Prominent credit rating agency Fitch Ratings issued a warning on Monday that aggressive growth strategies in the cyber insurance market could negatively impact its ratings, due to the inherent risks of such an emerging, inchoate business model.
“At this stage, Fitch would view aggressive growth in standalone cyber coverage, or movement to high portfolio concentration in cyber, as ratings negatives. Underwriting, pricing and reserving uncertainties currently outweigh the potential earnings growth benefits," James Auden, managing director at Fitch, said in a press release that accompanied the company's Global Cyber Insurance Market Update report.
On the other hand, more measured growth, “as part of a diversified portfolio, coupled with continually enhanced underwriting standards, would generally be neutral to ratings,” the release continued.
Auden also spoke directly with SCMagazine.com, explaining that in Fitch's view, there is presently not enough industry data or cyberattack precedent to accurately forecast potential losses incurred by insurers when an incident does happen. This, in turn, creates uncertainty around how much insurance companies should charge or what the exact policy terms should be. “It's hard to really get your arms around it,” he said.
In particular, Auden explained, the industry is having difficulties assigning compensatory value to certain intangible assets damaged in a cyberattack. “I think insurers have been more comfortable from a cyber perspective offering coverage when the claims are similar to any other [traditional] claim. So if somehow a computer is destroyed, they know what the cost is to replace that,” Auden said. A problem emerges, however, when insurance agencies try to account for “unique liability exposures,” such as the loss of personal information or data. Such assets don't have an assigned physical value, per se, yet they clearly hold significant value to their owners.
In its report, Fitch also expresses concern that insurance companies lack the IT expertise necessary to accurately assess whether or not a particular company is adequately protected against cyber intrusions. Moreover, the agency is concerned that the insurance industry is not prepared for large-scale disaster scenarios such as an attack on the power grid, whereby economic losses from incidents would vastly exceeded insured losses, especially as insurance companies process claims from multiple large businesses at once.
In the meantime, Fitch in its report suggested that traditional casualty and property policies already have language in them that could potentially cover physical damage caused by a cyberattack.
Julian Waits, CEO of cyber risk analytics firm PivotPoint, said that insurance companies should take Fitch's warning seriously, agreeing that “there isn't enough actuarial science” yet to precisely gauge risk on the insurer's behalf.
On the other hand, Waits also believes the vast majority of the industry is already doing an excellent job self-regulating its growth in the cyber market. In fact, “I can't think of any carrier… that I would call overly aggressive in writing cyber policies,” he said in an interview with SCMagazine.com.
Auden could not name a specific example either, asserting that his agency's report was more of a preemptive strike as insurance companies jockey to be a potential market leader in the cyber space.
However, Aloysius Tan, product manager at insurance analytics company Advisen, disputed the sweeping nature of Finch's advisory against rapid market growth. Tan suggested that cyber insurance policies generally do not cover low-severity cyber events that don't meet the deductible, which would account for the majority of incidents.
“In these cases, rapid growth in cyber insurance will not necessarily mean bad things for an insurer,” said Tan. That said, “The largest risk for insurers is if high-severity events occur with increasing frequency, potentially leading to insurance losses. This could potentially be the case as more devices become part of the Internet of Things, but I would also expect insurance carriers to respond as the risk landscape evolves.”
Waits cited several other common policy limitations that also demonstrate the insurance industry “has been policing itself.” For instance, even the largest cyber insurance policies are divided into smaller “chunks,” representing different breeds of cyberattack. So, if a policy-holder experiences a ransomware attack, it can only collect on the portion of the insurance policy that's specifically allocated to ransomware. The aggrieved company does not collect on the total policy amount.
Moreover, insurance agencies have been adamantly against covering intellectual property with its cyber policies. “If you're a chip manufacturer or you build some kind of tool and a Chinese hacking gang breaks into your network and steals your crown jewels, which is all your [product] diagrams, there's basically no protection for that,” Waits said.
According to Finch's report, approximately 50 insurance carriers offer some form of standalone cyber insurance coverage at this time.