Demand for cyber risk cover has seen a meteoric rise over the past 18 months, a response to high-profile incidents WannaCry and Petya. Ms Anna Tipping, Head of Insurance at Norton Rose Fullbright Asia, walks us through the risks that an insurer needs to monitor.
In July 2017, AIG reported an 87% year-on-year growth in cyber cover demand in Asia. Allianz predicts that global cyber premiums will grow to US$20 billion by 2025, up from $4 billion now. As businesses began to realise the risk that cybercrime posed, they began approaching brokers and insurers for protection against cyber liability and business interruption – to the extent that there is now a worry of companies “panic buying”.
While this represents an opportunity for insurers, the risks are evident. With so many companies willing to buy cyber insurance, insurers need to protect their reputations by selling cover that is fit for purpose and fully assess their potential exposure to the individual insureds, said Ms Tipping.
An indiscriminate threat
More importantly is the aggregation risk to insurers. Cyber is a risk that continues to evolve and thus has no clear guidelines on premium pricing or implementing preventative measures. “Cyber is also unique in that it is completely non-geographic, especially if the insurer is covering a large MNC,” she said. “Unlike natural disasters or even pandemic risks, there’s no way to know when and where a cyber-attack will occur and what the geographic spread of the impact will be.”
Cyber is indiscriminate in its targets, she pointed out. “A cyber attack could target all users of a specific operating system, or it could attack a single company and all of its offices across the world. It has the potential to have no boundaries.”
Insurers are still grappling with cyber’s unprecedented aggregation risk, and Ms Tipping thinks this is a great opportunity for them to adopt new technology themselves. “They could use artificial intelligence and data analysis to go in and interrogate their clients and their policies, to map out and plot geographic aggregation, system aggregation cloud service provider dependence and any other common target point that is a possible avenue for a cyberattack.”
She also pointed out that insurers don’t tend to insure themselves from for risks, beyond the mandatory. “They have motor and employee liability insurance, public and directors’ liability and property damage coverage, but beyond that they tend to self-insure.”
“I think that due to the indiscriminate nature of cyber, insurers need add this to the suite of insurances they purchase to first protect themselves and to further spread the risk.”
However, she admitted that most insurers are sophisticated and very clever and that most, if not all, are aware of these risks and have taken measures against them.