Swiss Re has recommended a public-private partnership insurance scheme, with one option being a government-backed fund, to help fill the coverage gap as insurance companies struggle to stay afloat in the face of rising cyber claims.
According to Swiss Re, global cyber insurance premiums will reach $10 billion by 2021. In a study released this week, the insurance giant forecast 20 percent annual growth to 2025, with premiums rising to $23 billion over the next few years.
Meanwhile, annual cyberattack-related losses total approximately $945 billion globally, with approximately 90 percent of that risk remaining uninsured, according to Geneva Association insurance researchers.
While Forrester estimates that the average data breach costs $2.4 million in investigation and recovery, only 55% of businesses currently have cyber insurance policies. Furthermore, fewer than 20% have coverage limits in excess of $600,000, which is the analyst firm’s estimate of the median ransomware demand in 2021.
“The market needs to mature further to ensure adequate insurance protection is available,” said John Coletti, head of cyber reinsurance at Swiss Re. “Our industry can make a significant contribution by addressing three issues: improving data and modeling, increasing contract consistency and clarity, and identifying new sources of capital.”
All three of these points are recommended by the Swiss Re Institute to help mitigate exposure to cyber risk — and keep the insurance industry profitable.
While the industry has traditionally quantified risks using backward-looking data, this does not work for cyber risk due to a lack of standardized data and the rapidly changing threat landscape.
According to the report, “introducing cybersecurity standards will improve data in terms of breadth and transparency, allowing meaningful risk insights and enabling more accurate pricing and modeling.”
Swiss Re also advises insurers to revise policy language regarding exclusion clauses, terms and conditions in order to clarify the scope of coverage.
Other insurance companies and marketplaces are also struggling with policy language. Lloyd’s of London recently announced that its sellers’ policies will no longer cover losses caused by certain nation-state cyber attacks or those occurring during declared or undeclared wars.
Following the 2017 NotPetya cyberattack, two other major insurers, ACE American Insurance Company and Zurich American Insurance Company, were sued for lack of coverage clarity. In this case, the issue was what constitutes an act of war, which could invalidate an insurance claim even in cyberspace, and whether insurance companies should pay damages caused by network intrusions supported or organized by nation states.
“Exposures to difficult-to-insure systemic risk scenarios continue to be a barrier for industry capacity,” according to the Swiss Re study. “While stakeholders have taken steps to address some of these issues, attribution of cyber events remains a major issue.”
Swiss Re also called for “new sources of capital,” and stated that “collaboration between the public and private sectors is critical to mitigating cyber threats to critical infrastructure.”
According to the report, one way to address the cyber-insurance gap would be a government-backed fund. In this vein, the US Treasury recently issued a request for comment on cyber-insurance and catastrophic cyber incidents.
Another option, according to Swiss Re, is to “enter the market for insurance-linked securities.”