Let the insurer beware before adding new cyber products
SINGAPORE — Cyber risks are potentially catastrophic and insurers should be wary about expanding the coverage they offer, a panel of experts said.
The systemic nature of cyber risk means that insurance can be only part of the solution, so organizations should apply enterprise risk management techniques to address the exposure, they said.
Currently, cyber insurance products have a limited scope and often cover only named risks, such as breach response costs. There is demand from commercial buyers for more comprehensive coverage, but insurers should not rush to meet those demands, said Peter Hacker, a global advisory executive at Distinction Global, a unit of the Cybercrime Research Institute G.m.b.H. in Cologne, Germany.
“Before we can run, we should start walking first. We should first start investing more time to understand better the threat itself before talk about new products,” he said Wednesday during a session of the Global Insurance Forum in Singapore, which is organized by the International Insurance Society.
Technology, such as the internet of things, is developing at a rapid pace, and insurers need to better understand the risks before offering coverage, Mr. Hacker said.
“We are running the risk that we believe that we have to create new revenue streams and potentially ignore the risk that we are confronting — a risk that's systemic and could potentially wipe out an insurer,” he said.
Insurers need to invest more time in pre-incident stress-testing with policyholders so both parties in the transaction better understand the risks involved and align their expectations for the coverage, Mr. Hacker said. “You have to invest more time in enterprise-wide risk management.”
While insurers potentially could offer wider coverage, they don't have the analytical tools to underwrite broader cyber-related risks, said David Ho, Hong Kong-based head of financial lines in the Asia/Pacific region for American International Group Inc.
“It really comes down to understanding the risk and seeing whether we can get our hands around it … With better analytics we could probably do it, but there are certain things that are just going to take time,” he said.