PERSPECTIVES: Lesson for the cyber risk market in the mortgage industry crisis?Reprints
The cyber risk insurance market has grown, increasing both in capacity and competition in recent years. But Jim Whetstone, U.S. technology and privacy manager for Hiscox Inc., says it is worth asking if the cyber risk market in its current form is sustainable long term. Lessons learned from the mortgage industry's financial crisis should help the cyber insurance industry avoid similar pitfalls as it continues to expand.
Could there be a lesson for cyber risk insurers in the mortgage bubble debacle? The cyber risk insurance sector, once a niche market with a limited number of carriers, has grown and changed significantly over the past several years. When it was first offered, coverage was narrow, premiums were high, and underwriting was extensive. Claims were infrequent, and carriers gradually broadened coverage and lowered premiums. Over time, the market softened, with increased capacity and competition.
Annual gross written premium is now in the $800 million range, up from $600 million in 2010, according to Betterley's Cyber Risk Insurance Market Survey 2011. Large companies, the most frequent early buyers, have been joined by small and mid-sized businesses, government agencies and nonprofits. The opportunity is significant, and the potential buyer pool includes nearly every current and future insurance buyer. This growth potential makes it a very exciting time for cyber insurers and brokers/agents.
But it is worth asking if the cyber risk market in its current shape is sustainable for the long term. With growth opportunities in the property/casualty market limited, it's understandable that this new business opportunity is very tempting.
Although adverse exposures are developing rapidly, from new risks associated with cloud computing to more persistent and damaging cyber attacks, pressure to reduce pricing for this coverage continues in the marketplace. The question now is whether the loss scenarios and underwriting questions that drive policy formation and pricing are still up to date.
Although it's not a direct parallel, there are some similarities to the mortgage market, which struggled to recognize the significant increase in its risk exposures. While there are many factors that contributed to the mortgage crisis, it does appear the eagerness to increase opportunities, expand the pool of borrowers and make more money caused the mortgage industry to overextend itself. Only now is it evident just how damaging that was. The question is whether hindsight can help guide cyber risk carriers as the market continues to grow.
Writing cyber risk insurance is challenging. Malicious attacks are on the rise, and hackers and other cyber criminals are more sophisticated and adaptable. Privacy breaches have become commonplace, from the Sony Online Entertainment and PlayStation breaches that exposed more than 100 million records, to leaks of confidential health care information. Fast-changing technologies, such as cloud computing and smartphones, have created new exposures. But it isn't just the large companies attracting malicious attacks that are at risk. Simple human error, such as losing laptops, flash drives or even paper files, can create privacy exposures for even the smallest entities.
Adding to the complexity is the fact that claims and losses are just starting to develop. The number, scope and type of losses are fluid; the claims phase for many carriers is largely untested.
How did a small, specialized market grow so quickly? One major game-changer was the passage of numerous breach notification laws, which mandate disclosure in the event a breach occurs. The breach notification laws, which are now in effect in nearly all of the 50 states and in at least one instance at the federal level took what had been a hypothetical loss scenario and made it concrete and quantifiable. Businesses may now be on the hook for mandated costs, and these costs have the potential to add up quickly.
According to a cyber liability claims study by NetDiligence, the average cost of a data breach is $2.4 million. The study looked at 116 events that occurred between 2005 and 2010, with major underwriters of cyber liability providing the claims payout data. The average cost per record was $1.36. Removing outlier events (those that exposed millions of records) boosted the cost to $5 per record. The biggest costs were for legal defense (average cost: $50,000) and settlements (average payout: $1 million). Response services, including notification and forensics, were the next-highest expense.
The involvement of federal regulatory agencies also has had an impact. The U.S. Securities and Exchange Commission recently issued guidance for public companies, reminding them of their obligation to disclose cyber security issues, including actual breach events and potential risks. In a 2009 survey, Hiscox found that 38% of public companies did not adequately report information about cyber security risks in their public disclosures.
Legal liability issues also have forced companies to look for ways to mitigate risks. Similar to the loss and claims arena, there are few precedents, and legal liability issues are being explored on a case-by-case basis. For example, is a ZIP code personally identifiable information? The California Supreme Court says yes. Does it matter if the breach is a criminal hack as opposed to an inadvertent breach? In John Anderson vs. Hannaford Bros. Co., which involves an intentional hack, a federal appeals court says it does matter. The court ruled that out-of-pocket mitigation costs (such as credit insurance and fees associated with new credit cards) could result in viable claims for damages because there was evidence the breached information had been used for criminal purposes.
With so many unknowns, the cyber risk insurance market is sure to change dramatically. When coverage was introduced, caution was the watchword. The pendulum has now swung in the other direction. While the hope is that today's underwriting criteria and processes will stand up under future pressures, there is always the fear in such a dynamic environment that problems and unintended consequences will arise down the road.
Some things seem certain: The pace of claims will accelerate, and losses will mount. Right now, there is still time to learn from the hard lessons of the mortgage debacle. Carriers must be cognizant that exposures are increasing and changing rapidly, and they must ensure that underwriting is up to speed. This outlook will help insurers make any necessary course corrections with an eye to a profitable future.
Jim Whetstone is the Chicago-based U.S. technology and privacy manager for Hiscox Inc. He can be reached at 312-239-6354 and firstname.lastname@example.org.