting process.
“That would probably then flow through to cheaper premiums and broader coverage because insurers will be more comfortable with the risk.”
He also believes the Government should make it mandatory for organisations to report certain cyber breaches. He believes there should be some restrictions to this, as mandatory reporting could be quite costly and onerous for small businesses.
He admits the cyber insurance market is still small, with only a handful of insurers offering the product. While it’s only been on offer in New Zealand for a few years, it’s existed overseas for the past 15 years.
Yet Kirk says the market is growing rapidly. Cyber insurers collected around US$2 billion in premiums last year, with this figure expected to grow at around 15-20%.
Grafton says that with cyber attacks likely to become the main source of business interruption, and insurers learning more about these, the cyber insurance industry has “massive growth potential”.
*This article first appeared in our email for paying subscribers.