Cyber solutions: What are the biggest risks for insurers and are solutions from reinsurers adequate for today’s fast-evolving cyber landscape?
Many insurers are still in the process of defining their own risk appetite for cyber risks. If insurers offer their customers cyber protection, they need to manage their exposures and watch out for risk accumulation in their portfolio. At the same time, even insurance carriers not actively offering cyber products cannot lean back. Also they should ask themselves how big their exposure to silent cyber is and how these exposures accumulate in their portfolios.
In some ways, reinsuring cyber risk is not different than reinsuring any other line of business. The normal reinsurance structures come to play, like Quota Shares, Excess of Loss Treaties, or facultative reinsurance. One of the structures we currently do not find very often are per-event treaties, mainly based on the fact that it is particularly difficult to find a sensible and working cyber event definition. The definitions that work well for the (re)insurance industry in areas like natural catastrophe or terrorism are not good fits for cyber events. That’s where we must adapt and come up with new concepts that fit the cyber world better. It may become possible to develop an industry-wide standard index for cyber losses. That would allow us to circumvent the definition of a cyber event for the purpose of structuring certain reinsurance contracts.
In terms of coverage areas, reinsurers usually offer first and third party coverages. On a first party basis reinsurers cover business interruption from a cyber incident as well as data restoration and extortion. For third party liability they cover for example data breach and network security liability, as well as crisis management costs for both first-party and third-party events.
It is critical to recognise the evolution of cyber risks. Therefore insurers and reinsurers must maintain a constant dialogue about the nature of cyber risks and the development of the insurance market. We must assess trends based on any new or additional information and take conscious decisions on coverages, pricing, and exclusions.
There are multiple ways reinsurers can support their cedents beyond pure risk transfer.
For example, reinsurers can provide analytics tools that help insurers to better understand the risks they write, as well as the accumulation of the risks in their portfolios.
Reinsurers can help cedents build suitable products for their markets and target customer segments, supporting with expertise and knowledge on wording, costing, risk engineering and so on.
An important aspect of the cyber insurance policy are usually the additional services that help the insured prevent and deal with cyber risks. A reinsurer can support their cedents with a pre-existing eco-system of suitable vendors who are offering these value added services and those services can then be integrated into the original insurance products.
Reinsurers can also support their cedents with advice on wordings. When markets develop as quickly as the cyber insurance market right now, there are many wordings out there in the market that have not been tested yet. Some of these wordings might have unintended consequences for either the insured or for the insurance carrier and their reinsurers. We therefore always advertise for utmost care and a strong and multi-stakeholder view on newly developing wordings in the cyber insurance space.
Last but not least reinsurers can help their cedents estimate their potential cyber accumulation in their portfolios, both for actively written, affirmative cyber as well as for cyber perils hidden in traditional lines of business. This is an important step in order to determine risk transfer needs and to find the right reinsurance structures.
The development of a profitable and sustainable cyber insurance market is not a sprint, it’s a marathon. All stakeholders, reinsurers, insurers and brokers need to work together to bring the most suitable and attractive products to the customers and therefore help them become more cyber resilient.