Insurer Models Cyber Risks to Benefit SMBs

With the global cyber insurance market expected to reach $14 billion by 2022, according to Allied Market Research, it’s no wonder more insurers are looking to offer cyber coverage.

All industries need liability and property coverage to protect against cyberattack risk, Allied’s most recent Cyber Insurance Market Report stated, adding that “This is an opportunity for insurers and reinsurers to innovate cyber insurance products that manage various degrees of risks and cover cost-associated data breaches, credit monitoring, forensic investigations, reputation management, and business interruption.”

The cyber insurance market is expected to grow as a result of continued increases in data breaches.

Hartford Steam Boiler, an insurer that began covering risks associated with steam boilers 150 years ago, is now offering small insurers the ability to sell cyber policies to small and midsize businesses (SMBs), according to HSB Vice President Eric Cernak.

According to HSB, this vulnerable market segment – 60 percent of SMBs go out of business within six months of a cyberattack – is drastically underserved.

Cernak said small insurers couldn’t afford to write cyber policies for SMBs in the past, because the time and effort required to assess cyber risk outweighed the relatively small premiums they’d collect.

“This is a risk that kind of has evolved over the last 15 or 20 years…because of the lack of data and the lack of modeling available relative to the risks, pricing was relatively uncertain so there was a degree of variability between insurer A and insurer B on how to price this and the smaller companies couldn’t afford the coverage because of the variability and the unknown risk,” Cernak said.

The Allied report noted that the lack of standardized policies could hinder companies from buying cyber coverage.

In addition, complicated coverage offerings and the perception of an insufficient threat impeded the purchase of cyber policies, Cernak said.

“They [SMBs] simply don’t see themselves a target for criminals to infiltrate their systems,” Cernak said, though he noted a recent shift towards purchasing cyber coverage due to SMB systems interacting with larger systems.

“So, if you’re a small business that is working with large organization and you’ve got credentials to get in their system because of some part of the operational aspect of your arrangement, the criminal element is starting to recognize that,” Cernak added.

A statement within the Allied report seems to confirm Cernak’s points, “Even though cyber security and cyber risks are acknowledged as serious threats, several companies do not purchase cyber insurance policies.”

The National Association of Insurance Commissioners has weighed in on the difficulty in writing cyber coverage, “Cyber risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data. Insurers compensate by relying on qualitative assessments of an applicant’s risk management procedures and risk culture. As a result, policies for cyber risk are more customized than other risk insurers take on, and, therefore, more costly. The type of business operation will dictate the type and cost of cyber liability coverage. The size and scope of the business will play a role in coverage needs and pricing, as will the number of customers, the presence on the Web, the type of data collected and stored, and other factors.”

Cernak said that better data and tools should aid in convincing SMBs of the need for cyber coverage.

The 150-year-old insurer, using an economic model developed by Cyence, quantifies cyber risk in dollars and probabilities to aid insurers in pricing cyber policies efficiently and cost-effectively. The model looks at certain data elements like the frequency of attacks occurring, technical patching, policies, procedures and even employee sentiment. The model aids in determining whether a company is an attractive target and susceptible to attack.

“The small commercial entities are probably the next kind of frontier in terms of who is going to be buying this coverage and I think as we get better data, as we get better tools from a risk modeling or risk selection standpoint, that’s going to aid in our ability as an industry to convince these folks that they really do need this type of cover,” Cernak said.

He said the line of business is different than most, since carriers are insuring against an active adversary.

“The idea is to be able to look at what’s going on in the environment and see how often these attacks are occurring,” Cernak explained.