Cyber liability insurance: As the market heats up, is it time to cool off in a pool?

The U.S. market for cyber liability insurance coverage was estimated to be $2 billion in 2015, according to the Insurance Information Institute. A recent projection by Allianz has this market increasing to $20 billion within a decade. To put this in perspective, $20 billion, after adjusting to today’s dollars, would propel cyber insurance to become the seventh largest property and casualty (P&C) insurance line of business in the United States. After years of stagnation, criticism, and questions regarding the relevance of P&C insurance in the modern economy, insurers are once again players in the high-tech digital game.

Criticism and concerns have arisen, however, regarding the extent of industry capacity and exposure to cyber liability insurance. AIG CEO Peter Hancock, as quoted in the Wall Street Journal, warned that the capacity offered for most risks are too low to provide adequate protection for potential billion-dollar losses to policyholders (typical policy limits for large policies can be between $100 million and $200 million). At the same time, however, rating agencies are warning insurers that the accumulation of cyber risk may negatively affect their ratings. Indeed, several current challenges in the cyber liability insurance market are limiting the capacity offered and raising the concern of regulators and rating agencies. Challenges including difficulties regarding risks, exposure, coverage, and pricing are often acknowledged but perhaps overlooked or underestimated by brokers and current markets.

A possible solution to address these concerns would be the formation of an industry cyber liability insurance pool or pools. This mechanism could result in greater capacity for the market and less risk to individual insurers. As most insurers would agree, there is strength in numbers.

Challenges within the current cyber liability insurance market

Within the current market for cyber liability insurance, there are several challenges faced by policyholders and insurers alike that may limit capacity and raise concerns of regulators and rating agencies. Some examples include:

• Lack of standardized policy forms. There are few standard policy forms in use today by insurers offering cyber liability coverage. It can be difficult for policyholders to compare these policies from competing markets when purchasing cyber insurance and understand which risks are covered and which are not.
• Continuously changing coverage. Even when policyholders believe they understand their coverage, it may only be temporary because policy language and terms and conditions are continuously evolving in reaction to unexpected claims, competition, or legal interpretations as coverage disputes wind their way through courts.
• Changes in markets. Insurers are entering and leaving the cyber liability insurance market in response to claims and as they learn more about cyber liability risks. There is no guarantee of a long-term relationship or stability with any current insurer.
• Evolving perils. The types of attacks used by cyber hackers and criminals that can lead to insurance claims seem to change and intensify hourly. Hacking, phishing, cyber extortion, and data ransom will all be surpassed by new, more inventive and currently unforeseen schemes in the future.
• Exposure changes. As the perils faced by insureds change so do the exposures created by the evolving technology used by policyholders. Companies are capturing more information about their business in “big data” efforts and shifting information and processing to cloud computing. Items such as refrigerators, previously not thought to have a cyber exposure, are now joined in the Internet of Things and could be ripe for targeting by cyber criminals.
• Inaccurate product pricing and loss projections due to insufficient data. Companies and actuaries need credible data upon which to base assumptions for models of future losses. The lack of this data could lead to projections materially biased high or low, resulting in severely underpriced or overpriced business.
• Potential duplication of coverage. In the case of identity theft, there are currently examples of duplication of coverage among insurers. For example, consider a scenario in which Insurer A provides insurance to Retail Store X and Insurer B provides insurance to Retail Store Y. A consumer shops at both X and Y and uses the same credit card to make payments. The payment systems for both stores are compromised, exposing our consumer to identity theft. Both insurers A and B now provide the consumer with identical identity protection monitoring services.

These challenges may prevent more insurers from offering cyber liability insurance and may pose barriers to customers seeking to purchase cyber liability insurance but finding policy forms and coverage options too difficult to navigate.

Why a pool?

Pools historically have been a mechanism employed to provide greater insurance capacity for risks, particularly those with exceptionally high levels of insurance values. Some current high-profile examples of insurance pools include aviation pools and nuclear risk pools. Many aviation insurance pools were formed in the early days of flight and still exist today. While the pools were formed in reaction to some of the same issues facing cyber liability insurance today, they continue to function as part of an overall competitive market serviced by many individual insurers and underwriters. Nuclear liability insurance has been provided to the U.S. nuclear power industry since the late 1950’s by a pool of insurers through a program that provides roughly $12 billion in protection to compensate the public in the event of a nuclear accident. While there is no market for nuclear liability insurance beyond the pool, the existence of the pool allows for a more efficient spread of the risk to the U.S insurance market as well as to the global reinsurance market (two-thirds of currently liability exposure is ceded to reinsurers).

The exposure to loss for risks covered by cyber liability policies is often difficult to determine and is sometimes only understood in terms of full policy limits in place. A pool (or pools) for cyber liability would allow the industry to provide the necessary coverage needed today, but would also allow for stability of capital in the market, aggregation of information, and credible loss data for rate-making. In short, a pool would allow the industry the proper time needed to move up the learning curve and recover from any potential early missteps.

