- Where Insurance & Technology Meet

Brokers: Where Will You Take Cyber Risk?

In planning for the 2015 Technology Conference, my IT and Underwriting friends tell me that cyber risk is a hot topic.  For sure, there is a fair amount of discussion in the insurance and IT trade press.  However, in talking to a few organizations who are actively developing/delivering these products, I hear that there is a slow uptake by Canadian brokers.

Question for brokers:  Is cyber coverage about to take off?  If not, do we just wait for the government to define the product for us?

What’s the risk?

I was privileged to do some research for an article published by the Canadian Institute of Actuaries,which demonstrated, to my satisfaction, that cyber risk is big and getting bigger.  Consider:

  • the 2013 Norton Report estimated the total cost of cyber crime in Canada at US$ 3 billion;
  • The Ponemon Institute 2014 Cost of Breach Study reported that in the US, the average cost of a data breach to an organization was US$ 3.5 million, which was up 15% from the prior year;
  • High profile commercial breaches are increasing – Target, Home Depot, etc. – and encouraging bad guys to look at this as a growing market;
  • Increased reliance on networked technology – think of Telematics, etc. – will expand the exposures dramatically.

It’s also interesting that while challenging, the actuaries tell me there are models to help develop rates for the risk.

We’ve seen cyber insurance before  …

With the rise of the internet as a commercial tool in the 1990s, insurers tightened working around data processing exposures, and saw the opportunity to offer first and third party coverage for bad things happening.  In a 1999 Canadian Underwriter article covered a panel discussion on the emerging e-commerce risks.  The consensus was that the insurance industry had an opportunity and “big changes” were ahead for insurers in the next 18 months.

Some brought product to market, but there was significantly less than enthusiastic response by brokers and insureds.

So what’s different now?

Simply put:  Customers are looking for coverage.  There is no such thing as e-commerce anymore.  There is just commerce using modern channels.  Which is growing rapidly and in many directions.

One result:  Commercial enterprises are spending money on security.

Financial service companies are leading the way.  Results of a PwC survey of US Financial Services companies (including insurers) were recently published in UK based SC Magazine.  It found that “cyber-security spending in these areas will top US$ 4.1 billion (£2.6 billion) in 2014 before rising another 10 to 20 percent annually in the coming years – leading to US$ 1.3 billion (£830 million) to US$ 2.6bn (£1.6 billion) in additional spending by 2016.”

The article notes that this spend goes beyond defensive.  According to Grant Waterfall, cyber-security partner at PwC,  “There are also companies moving towards ‘digital disruption’ to stay competitive and I am seeing those companies spending more on security, when previously it wasn’t high on the agenda.”

But even with the best security, bad things happen, right?  And insurance should be there, no?

Yes and no.

Coverage is there, but….

Business and security professionals see the need, but have problems comparing covereages.

In a recent issue of Information Security Magazine, the authors review cyber insurance from their perspective. In summary: “As established insurance providers and startups rush to sell cyberinsurance to companies of all sizes, many enterprises still can’t find insurance policies due to the lack of product standardization and complexities of establishing adequate coverage.”

Information Security believes the there is interest in the cyberinsurance products, but the market has yet to mature. John Wheeler, research director for security and risk management at Gartner is quoted saying: “Cyberinsurance is going to continue to grow as a cottage industry until there is some standardization of the product and the policies.  It is going to take some form of government backing or incentive for that to occur.”

Wheeler is talking about the US and notes that while a debate is currently occurring in congress, a standardized product is “probably 3 to 5 years away.”

So it comes down to the brokers ….

There is likely good reason for governments to become involved, but do we really want to wait for that?  Or can we look at this as an opportunity for intermediaries to help steer clients to  coverages which meets the current needs? will be presenting several sessions at #ICTC2015 March 9-10, 2015.  I’d love to chat there.  In the meantime, let me know your thoughts below.

Don’t be insecure.