Cyber insurance: a solid growth prospect for global (re)insurance

Cyber insurance offers significant growth potential for (re)insurers, as this risk becomes more prevalent the world over.

In SHA's 2022 Specialist Risk Review of the views of 1040 South African business leaders across various sectors, respondents ranked cyber security third on the list of top threats, after power disruptions and labour matters. That is a fair estimation, given the context of South Africa's risk landscape over the past two years.

Cyber insurance sector remains small

In spite of the priority seemingly given to this risk by business leaders, only 39% of respondents had actually bought cyber insurance. Granted this had increased from 18% in the previous survey, but the statistic remains worryingly low.

In 2018, the European Insurance and Occupational Pensions Authority (EIOPA) surveyed 41 large (re)insurance groups across 12 European countries representing a market coverage of around 75% of total consolidated assets on cyber risk.

It found that by contrast, the European cyber insurance industry was rapidly growing, with an increase of 72% that year in terms of gross written premium for the insurers in the sample. That amounted to EUR295 million in 2018 compared to EUR172 million the previous year, representing approximately 0.02% of the total gross written premiums of the participating groups.

The majority of affirmative cyber insurance was written within standalone cyber products (EUR246 million), with the remainder being offered as cyber endorsement for traditional policies (EUR49 million).

Despite this positive growth in Europe, EIOPA describes the cyber insurance industry as still being 'small in size'.

This begs the question, why aren't more companies pursuing cyber insurance products?

Varying nature of cyberattacks

The need is certainly there. The SHA review stated that over the past 12 months, one in three (30%) South African SME respondents suffered a cyberattack.

The most common event was malware infection (30%) followed by phishing (26%), denial of service (13%) and theft of funds (13%). Up to 34% of respondents had fallen victim to email scams.

As much as 69% of these incidents resulted in the business in question being offline for more than 24 hours. A further 60% of respondents admitted to suffering a financial impact following an attack.

Despite the frequency of attacks and the severity of the business impact, the report revealed that 64% of local SMEs believed they were not a potential target for cybercriminals. Alarmingly, the majority (88%) believed their cyber security measures were sufficient.

Ransomware the biggest risk

This points to misperceptions within companies around cybercrimes and their constantly changing nature. All companies are at risk, no matter their size or industry.

The IBM Security X-Force Threat Intelligence Index 2022, which mapped new trends and attack patterns, drawn from billions of datapoints between January and December 2021, showed that ransomware was again the top type of attack last year. It represented 21% of cyberattacks in the businesses surveyed.

A ThoughtLab study of the security practices and performance of 1 200 companies in 13 industries and the public sector across 16 countries revealed that in 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year. The security executives polled anticipated that future attacks would come from ransomware (alongside social engineering) as cybercriminals become more sophisticated.

This, perhaps, provides part of the answer to our question; ransomware is rapidly advancing, and it's a moving target.

The difficulty in underwriting cyber insurance

Ransomware is a type of malware that infects computers, restricting access to files. Users are threatened with permanent data destruction unless a ransom is paid. It is rated the fastest growing and one of the most damaging types of cybercrimes, as it constantly evolves with new levels of threats.

(Re)insurance underwriters battle to maintain pace with these technological advancements, making it difficult to write accurate products for this growing, largely unknown, risk.

Businesses face mounting pressure to get their IT houses in order and adopt appropriate cyber security measures. Basic controls like the latest antivirus software, multi-factor authentication and automatic software updates are expected by insurers as standard practice, as are thorough cyber security risk management plans. 

One of the barriers to cyber insurance adoption by businesses, especially SMEs, is the cost of both these security measures and the cyber insurance itself. This, as premiums are driven up by anticipated increased losses as well as the greater overall demand for cyber insurance.

Cyber insurance a necessity

The fact is, cyberattacks will increase in future, and more businesses will need to take this threat seriously.

There is an opportunity for (re)insurers to educate clients about the varying cyber risks, and the financial and reputational cost of not having adequate insurance. There is also an opportunity for (re)insurers to innovate in order to meet the growing market demand for relevant cyber insurance products.

This will be critical, as some observers say cyber security will dominate the liability insurance market in future, possibly becoming the next systemic risk, rivalling the Covid-19 pandemic in terms of the extent of exposures.