Specific advantages of a pool include:

• Broader participation and greater capacity. Smaller insurance companies looking to expand their business could participate in a cyber liability pool. This would allow them to access this growing market without the customary start-up costs and limit their liabilities to match their own appetite for risk. In addition, capital could be provided by other financial entities looking to diversify their investment portfolios.
• Sharing of information regarding risks. As pool members and policyholders are confronted with new types of cyberattacks, they can share information rapidly. This can result in a quicker reaction and response, hopefully limiting the spread of the problem. A possible additional benefit of a pool (particularly one with a credible number of participants) could be to seek government approval for liability protection for the sharing of data between pool members and insureds. Similar protections for sharing of information were implemented previously to combat the perceived Year 2000 (Y2K) threat.
• Standardization of application process. Applications for cyber insurance today have become increasingly detailed and complex and vary by insurer. It is often hard for potential policyholders to get all the information required, which may discourage them from purchasing the insurance. A standardized application may lead to greater efficiency in the underwriting process and to more potential insureds entering the market.
• Elevation of cyber protection standards. Cyber protection standards for acceptance by the pool can be selected and maintained at higher levels. Pooling information can result in quicker identification of best practices, which can be shared with all members. This may result in improved protection and lower projected losses.
• Uniformity of policy coverage. Pools could offer standardized policies making it clear what is covered and what is excluded. This would cut down on the time and expense policyholders currently spend comparing policy offerings.
• Elimination of duplicate claims costs. The greater the number of insureds covered by the pool, the less likely claims will overlap. For example, if there were multiple breaches at different retail entities covered by the pool, identity theft monitoring could be performed by the pool for those consumers with exposure at each of the retail entities, instead of multiple monitoring covered by each different insurer if the retail entities were covered separately.
• Protection of insurer pool members. A larger pool results in greater business volume and greater leverage for the potential purchase of protection for the pool from reinsurance or capital markets. The concentration of risk may also help in the discussion of potential government backstops that could become available.

How could such a pool operate?

In its simplest form, a cyber liability insurance pool could be operated on a voluntary basis, sponsored by insurance companies or other financial entities, each with assumed shares. There could be limits on membership related to financial strength and limits on pool participation. The time frame for the existence of the pool could be limited—perhaps more of a tool to help develop the early market, keep it stable and growing, and avoid potentially unnecessary growing pains. A small number of large pools would allow for greater risk diversification, but multiple smaller pools would address specific industries with different risks and exposures, such as healthcare, retail, finance, manufacturing, etc. Within the pool, committees could be formed to address underwriting, finance, claims, technology, and security issues.

There is already historical precedent for the projected evolution from pool to competitive market—the formation of accident and health (A&H) reinsurance pools in the late 1970s. The growth for these pools was driven by market demand. Pool managers formed new and different facilities to provide coverage to similar classes of business. Some of the participating companies recognized the profit potential and left to enter the marketplace as independent reinsurers. More companies and pools led to greater competition and more attention to underwriting, claims handling, and reserve adequacy.

There have also been many state and international catastrophe insurance pools and programs that were established following an extreme event to stabilize a market until the private sector was willing and able to provide appropriate coverage. A recent example of this is flood insurance in the United States. Flood insurance coverage is currently provided through the National Flood Insurance Program, but there is a push for privatization because there have been advances in risk modeling for this peril.¹

What are the potential disadvantages of a pool?

While there are many advantages to using a pool or pools in the early years of a volatile coverage such as cyber liability insurance, there are also some potential disadvantages:

• Limited market competition. Having several large pools servicing the market cuts down on the number of competitors in the market. This could drive up prices higher and faster than in an open market.
• Limited innovation and lack of customization. As noted above, pools tend to standardize coverage to leverage knowledge and increase operational efficiency. This could inhibit the growth of custom polices that could address perils faced by a small number of potential policyholders.
• Lack of exit strategy. The dissolution of pools can sometimes be messy and result in expensive litigation.

Why now?

There is an obvious need for cyber liability insurance today. The P&C insurance market is racing to meet the demand. The benefits of potential growth in premium resulting from providing cyber liability insurance on an individual insurer basis, though, may be tempered by the impact of adverse loss experience because of naïve pricing, exposure accumulation, and lowered financial ratings resulting from the uncertainty of the business. There is also the potential for unforeseen extreme large losses, which could devastate the entire fledgling market. Rating agencies, regulators, and even some insurers are waking up to the very real potential dangers of providing cyber liability insurance. Pools would allow the industry to learn, test, measure, and adjust the coverage provided, perhaps in a less risky way. The gains of the individual insurer firm may be temporarily sacrificed for the good of the industry as a whole and its policyholders.