The slew of recent ransomware attacks in over 150 countries reveals the widening scope of corporations’ cyber risk exposures, which is likely to increase demand for related insurance protection, Fitch Ratings says. Insurers are in a unique position to assist customers in addressing the cyber threat. However, a cautious approach to adding cyber exposures is warranted as there is considerable uncertainty in pricing and underwriting this risk. Aggressive expansion by individual underwriters into the segment could be credit negative.
Tallying the costs from recent attacks will take time. However, growth in corporate anxiety from cyber-related threats amid regular reports of data breaches and other information system intrusions will spur demand for cyber protection and solutions including insurance protection. Furthermore, compliance with developing regulations will likely increase the demand for coverage.
Insurers are playing an expanded role in countering the cyber threat, utilizing traditional expertise in risk management and claims services. They are also gaining more technical expertise in cyber threat testing and prevention and post-event resolution through acquisitions or alliances with cyber security vendors. Cyber protection coverage, therefore, increasingly includes a service and advisory component, as well as insured loss limits.
Besides cyber extortion and ransomware attacks, cyber-related events may include systems hacking, data theft and denial of service attacks. These events may create economic losses from damage to systems and property, remediation costs, lost revenue due to business interruption and reputation damages. Hacking events can also generate third-party liability exposures triggered by errors and omissions or failure to protect data. Professional liability exposures, including potential claims against directors and officers for failing to manage risks and prevent cyber incidents, are also possible.
Underwriting experience relating to cyber coverage, as reported by insurers, has appeared relatively favorable in the past two years, but the market remains untested.
Insurers’ reluctance to write more cyber coverage stems from challenges in establishing actuarially robust pricing and coverage terms for cyber-related risks, given still-limited data from historical claims losses. The evolving nature of events and uncertainty regarding the source and range of potential losses add further challenges. Premium growth in cyber products may also be dampened somewhat by contrasts between the coverage insurers are currently willing to offer and policyholders’ view of the nature of their cyber risk and protection needs. Over time, these differences will likely converge as the market matures.
Given the scope of these challenges, we would view aggressive growth in stand-alone cyber coverage, or movement to high portfolio concentration in cyber, as negative for an insurer’s credit profile. Underwriting, pricing and reserving uncertainties would outweigh the potential earnings growth benefits. Controlled growth as part of a diversified portfolio, coupled with continually enhanced underwriting standards, would generally be neutral for the credit profile.