In the wide array of insurance type coverages for businesses to have, or at least consider, one growing in necessity is being protected against cyberattacks.
In a webinar hosted Thursday by PropertyCasualty360, Moody’s RMS Global Head of Analytical Services Alok Kumar and Model and Product Specialist Bethany Vohlers covered the increasing need for cyber insurance and recommended best practices for underwriters in covering losses.
It’s a business risk that Shaughn Kennedy, SPARK Underwriters co-founder and vehicle specialty market underwriter, previously told Repairer Driven News is often overlooked.
In the collision shop space, most cyber activities deal with bad players trying to hold systems hostage for ransom, he said. Prevention comes down to being proactive by protecting passwords and ensuring the right software is installed. However, if a business does find itself victimized in an attack, cyber coverage can be beneficial, especially since most experts don’t recommend paying the ransom, he said.
Based on Kumar’s research and a recent survey of insurance industry workers, he said there is a tremendous upcoming growth opportunity in cyber insurance but also, “the threat perception, which gets accentuated as a combination of geopolitical risk as well as digital nature of the risk itself.”
He noted that a World Economic Forum report says 93% of cybersecurity experts and 86% of business leaders believe a far-reaching catastrophic cyber event will occur in the next couple of years.
“Today, there are millions of pieces of code,” Kumar said. “If you take just about 2 million pieces of software code and assume that there are dozens of possible ways to do harm, to do a cyber attack, the number suddenly becomes almost infinite or uncountable. And that’s why this risk landscape is so broad, so prominent and so much more difficult to predict and quantify. Because there is an exponential number of ways as the more and more software becomes prevalent, there are more ways a cyber attacker can attack and create massive damage.”
Common factors Kumar listed that increase cyber threats include:
- Increased number of devices in use;
- Increased number of interconnected devices sharing data; and
- Attackers becoming more sophisticated from years of experience.
In 2022, the economic cost caused by cyber attacks was close to $8 trillion, predominantly in North America, and that is expected to reach $24 trillion in the next five years at the same rate of cyber attacks and growing exposure happening currently, Kumar said. And only a small portion of the cost is covered by insurance, he added.
Attackers in Europe are catching up to North America compared to two years ago. The North American attacks are primarily targeting health care and education sectors.
Reasons for attacks are largely monetary but can also be based on geopolitical, espionage, and ideological motivations making it difficult to predict and prevent attacks, Kumar shared.
Cyber insurance demand continues to outpace supply but profits are increasing. Kumar noted reinsurance is vital because of “the borderless nature of the risk” insurers take in underwriting cyber risk for businesses.
Kumar predicts cyber insurance will also become more prevalent in auto insurance as attacks are increasingly viewed as risks. “There’s very high likelihood that motor products become a part of the cyber premium because these are more like a technology warranty product rather than just a damage product,” he said.
“If that happens, there are predictions that the cyber premium surpass the property premium by 2032. Broadly speaking, by 2032, various estimates show that cyber insurance premium in the market would be in the range of $50 to $60 billion — a significant size for insurance and reinsurance companies to be interested in.”
Cyber insurance, Kumar said, is growing 25% every year.
Vohlers said there has been a surprising increase this year in business email and ransomware attacks. It’s much easier, and cheaper, to prevent a cyber claim than to investigate and deal with the aftermath, she said.
“But traditional underwriting strategies make very little room for proactive prevention. They tend to work off point-in-time assessments that are aligned to traditional annual cycles where the risk is evaluated once at [the] point of underwriting and really only review it again at the policy renewal. But as we’ve seen, cyber is evolving just too rapidly for this.”
Some carriers, however, are taking a new approach with cyber coverage by managing their portfolio’s collective risk and keeping track of technological trends in real-time rather than only when conducting quotes and renewals, Vohlers said.
“The more uncertain we are, the less insurable the risk becomes. The reality is our understanding of cyber risks is just not at a point yet where the industry can constantly ensure cats [catastrophes] of this nature. There are just too many unknown unknowns. And until we know what we don’t know, the market is likely to face challenges with critical infrastructure and cyber warfare for some years to come.”
Vohlers also covered the impact generative AI and machine learning will have on the cyber insurance landscape. Overall, that’s an unknown right now but she called the potential resulting dramatic technical and societal change “exciting, if not scary from an insurance lens.”
“We’re looking at new avenues for data collection interpretation and delivery, providing a toolkit for the development of complex algorithms for risk assessment, and even fraud detection opportunities for predictive analytics at scales never seen before,” she said.
Vohlers added that AI and machine learning can offer quantifiable risk analysis through objective data.
“AI and machine learning algorithms really can further be customized to reduce the need for that hands-on keyboard underwriting, especially as we look to the SME [small and medium enterprise] micro-segments of the cyber market,” she said. “Automation based on predefined rules and tolerances can translate into faster decision-making capabilities for underwriters. And finally, using AI to build automation that flags vulnerabilities in a portfolio as soon as they appear and then suggesting relevant remediation steps…”
All of the above lends itself to the potential for reduced costs, improved compliance, and enhanced predictive threat intelligence for the insurance industry, Vohlers concluded.
Featured image credit: PUGUN SJ/iStock